The visitor process in your company – what were the data protection requirements like in times of Corona?

von Carola

The first impression counts, and this is especially true for visitors to your company. You can score points here with a professional visitor process. In the following, you will find out how to comply with data protection requirements but still meet requirements from the various areas.

Visitor process and visitor management the flagship of your company

Due to the current pandemic, personal visits to your company may have become less frequent and many meetings are taking place digitally. Nevertheless, you will inevitably greet visitors (suppliers, customers, applicants, etc.) in your rooms. Careful handling of visitor data is therefore essential. Admittedly, not every visitor will immediately pay attention to the data protection precautions in connection with the visitor process. For attentive data protection officers among the visitors, however, this ensures the first positive impression.

Visitor lists or visitor form what is correct?

We strongly recommend that you refrain from using an open visitor list. On these lists, the names and possibly other personal data of the previous visitors can be seen by all following persons, which can turn out to be extremely sensitive, especially with regard to applicants. The use of individual visitor forms per visitor is recommended. These are stored separately after they have been filled out. These visitor forms can be adapted to all the requirements that apply in your company (e.g. accident regulations, fire protection briefing, infection protection law, etc.). The retention period of the visitor forms is based on the legal bases relevant to you.

Use of splash screens

A nicely meant idea – to announce and greet the visitor on a screen in the entrance area – is not harmless from a data protection point of view. Mentioning the name of one or more visitors on a screen constitutes data processing. Therefore, you have to support this on a legal basis.

The BayLDA had commented on this in the past and stated that the relevant legal basis, as unfortunately so often, depends on the individual case. In individual industries and areas in which addressing customers by name is socially customary, it can be based on legitimate interests. As a rule, however, the consent of the guests is required. This also agrees with those in the activity report ( the facts shown by the Saxon supervisory authority.

Visitor IDs or name tags

If the surname of visitors is mentioned on name tags or visitor ID cards, the company can rely on a legitimate interest (Art. 6 Para. 1 f GDPR). Equipping visitors with visitor badges or name tags is necessary and helpful so that company employees can clearly identify people as visitors.

Use of visitor management systems

Visitor management systems promise uncomplicated handling of visitor data and entice visitors with efficient and simple administration. Before using such systems, we recommend subjecting them to a thorough check to determine to what extent the functions offered comply with data protection regulations. Sometimes these go so far that it is possible to record the time and whereabouts of the visitors.

For security reasons, it is relevant to know which visitors have been in the company for how long. However, the length of stay may not be linked to the various locations. Usually there is no justification for recording whereabouts. In addition, it is necessary to conclude an order processing agreement with the service providers of the visitor management software.

An established visitor process protects against uninvited guests and helps with controls by the authorities

Intruders represent an acute security risk for companies. The GDPR stipulates that every company must guarantee the security of the processing of personal data. Companies are obliged to take technical and organizational measures for this, including access controls for visitors. It is important to note that visitor data is recorded in accordance with the General Data Protection Regulation.

At the moment, the employers’ liability insurance association is increasingly carrying out controls with regard to compliance with hygiene measures to protect against infection. Among other things, also checks whether there are records of visitors that can be used to track an infection chain in the event of an infection.

Be prepared by consistently executing your existing visitor process.

If you have not yet established a visitor process in your company, please contact us! We are happy to support you at any time. Just contact us.


Freundlich und kompetent finden Sie hier immer ein offenes Ohr für Ihre Wünsche und Anforderungen. „Ich bin Ihre Ansprechpartnerin für alle Fragen rund um den Ablauf, die Organisation oder die Buchhaltung – Ordnung muss sein! Als TÜV zertifizierte Datenschutzbeauftragte stehe ich Ihnen, auch als externe Datenschutzbeauftragte, zur Verfügung und mit Rat und Tat zur Seite.“