NordVPN and ExpressVPN Failed Their GDPR Data Requests (So Much for Privacy)
“We protect your privacy.” That’s what every VPN says. Then someone asked them to prove it — and 9 out of 10 failed.
GDPR Data Request Test Results: Who Actually Respects Your Rights?
| VPN Provider | Response Time | Legal Limit | Response Quality | Result |
|---|---|---|---|---|
| Surfshark | 4 hours | 30 days | Detailed PDF report with all personal data | ✅ PASSED |
| NordVPN | 8+ weeks | 30 days | No data delivered | ❌ FAILED |
| TunnelBear | 8+ weeks | 30 days | No data delivered | ❌ FAILED |
| Hotspot Shield | 8 weeks | 30 days | Unreadable CSV files (no column headers) | ❌ FAILED |
| ProtonVPN | Within 30 days | 30 days | Canned response pointing to privacy policy | ❌ FAILED |
| ExpressVPN | Unknown | 30 days | Problematic response | ❌ FAILED |
| Other 4 VPNs | Varied | 30 days | Failed to meet standards | ❌ FAILED |
Source: TechRadar exclusive GDPR data request test, January 2026. Requests sent January 5, 2026 under GDPR Article 15 (right of access).
In January 2026, TechRadar sent GDPR Article 15 data access requests to 10 major VPN providers. This is a basic legal right under European law — you ask a company what personal data they hold about you, and they have 30 days to respond.
One VPN responded properly. One out of ten.
The rest? They either blew past the legal deadline, sent unreadable garbage, pointed to their privacy policy instead of providing actual data, or simply didn’t respond at all.
These are companies that spend hundreds of millions on marketing telling you they protect your privacy. They can’t even comply with a basic legal request about your own data.
Commission disclosure:
- ProtonVPN: ~$25/sale
- Mullvad: $0 (no affiliate program)
- NordVPN, ExpressVPN, Surfshark: Not recommending despite $60-150/sale available
- I’m calling out ProtonVPN despite being an affiliate. That’s the deal on this site.
⚡ 30-Second Verdict
- Only Surfshark responded properly — detailed PDF within 4 hours
- NordVPN and TunnelBear blew past the 30-day legal deadline — no data delivered after 8 weeks
- Hotspot Shield sent unreadable CSV files with cryptic column names (“field_0” through “field_32”)
- ProtonVPN sent canned responses pointing to their privacy policy instead of providing actual user data
- 9 out of 10 VPNs failed to provide a thorough and timely GDPR response
- The legal penalty for non-compliance: up to €20 million or 4% of global turnover
- 70%+ of VPN providers breach GDPR according to broader research
What GDPR Article 15 Actually Requires
Before we get into who failed, let’s be clear about what the law demands.
GDPR Article 15 — the “right of access” — says you can ask any company processing your personal data to tell you:
- What personal data they hold about you
- Why they’re processing it
- Who they share it with
- How long they keep it
- Your rights to have it corrected or deleted
The company has 30 days to respond. If the request is complex, they can extend by two months — but they must notify you within the first month that they need more time.
This isn’t a suggestion. It’s EU law. The penalty for non-compliance is up to €20 million or 4% of global annual turnover — whichever is higher.
For NordVPN (estimated $500M+ revenue), that’s potentially $20 million in fines.
The Test Results
Surfshark: The Only One That Passed
Response time: 4 hours.
Not 4 days. Not 4 weeks. Four hours.
Surfshark sent a detailed, professional PDF report containing all personal data held on the account, formatted in a readable, organized layout. They treated the GDPR request as a serious legal obligation — because it is one.
The irony? Surfshark is owned by Nord Security — the same company that owns NordVPN. Same parent company, completely different compliance standards.
I wrote about this fake competition problem before. Now it extends to legal compliance too.
NordVPN: The Privacy Company That Doesn’t Respect Your Privacy Rights
Response time: 8+ weeks. No data delivered.
NordVPN — the company that spends more on YouTube sponsorships than probably any other VPN — couldn’t respond to a basic data access request within the legally mandated 30 days. Or 60 days. Or even 8 weeks.
Their excuse? They claimed issues with “identity verification.”
This is the same company that markets itself on privacy and transparency reports. The same company that quietly reversed its “will not comply” policy to “will only comply.” The same company that got hacked and lied about it.
Now they can’t even comply with your basic legal right to see what data they hold about you.
TunnelBear: Same Failure, Less Excuse
Response time: 8+ weeks. No data delivered.
TunnelBear has a Privacy Center where users can supposedly view the data the service collects. But when tested with an actual formal GDPR request? Nothing. Same failure as NordVPN — past the legal deadline with no data provided.
Hotspot Shield: The Unreadable Response
Response time: 8 weeks. Data delivered — but unreadable.
Hotspot Shield eventually sent seven CSV files. The problem? No column headers. Data points labeled cryptically as “field_0” through “field_32.” Without knowing what each field represents, the data is useless. It might as well have been encrypted.
Technically, they responded. Practically, they complied with nothing. GDPR requires data to be provided in a “commonly used electronic format” that the data subject can actually understand. Random numbered columns don’t qualify.
ProtonVPN: The Disappointing One
Response time: Within 30 days. But didn’t actually comply.
ProtonVPN didn’t blow past the deadline. But instead of providing actual personal data, they sent canned responses directing the user to read their public privacy policy.
That’s not how Article 15 works. A company’s obligation to provide your specific personal data cannot be satisfied by pointing to a generic public document. “Read our privacy policy” is not a valid GDPR response.
This is particularly disappointing from Proton — a company I actually recommend and make money from. Their privacy policy is genuinely good. Their VPN passed four consecutive no-logs audits. But GDPR compliance is a separate thing, and they handled it poorly.
I’m still recommending them for the VPN itself. But this needs to be called out.
The Bigger Problem: 70%+ of VPNs Breach GDPR
This wasn’t a one-off test. Broader research paints an even worse picture.
According to TechRadar’s analysis, more than 70% of VPN providers breach GDPR. A separate VPN Ranks study found that 46 out of 83 VPN providers fail to comply.
The VPN industry has a systemic GDPR problem. These companies market themselves as privacy tools while failing to respect the most basic privacy law in the world.
What This Tells You About “No-Logs” Claims
Here’s the uncomfortable question: if a VPN can’t even handle a GDPR data request properly, what does that tell you about their operational maturity?
Companies that lie about their no-logs policies are one problem. Companies that use audits as marketing props are another. But companies that can’t comply with a straightforward legal request? That’s a competence problem.
If NordVPN’s systems are so disorganized that they can’t locate and compile your personal data within 30 days, what confidence should you have that they’re properly managing (or not managing) your connection logs?
VPNs that can’t even handle GDPR probably aren’t handling much else properly either. And when governments actively block VPNs, compliance failures like these become more than just paperwork problems.
What You Can Do
Exercise Your Rights
You can send a GDPR Article 15 request to any VPN you use. Here’s what to include:
- State that you’re making a request under GDPR Article 15
- Ask for all personal data they hold about you
- Ask for the purposes of processing
- Ask who they share your data with
- Ask how long they retain your data
- Send it to their Data Protection Officer (usually listed in their privacy policy)
They have 30 days. If they don’t respond, you can file a complaint with your local Data Protection Authority.
Choose VPNs That Actually Respect Your Rights
The VPNs I recommend:
Mullvad
- Proven in court — can’t hand over data they don’t have
- Account number system — no email, no name, no personal data to request
- The GDPR question barely applies because they barely collect data
- Commission: $0 (no affiliate program)
ProtonVPN
- Four consecutive no-logs audits (Securitum)
- Swiss jurisdiction with strong privacy laws
- Handled the GDPR request poorly (canned response) — but the VPN itself is solid
- Commission: ~$25/sale (disclosed)
Why not Surfshark? They passed the GDPR test with flying colors, but they’re owned by Nord Security — the same company whose other product (NordVPN) failed miserably. Read our Surfshark review for the full picture.
The Bottom Line
Nine out of ten VPN companies failed a basic legal privacy test.
These are companies that spend hundreds of millions on marketing telling you they protect your privacy. They buy YouTube sponsorships. They pay influencers. They run scary ads about hackers on public WiFi. They promise military-grade encryption and no-logs policies.
Then someone asks them to prove they respect your data rights — a legal requirement, not a favor — and 90% of them can’t do it.
NordVPN couldn’t respond in 8 weeks. Hotspot Shield sent unreadable garbage. ProtonVPN pointed to their privacy policy. Only Surfshark — ironically owned by the same company as NordVPN — treated it like the legal obligation it is.
If they can’t handle GDPR, do you really need a VPN from companies like these? Maybe the answer is free privacy tools that actually work — for $0.
Don’t Trust Me — Verify Everything
- TechRadar GDPR test results (January 2026)
- Surfshark’s response analysis (TechRadar)
- GDPR Article 15 — right of access (full text)
- GDPR Article 17 — right to erasure (full text)
- 70%+ of VPN providers breach GDPR (TechRadar)
- 46 out of 83 VPNs fail GDPR (VPN Ranks)
Full disclosure: I make money from ProtonVPN (~$25/sale) and $0 from Mullvad. I called out ProtonVPN’s GDPR failure in this article despite being their affiliate. NordVPN, ExpressVPN, and Surfshark offer $60-150/sale — I’m not recommending them.