GDPR-Compliant Access Control: What Your Door Logs Must Contain
Every time an employee swipes a badge, scans a fingerprint, or taps a phone at a door reader, that event creates a data record. Under GDPR, that record is personal data — and how you collect, store, and manage it matters as much as whether the door opens.
Organizations that treat access logs as mere security data are sitting on a compliance liability. Here is what your door logs must contain, what they must not contain, and how to structure the entire system to stay on the right side of Article 5.
Why Door Logs Fall Under GDPR
Access control data is personal data. It identifies an individual, records their physical location at a specific time, and in the case of biometrics, falls under Article 9 as a special category requiring explicit consent and heightened protections.
Even RFID and NFC credentials — which seem less sensitive than fingerprints — create a timestamped movement record tied to a named individual. That is enough to trigger full GDPR obligations: lawful basis, data minimization, retention limits, and subject access rights.
What Every Door Log Entry Must Include
A GDPR-compliant door log entry needs to contain enough information to be useful while remaining as lean as possible. At minimum, each record should capture:
- Credential identifier — the card number, device ID, or biometric token; never the raw biometric data itself, which should not leave the reader.
- Timestamp — precise to the second, with timezone. Vague timestamps create audit problems.
- Reader or door ID — which specific entry point was used, not just a building name.
- Access outcome — granted or denied. Denied entries matter as much as successful ones for security audits.
- Credential type — RFID, NFC, biometric, mobile wallet. This helps with incident investigation and is relevant to your lawful basis documentation.
What door logs should not contain: raw biometric templates, full cardholder names in the event log itself (link to an identity record instead), or location data beyond the access point.
The Lawful Basis Question
Most organizations rely on legitimate interests (Article 6(1)(f)) for standard access logs — physical security is a genuine operational need. For biometric data, you need explicit consent or a specific legal obligation under Article 9.
Document your lawful basis before you deploy readers. If you switch credential types later — say, adding fingerprint readers to an existing RFID system — you need to reassess and potentially recollect consent.
Retention: The Rule Nobody Follows Correctly
GDPR requires you to keep personal data only as long as necessary. For access logs, "necessary" is not a fixed number. It depends on your specific purpose:
- General site security: 30–90 days is defensible for most low-risk environments
- Regulated industries (finance, healthcare, defense contractors): may require 12 months or more based on sector-specific rules
- Incident investigation: retain relevant records until the matter is resolved
The mistake organizations make is keeping everything indefinitely because storage is cheap. Set automated purge policies. If your access control software does not support scheduled deletion, that is a gap worth addressing.
Attendance and Access: One Event, Two Records
Here is where modern access control creates an interesting efficiency. When an employee badges in using TimeClock 365, that single hardware event simultaneously opens the door and records their attendance — no separate time clock or manual punch-in required. The same credential read that grants physical access creates a payroll-ready attendance record.
This dual-purpose logging has GDPR implications worth understanding. You are using one piece of personal data for two purposes: security and HR. Both purposes need lawful bases, and both sets of retention rules apply. In practice, HR records often need to be kept longer than security logs, so your retention policy needs to account for both.
The upside is data minimization in action: one event, two uses, no duplication. Systems achieving 99% time tracking accuracy through this method also eliminate the discrepancies that come from employees badging into the building but forgetting to clock in at a separate terminal.
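The minimal entry described above, the "must not contain" rule, and purpose-based retention (longer when the same event also serves attendance) can all be enforced at ingestion. The following is an added illustration in Python, not code from TimeClock 365 or from this article; the field names, the 90-day and 365-day retention values and the purpose labels are assumed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical minimal schema for a door-log event (assumed names, not a product format).
ALLOWED_FIELDS = {"credential_id", "timestamp", "reader_id", "outcome", "credential_type"}
# Data that must never appear in the event log itself: raw templates, names, extra location.
FORBIDDEN_FIELDS = {"biometric_template", "full_name", "gps"}
CREDENTIAL_TYPES = {"rfid", "nfc", "biometric", "mobile_wallet"}
OUTCOMES = {"granted", "denied"}
# Assumed retention policy in days, keyed by purpose; an event that serves both
# purposes is kept for the longer of the two windows.
RETENTION_DAYS = {"security": 90, "attendance": 365}


@dataclass(frozen=True)
class DoorEvent:
    credential_id: str
    timestamp: datetime          # timezone-aware, second precision
    reader_id: str               # the specific reader, not just a building
    outcome: str                 # "granted" or "denied"; denials are kept too
    credential_type: str
    purposes: frozenset          # e.g. {"security"} or {"security", "attendance"}


def validate_event(raw: dict) -> DoorEvent:
    """Accept a raw reader record only if it is minimal and well-formed."""
    keys = set(raw)
    forbidden = keys & FORBIDDEN_FIELDS
    if forbidden:
        raise ValueError(f"event carries data that must not be logged: {sorted(forbidden)}")
    unknown = keys - ALLOWED_FIELDS - {"purposes"}
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    missing = ALLOWED_FIELDS - keys
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    ts = raw["timestamp"]
    if not isinstance(ts, datetime) or ts.tzinfo is None:
        raise ValueError("timestamp must be a timezone-aware datetime")
    if raw["outcome"] not in OUTCOMES:
        raise ValueError(f"outcome must be one of {sorted(OUTCOMES)}")
    if raw["credential_type"] not in CREDENTIAL_TYPES:
        raise ValueError(f"credential_type must be one of {sorted(CREDENTIAL_TYPES)}")
    purposes = frozenset(raw.get("purposes", {"security"}))
    if not purposes <= set(RETENTION_DAYS):
        raise ValueError(f"unknown purpose in {sorted(purposes)}")
    return DoorEvent(raw["credential_id"], ts.replace(microsecond=0), raw["reader_id"],
                     raw["outcome"], raw["credential_type"], purposes)


def retention_deadline(event: DoorEvent) -> datetime:
    """The event must be deleted once every purpose it serves has expired."""
    return event.timestamp + timedelta(days=max(RETENTION_DAYS[p] for p in event.purposes))


def purge_expired(events: list, now: datetime) -> list:
    """Return only the events still inside their retention window."""
    return [e for e in events if retention_deadline(e) > now]


def sample_events() -> list:
    """Constructed sample records (not real data) for the purge demonstration."""
    t0 = datetime(2024, 1, 1, 8, 0, 0, tzinfo=timezone.utc)
    return [
        validate_event({"credential_id": "card-7f3a", "timestamp": t0, "reader_id": "door-lobby-1",
                        "outcome": "granted", "credential_type": "rfid"}),
        validate_event({"credential_id": "card-7f3a", "timestamp": t0, "reader_id": "door-lobby-1",
                        "outcome": "granted", "credential_type": "rfid",
                        "purposes": {"security", "attendance"}}),
        validate_event({"credential_id": "card-0b22", "timestamp": t0 + timedelta(days=100),
                        "reader_id": "door-server-room", "outcome": "denied",
                        "credential_type": "nfc"}),
    ]
```

Run `purge_expired(sample_events(), now)` from a scheduled job: with `now` 120 days after the first event, the security-only record from day 0 is dropped, the same event kept for attendance survives, and the denied attempt from day 100 is still within its 90-day window.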
Subject Access Requests and Audit Trails
Under Article 15, employees can request all personal data you hold about them — including their full access history. Your system needs to be able to extract that data by individual, not just by date range or door.
TimeClock 365 structures records in a way that makes subject access requests straightforward: each event is tied to a single identity record, and reports can be filtered and exported per employee. This matters when you receive a SAR with a 30-day response deadline.
Audit trails also need to be tamper-evident. If a security incident ends up in litigation, you need to demonstrate that the logs have not been altered. Immutable logging with checksums or a separate audit log of log modifications is the standard approach.
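Two of the requirements above, per-individual extraction for a subject access request and a tamper-evident audit trail, fit naturally in one structure: an append-only log in which each entry carries the SHA-256 hash of the previous entry, with names held in a separate identity store that maps an employee to their credential identifiers. This is an added Python illustration, not TimeClock 365's implementation or any code from the article; the identity records, credential identifiers and events are constructed sample data.

```python
import hashlib
import json

# Constructed identity store (sample data): names live here, never in the event log.
IDENTITIES = {
    "emp-0042": {"name": "Sample Employee A", "credentials": {"card-7f3a", "mobile-9c1"}},
    "emp-0077": {"name": "Sample Employee B", "credentials": {"card-0b22"}},
}


def _canonical(record: dict) -> bytes:
    """Deterministic serialization so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ChainedAccessLog:
    """Append-only door log; each entry commits to the hash of its predecessor."""

    GENESIS = "0" * 64  # hash value used as the "previous" of the first entry

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = hashlib.sha256(_canonical({"event": event, "prev": prev})).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = hashlib.sha256(_canonical({"event": entry["event"], "prev": entry["prev"]})).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False, i
            prev = entry["hash"]
        return True, None

    def head(self) -> str:
        """Hash of the latest entry; store it outside the log to anchor the chain."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS


def subject_access_export(log: ChainedAccessLog, employee_id: str) -> list:
    """Everything held about one person: events for any of their credentials."""
    creds = IDENTITIES[employee_id]["credentials"]
    return [e["event"] for e in log.entries if e["event"]["credential_id"] in creds]


def build_sample_log() -> ChainedAccessLog:
    """Constructed events (sample data) in the minimal schema discussed above."""
    log = ChainedAccessLog()
    for cred, ts, reader, outcome, ctype in [
        ("card-7f3a", "2024-03-01T08:02:11+00:00", "door-lobby-1", "granted", "rfid"),
        ("card-0b22", "2024-03-01T08:05:40+00:00", "door-server-room", "denied", "nfc"),
        ("mobile-9c1", "2024-03-01T17:31:02+00:00", "door-lobby-1", "granted", "mobile_wallet"),
    ]:
        log.append({"credential_id": cred, "timestamp": ts, "reader_id": reader,
                    "outcome": outcome, "credential_type": ctype})
    return log
```

Changing any field of a past entry, or deleting one, makes `verify()` report the first inconsistent index. A hash chain only proves internal consistency, so the design choice that makes it useful in litigation is to write `head()` periodically to a store the log writer cannot modify (a separate audit system or write-once storage); a rewritten chain then no longer matches the anchored head.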
Data Minimization at the Reader Level
The access point itself is where data minimization starts. Biometric readers should process and match the template on-device, transmitting only a match result — not the raw biometric. Modern readers from most major vendors support this by default, but verify your configuration.
For mobile credentials (Apple Wallet, Google Wallet), the credential is stored in the device's secure element. Your system receives a token, not any data from the phone. This is inherently more privacy-preserving than legacy RFID, where card data is transmitted in plaintext.
Organizations that have made this shift report a 90% reduction in unauthorized access incidents, partly because mobile credentials cannot be cloned the way older proximity cards can.
Putting It Together
GDPR-compliant access control is not a product feature — it is a set of decisions about what you collect, why you collect it, how long you keep it, and who can see it. The technical infrastructure needs to support those decisions: per-individual data extraction, automated retention enforcement, tamper-evident logs, and credential types that minimize raw data transmission.
If you are running a combined access-and-attendance system, those requirements compound. You need to satisfy both security and HR data governance standards from a single event stream.
Ready to see how a unified access and attendance system handles these requirements in practice? Start a free trial of TimeClock 365 and explore the compliance-ready reporting tools built into the platform.