Access Control and GDPR: What Door Logs and Biometrics Mean for UK Businesses

What in an access system is personal data?

• Event logs: who opened which door when — the core dataset, and clearly personal data
• User records: names, photos, departments, credential IDs in the platform
• Biometric templates: special category data with extra conditions
• Integration footage: door-triggered CCTV clips inherit video surveillance rules
• Visitor management entries: sign-in data, often retained far too long by default

The five obligations in practice

Purpose and lawful basis: legitimate interests (security of premises, safety, audit) documented in your record of processing — straightforward for standard door control. Transparency: staff privacy notices must mention access logging; quiet monitoring is where complaints start. Retention: set a defensible log retention (commonly 3–12 months) and configure the platform to enforce it rather than keeping everything forever. Security: admin accounts, role-based access to the platform, audit of who views logs. Rights: be able to extract one person's events for a subject access request — test that you actually can.

Biometrics: the special case

Fingerprint and facial templates are special category biometric data when used to identify individuals: deploying them requires a Data Protection Impact Assessment, an Article 9 condition (in employment contexts, explicit consent only counts if genuinely refusable — so a real alternative like a fob must exist), secure template storage (modern readers store irreversible mathematical templates, not images — say so in your DPIA), and proportionality: the ICO has acted against employers using biometrics where less intrusive options existed. Translation: biometrics for the server room with a documented case — not for clocking everyone through the front door because the reader looked impressive.