TLDR: The way businesses verify identity online is shifting, and GDPR enforcement is accelerating that shift. Here’s what’s actually changing in 2026 and why location-aware credentials are at the center of it.
What Is Digital Identity?
Digital identity is the set of attributes, credentials, and signals that represent a real person online. In practice, that usually means some combination of:
- Authentication credentials like passwords, biometrics, or cryptographic keys
- Government-issued documents such as passports, national IDs, and driver’s licenses
- Behavioral data including device fingerprints, login history, and location signals
- Verifiable credentials, which are cryptographic proofs from trusted authorities like banks, employers, or government registries
Most people interact with digital identity authentication daily, whether that’s logging into a banking app or passing an age check. What’s changing is how much personal data gets collected during that process, and who controls it afterward.
What Does GDPR Require for Identity Verification?
GDPR doesn’t prohibit identity verification. It sets boundaries around how personal data is collected, stored, and shared throughout the process. The principles that come up most often:
- Data minimization: only collect what the verification actually requires. If you’re confirming someone is over 18, you don’t need their full passport scan
- Purpose limitation: data collected for verification shouldn’t end up in a marketing database or an AI training pipeline
- Storage limitation: once the verification is done, holding biometric templates or document images indefinitely becomes a liability
- Right to erasure: when someone invokes Article 17, every fragment of their identity data needs to be locatable and deletable across every system and sub-processor
Enforcement backs this up. Cumulative GDPR fines have passed €7.1 billion as of early 2026, with roughly €1.2 billion issued in 2025 alone. Over 60% of total fine value has landed since January 2023. Regulators are paying particular attention to biometric processing, automated decisions under Article 22, and cross-border data transfers.
Why Does Location Matter in GDPR Identity Verification?
GDPR compliance is geographic at its core. Which rules apply depends on where a user is located, where their data is processed, and whether it crosses borders. Knowing someone’s jurisdiction isn’t optional; it’s a prerequisite for applying the right compliance framework.
Organizations have traditionally relied on two methods:
- IP-based location estimation: inferring a user’s country from their IP address. But IP addresses are personal data under GDPR, which means using them as a jurisdictional signal creates its own consent and processing obligations. They’re also unreliable: VPNs, mobile networks, and proxies make them a shaky foundation for compliance decisions
- Document uploads: asking for a passport or national ID to confirm residency. This works, but it collects far more data than the question actually demands
Both methods create tension with GDPR’s data minimization principle. One uses personal data to infer location. The other over-collects to answer a straightforward question about jurisdiction.
How Does Credential-Based Location Verification Work?
A different approach is gaining traction: letting users prove their jurisdictional status through verifiable credentials rather than handing over raw personal data.
The flow looks like this:
- A trusted issuer (a KYC provider, telecom operator, or government registry) verifies a user’s residency or nationality
- That fact gets encoded as a verifiable credential with location as a data field
- When a platform needs to confirm jurisdiction, for example “is this user an EU resident?”, the user presents a zero-knowledge proof that answers the question without revealing their country, city, address, or document details
- The platform receives a cryptographically verified yes or no. The personal data stays with the user
From a GDPR perspective, this changes the picture meaningfully:
- The jurisdictional signal comes from a credential, not from processing an IP address
- zkProof verification transmits mathematical proofs rather than personal information, which means Standard Contractual Clauses and Transfer Impact Assessments generally don’t apply to the verification layer
- Credential-based signals are issued by verified authorities and aren’t thrown off by VPNs or network routing, making them more reliable than IP-based lookups
Zero-knowledge proofs allow users to confirm facts like age, citizenship, or credentials without exposing the raw data. No personal information is stored or transmitted during the process, which reduces the risk of data breaches and keeps verification aligned with GDPR requirements.
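The issue, present and verify flow described above, as an added illustration that is not Moca Network’s or AIR Kit’s code: a hash-based selective-disclosure credential (the pattern SD-JWT uses) stands in for the zkProof, so the verifier learns only the `eu_resident` answer while the holder’s country and city never leave their device. The issuer key, the partial EU country list and the function names are constructed for the example; a real issuer would sign with a key pair rather than the shared HMAC key used here.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for the example: a real issuer signs with a key pair; the EU list is partial.
ISSUER_KEY = b"constructed-issuer-key"
EU_COUNTRIES = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PT", "SE"}

def _digest(salt, name, value):
    # Salted commitment to one attribute; the salt blocks guessing the value from its hash.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _tag(digests):
    # Issuer authentication over the commitments only (HMAC stands in for a signature).
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), "sha256").hexdigest()

def issue_credential(attributes):
    """Issuer side: derive the jurisdiction answer at issuance, commit to every
    attribute, and authenticate the list of commitments. The cleartext values
    and salts (the 'disclosures') are handed to the holder, never published."""
    attributes = dict(attributes, eu_resident=attributes.get("country") in EU_COUNTRIES)
    disclosures, digests = {}, []
    for name, value in sorted(attributes.items()):
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        digests.append(_digest(salt, name, value))
    return {"digests": digests, "tag": _tag(digests)}, disclosures

def present(credential, disclosures, fields):
    """Holder side: release only the requested fields; everything else stays local."""
    return {"credential": credential,
            "disclosed": {f: disclosures[f] for f in fields}}

def verify_presentation(presentation, field):
    """Verifier side: returns the disclosed value of `field`, or None when the
    issuer tag or any disclosed attribute fails to check out."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_tag(cred["digests"]), cred["tag"]):
        return None  # not from the trusted issuer, or the commitment list was altered
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in cred["digests"]:
            return None  # holder tampered with a disclosed value
    disclosed = presentation["disclosed"].get(field)
    return None if disclosed is None else disclosed[1]

if __name__ == "__main__":
    cred, disc = issue_credential({"country": "DE", "city": "Berlin"})
    print("EU resident:", verify_presentation(present(cred, disc, ["eu_resident"]), "eu_resident"))
```

The verifier distinguishes an honest "no" (returns False) from a forged or tampered presentation (returns None), which is the check a platform needs before acting on the answer.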
What Is Moca Network’s Role in Location-Aware Digital Identity?
Moca Network is built around two core components:
- Moca Chain: a Layer 1 blockchain for credential storage, verification, and on-chain reputation
- AIR Kit: an SDK for integrating decentralized identity into applications
What developers get with AIR Kit:
- Universal single sign-on across Web2 and Web3 ecosystems
- Verifiable credential issuance and verification using zkProofs and zkTLS
- W3C-standard credential schemas with defined fields for age, location, and email
- A cross-chain Identity Oracle for verifying credentials across blockchains and jurisdictions
- Embedded wallet with account abstraction, so end users never touch gas fees
For location verification specifically, AIR Kit’s credential schema treats location as a first-class data field. Issuers can encode residency, nationality, or jurisdiction status into a credential. Verifiers can then request a zkProof scoped to that field, confirming jurisdictional status without accessing the underlying personal data (AIR Kit Overview, Moca Network Docs).
Moca Network’s ecosystem currently spans over 600 portfolio companies and reaches more than 700 million addressable users through partners including SK Planet’s OK Cashbag (28 million KYC-verified users) and OneFootball (200 million+ users). Its MocaProof credential marketplace, launched in beta in December 2025, lets users verify and aggregate proofs across categories like influence, finance, loyalty, and activity. The Moca Chain mainnet transition is expected in 2026.
Where Do AI Agents Fit into Digital Identity Verification?
As AI agents increasingly act on behalf of users, processing documents, managing transactions, and accessing third-party services, they introduce a new dimension for GDPR compliance.
A few things worth paying attention to:
- An AI agent accessing personal data without verified authorization looks like an uncontrolled data processor under GDPR
- An agent running from a data center in one jurisdiction on behalf of a user in another creates a cross-border data flow, even if no human triggered it
- Without proper identity controls, agents are exposed to prompt injection attacks where bad actors can redirect data through unauthorized credentials
Verifiable credentials offer a path forward here too. An agent presenting a cryptographically signed credential, scoped to a specific task, user, and jurisdiction, can operate within GDPR’s accountability framework without exposing the user’s personal data or accumulating new data stores.
Moca Network’s MOCA token already supports identity verification for both human users and AI agents, enabling on-chain agent-to-service authentication that’s auditable and jurisdiction-scoped (Moca Network).
What Steps Should Organizations Take?
For teams looking to bring their identity verification in line with GDPR:
- Map your current identity data flows: trace where personal data enters the verification pipeline, how long it’s stored, and which sub-processors touch it
- Look at where zkProofs can replace raw data collection: age verification, residency confirmation, accreditation checks, and financial standing are all well-suited to credential-based proof
- Consider W3C Verifiable Credentials integration: this lets users present third-party-issued credentials without your organization becoming another data custodian
- Build in human oversight for automated verification: Article 22 requires it for any process that produces significant effects on individuals
- Keep verification and storage separate: the most GDPR-aligned architecture confirms a claim without ever possessing the underlying data
- Rethink how you determine user jurisdiction: credential-based location verification gives you more reliable signals than IP-based methods, without the consent obligations and accuracy issues that come with processing IP addresses
What Comes Next?
Digital identity is becoming infrastructure rather than a standalone product. The organizations still treating it as a data collection exercise are running into escalating compliance costs and breach exposure. Those moving toward portable, credential-based verification, especially with built-in location awareness, are finding that compliance becomes structural rather than reactive.
The direction is clear: identity that’s privacy-preserving, jurisdiction-aware, and verifiable without being visible. That’s the model that holds up under the regulatory pressure defining 2026 and beyond.
Identity verification used to be about knowing your customer. Under GDPR, it’s about proving you can confirm what you need, including where they are, without collecting more than the question requires.
Sources
- Kiteworks. “GDPR Fines Hit €7.1 Billion: Data Privacy Enforcement Trends in 2026.” March 2026. kiteworks.com
- Secure Privacy. “Complete GDPR Compliance Guide (2026-Ready).” November 2025. secureprivacy.ai
- Beyond Identity. “The Attacker Gave Their API Key: Why AI Agents Need Hardware-Bound Identity.” February 2026. beyondidentity.com
- IAPP. “How to Verify Identity of Data Subjects for DSARs Under the GDPR.” iapp.org
- Investing Cube. “Moca Foundation Announces Moca Chain for Self-Sovereign Identity.” June 2025. investingcube.com