All companies that collect or process the personal information of EU residents
must ensure they have a compliant GDPR (General Data Protection Regulation) data retention policy.
What is GDPR?
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection
and privacy for all individual citizens of the European Union and the European Economic Area.
It also addresses the transfer of personal data outside the EU and EEA areas.
The GDPR gives every EU citizen the right to know and decide how their personal data is being
used, stored, protected, transferred and deleted.
GDPR Data Retention Rules
Article 5 explains that when personal data is collected or processed, it must only be for
purposes that are “adequate, relevant, and limited to what is necessary in relation to the
purposes for which [data] are processed.” Those purposes must be clearly explained at the time
Under GDPR, organizations are required to adhere to the minimization principle, which applies
to the amount of personal data stored and the length of time the information is retained.
When data needs to be retained, appropriate security controls should be applied to prevent
unauthorized access, use, or processing of data and measures should be implemented to
prevent accidental loss, destruction, or damage. Efforts must be made to ensure that all data
retained remain accurate and are kept up to date and inaccurate data is removed.
GDPR data retention is covered in Article 5(e), which explains that data should only be retained
for as long as is required to achieve the purpose for which data were collected and are being
processed. The exceptions to this are when data need to be retained “for archiving purposes in
the public interest, scientific or historical research purposes or statistical purposes.”
Recital 39 of GDPR explains that when data is retained, strict time limits should be established
by the data controller to ensure data is not retained for longer than is strictly necessary. The
data controller is required to conduct periodic reviews and ensure that data is securely erased
when no longer required. GDPR applies to personal data that could be used to identify an individual. If data is required to
be kept for longer, the information should be de-identified to prevent individuals from being
identified from the data.
PassagePoint Features Related to GDPR
PassagePoint is on-premise platform, therefore policies and compliance with GDPR is up to the
organization that purchases PassagePoint and collects and stores visitor data.
However, PassagePoint has built in the following features to allow an organization to configure
the system to comply with GDPR privacy regulations.
PassagePoint can be configured to extract only desired information from an ID scan. The
extracted data from an ID (drivers license, passport, military ID, etc.) is determined by your
organization based on your policies; Personally Identifiable Information (PII) does not have to be
extracted. Visitor information can be captured, masked or ignored based on your configuration
in the software. ALL visitor information is encrypted in transit and retained in the database on
your secure network.
PassagePoint has data retention policies which allow the organization to determine how long
they keep visitor information and can automatically delete it after a specified amount of time.
This feature will Delete all information of visitors and employees after a certain period of time