GDPR & Data Protection
Built with GDPR in mind. VisitorPass was designed from the ground up to help organisations comply with EU data protection law without burdening your staff. Automatic anonymisation, built-in data subject rights workflows and a one-click GDPR information page for visitors are all included in every plan.
1. Controller & Processor Roles
Your Organisation (Controller)
You decide why visitor data is collected and how long it is kept. You are responsible for communicating the lawful basis and purpose to each visitor.
VisitorPass (Processor)
We store and process visitor data only on your instructions. We act as a Data Processor and sign a Data Processing Agreement (DPA) with every customer.
2. Data Stored by the Platform
| Category | Examples | Default retention |
|---|---|---|
| Visitor identity | Name, email, phone, company | Configurable; auto-anonymised after set period |
| Visit records | Check-in / check-out times, host name, site | Configurable; auto-anonymised after set period |
| Pre-registration | Full name, expected arrival | Deleted automatically if visit does not occur |
| Signed documents | NDA, Health & Safety declarations | Retained as long as legally required; configurable |
| Visitor photo | Optional badge photo | Deleted on anonymisation |
| Employee timesheets | Clock-in/out timestamps, project codes | Managed by your organisation |
3. Automatic Anonymisation
VisitorPass includes a scheduled anonymisation process that replaces personal identifiers with anonymised tokens after a configurable number of days. Statistics and visit counts are preserved; personal data is removed. This means you can demonstrate compliance-by-design to your Data Protection Officer.
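As an added illustration of the mechanism this section describes (example code written for this page, not VisitorPass's own implementation; the field names, the retention rule and the sample records are assumptions constructed for the example), the following Python job anonymises visit records once they fall outside the retention window while leaving per-site visit counts unchanged:

```python
import secrets
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed retention setting and "today" for the scheduled run (constructed values).
RETENTION_DAYS = 30
AS_OF = date(2024, 6, 30)


@dataclass
class Visit:
    """One visit record; field names are assumptions based on the table above."""
    visit_date: date
    host: str            # employee receiving the visitor; scrubbing it is a controller decision
    site: str
    name: Optional[str] = None
    email: Optional[str] = None
    phone: Optional[str] = None
    company: Optional[str] = None
    photo: Optional[bytes] = None
    visitor_token: Optional[str] = None  # set once the record has been anonymised


# Personal identifiers removed by the job; the optional badge photo goes with them.
PII_FIELDS = ("name", "email", "phone", "company", "photo")


def visits_per_site(visits: List[Visit]) -> Counter:
    """A statistic that must be identical before and after anonymisation."""
    return Counter(v.site for v in visits)


def anonymise_expired(visits: List[Visit], retention_days: int, today: date) -> int:
    """Replace identifiers on records older than the retention window; return the count."""
    cutoff = today - timedelta(days=retention_days)
    # Identity -> token map exists only for this run and is discarded on return,
    # so repeat visits by one person in the batch share a token, yet nothing
    # persisted can link a token back to the person.
    token_for: Dict[Tuple[str, str], str] = {}
    done = 0
    for v in visits:
        if v.visitor_token is not None or v.visit_date > cutoff:
            continue  # already anonymised, or still inside the retention window
        identity = ((v.name or "").strip().lower(), (v.email or "").strip().lower())
        token = token_for.get(identity)
        if token is None:
            token = secrets.token_hex(16)  # random, not derived from the identifiers
            token_for[identity] = token
        for field_name in PII_FIELDS:
            setattr(v, field_name, None)
        v.visitor_token = token
        done += 1
    return done


def sample_visits() -> List[Visit]:
    """Constructed sample records (not real people)."""
    return [
        Visit(date(2024, 5, 1), "Host A", "HQ", "Alice Example", "alice@example.org", "+00 000", "ExCo", b"jpeg"),
        Visit(date(2024, 5, 10), "Host B", "HQ", "Alice Example", "ALICE@example.org", "+00 000", "ExCo", b"jpeg"),
        Visit(date(2024, 5, 15), "Host A", "Lab", "Bob Example", "bob@example.org", "+00 001", "ExCo", None),
        Visit(date(2024, 6, 25), "Host C", "HQ", "Carol Example", "carol@example.org", "+00 002", "ExCo", b"jpeg"),
    ]


if __name__ == "__main__":
    records = sample_visits()
    print("visits per site before:", dict(visits_per_site(records)))
    print("records anonymised:", anonymise_expired(records, RETENTION_DAYS, AS_OF))
    print("visits per site after: ", dict(visits_per_site(records)))
```

The tokens are random rather than hashes of the e-mail address, so someone holding the database (or a backup) cannot recompute them from a known address; the identity-to-token mapping lives only in memory for the duration of the run. Scheduling the job, and deciding whether the host's name also counts as an identifier to scrub, are policy choices the controller makes.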
4. Visitor-Facing GDPR Information
At every check-in point (kiosk, web registration or QR invite), visitors are shown a GDPR information page explaining:
- Who the Data Controller is (your organisation)
- What data is being collected and why
- How long data will be retained
- Their rights under GDPR (access, rectification, erasure, objection)
- The contact details of your DPO (if configured)
The visitor must acknowledge this information before their visit is registered. A timestamp of acknowledgement is stored as a compliance record.
5. Data Subject Rights Workflow
When a visitor submits a data subject request (right of access or erasure), the administrator receives a notification in the VisitorPass dashboard. The admin can export or delete all records relating to that visitor with a single action. The platform logs the request and action for your compliance records.
6. Security Measures
- All data is transmitted over HTTPS (TLS 1.2+)
- Data stored on servers within the European Economic Area (EEA)
- Database access is restricted to the application layer only
- Regular backups with encryption at rest
- Role-based access control — staff see only the data needed for their role
7. Sub-processors
We use a small number of sub-processors to deliver the service (e.g. cloud hosting, email delivery). A full list is available in the DPA. All sub-processors are EU-based or covered by an appropriate adequacy decision or Standard Contractual Clauses.
8. Data Processing Agreement
A signed DPA is required for all paid customers. The DPA is based on the standard EU model clauses and covers:
- Scope and purpose of processing
- Technical and organisational security measures
- Sub-processor authorisation
- Data subject rights assistance obligations
- Breach notification procedures
- Audit rights
To request a DPA, email legal@visitorpass.eu.
9. Supervisory Authorities
Visitors and customers have the right to lodge a complaint with their national supervisory authority. Examples include:
- Austria: Datenschutzbehörde — dsb.gv.at
- Germany: BfDI — bfdi.bund.de
- France: CNIL — cnil.fr
- UK: ICO — ico.org.uk
- EU list: edpb.europa.eu
10. Contact
For data protection queries: privacy@visitorpass.eu
For DPA requests: legal@visitorpass.eu