How long should you keep visitor logs?

Privacy, GDPR and best practice for handling the data of everyone who enters your premises. A careful, practical guide for data protection leads, HR, facilities and security managers: what the Regulation really requires, and how to set a retention rule that stands up.

In short

There is no single mandatory retention period. The GDPR does not set a fixed number of days or months for a visitor log. The Regulation lays down a principle, storage limitation, which says personal data must be kept only for as long as it is needed for the purpose it was collected for, and then deleted.

So the right thing to do is to set a clear internal rule: which data you collect, why, how long you keep it and when you delete it. A period that is proportionate to the purpose and written down is the correct answer — far more so than any number claimed to be valid for everyone.

Anyone who runs a reception desk or a site soon asks the same question: how long should I keep visitor data? It is a fair question, because keeping it too long — or forever — is one of the most common and most avoidable mistakes. At the same time, deleting it too soon can leave you without information you genuinely need for security, audits or investigations.

This guide walks through what the GDPR actually says (accurately, without arbitrary interpretation), why keeping a log is worthwhile, which data is worth collecting and for how long, the most frequent mistakes, and a practical checklist to test whether you are handling your visitors’ data well. It is not legal advice: it is a framework for building a solid process.

What the GDPR says about keeping visitor data

Visitor data — name, company, host, times — is personal data. Keeping it is therefore governed by the UK GDPR and the EU GDPR (Regulation 2016/679), and in particular by Article 5, which sets out the principles that apply to every kind of processing. It is not a list of deadlines, but of criteria that should guide your decisions.

  • Storage limitation (Art. 5(1)(e)) — data must be kept in a form that allows identification for no longer than is necessary for the purposes. This is the central principle whenever the question is “how long”.
  • Data minimisation (Art. 5(1)(c)) — collect only data that is adequate, relevant and limited to what is necessary. The less you collect, the less you have to keep and protect.
  • Purpose limitation (Art. 5(1)(b)) — data is collected for specified, explicit purposes. The purpose is what justifies — and measures — the retention period.
  • Accountability (Art. 5(2)) — the controller must not only comply with the principles but be able to demonstrate it. Hence the importance of a written policy.

One important note: this page is for general information and does not replace legal advice. In larger organisations, or where you carry out unusual processing, it is sensible to consult your data protection officer (DPO) or a specialist. For a dedicated look at compliance, see our guide to visitor logs and the GDPR.

Why keep a visitor log at all

Before asking how long, it helps to be clear about why you keep the data. It is the purposes that drive the duration: every legitimate reason maps to a different retention horizon.

Security

Knowing who is on site, where and why helps you protect restricted areas and reconstruct anything that goes wrong.

Access control

Telling apart who is allowed in, managing entrances and permissions and keeping the flow of arrivals and departures in order.

Emergency response

In an evacuation you need to know at once who is in the building: an up-to-date list of people present makes the roll call fast and reliable.

Audits and inspections

During inspections, ISO audits or internal reviews, a tidy access history is immediate proof of traceability.

Managing suppliers

Suppliers, drivers, technicians and maintenance staff come and go constantly: a record gives you clear checks and accountability.

Investigating past events

After a theft, damage or a dispute, being able to reconstruct who was present, when and why is evidence that memory cannot provide.

Which data to keep and which to avoid

The minimisation principle is your best ally: the less you collect, the easier it is to keep and delete it properly. The table below lists the data typically found in a visitor log, how useful it is and the level of GDPR caution it calls for. It is a general assessment, to adapt to your real purposes.

Data | Usefulness | GDPR caution
Full name | Identifies the visitor | Required: the minimum data for most purposes.
Company | Puts the visit in context | Recommended: useful and barely intrusive.
Internal host | Links the visit to a member of staff | Recommended: helps traceability and organisation.
Time in | Traceability and security | Required: core to the security purpose.
Time out | Who is still on site, emergencies | Required: essential for the evacuation roll call.
Reason for visit | Context and audit | Optional: collect it only if you genuinely need it.
Signature | Acknowledging rules or an NDA | Optional: makes sense with a clear purpose (safety, confidentiality).
Copy of ID | Verifying identity | Not advised: almost always disproportionate, avoid keeping copies.
Photo of the visitor | Visual recognition | Not advised: intrusive, only with a strong, justified purpose.

How long to keep it, in practice

Because there is no single time limit, it is more useful to think in terms of indicative horizons tied to the purpose. The examples below are not rules or thresholds set by law: they only illustrate how the duration shifts with the purpose. The final choice must be proportionate, justified and documented by your organisation.

Prevailing purpose | Typical horizon (indicative) | Note
Daily presence and security only | A few days | If the data only tells you who is on site, it can be deleted quickly.
Security, access control, routine audits | A few weeks or months | An intermediate horizon for routine checks and traceability.
Specific needs, disputes, sector obligations | Longer periods, where justified | Acceptable only with a clear reason tied to the purpose.

The thread is always the same: the duration follows the purpose. Keeping data “just in case” without deciding when to delete it is not good practice; keeping it for a defined period, consistent with the purpose and set out in a procedure, is.

Common mistakes in managing the log

The same mistakes keep recurring around visitor data retention. Knowing them helps you build a more solid, compliant process from the start.

  • Keeping data forever — piling up logs with no deletion rule breaches storage limitation. You need a defined period and a procedure that applies it.
  • Collecting more than you need — ID copies, photos or pointless fields breach minimisation. Collect only what the stated purposes require.
  • Leaving paper logs on show — the open book where everyone reads the entries above theirs is the classic, often-overlooked confidentiality problem.
  • Not informing the visitor — without a clear privacy notice under Article 13, the visitor doesn’t know who processes their data, why or for how long.
  • Not assigning responsibility — if no one is tasked with managing and deleting the data, the procedure stays on paper and is never applied.
  • Forgetting copies and backups — deleting the main file but leaving copies in emails, on USB sticks or in backups means you haven’t really deleted anything.
  • Confusing “useful” with “necessary” — data that might come in handy one day is not, for that reason alone, data to keep. What counts is the current purpose.

Paper logs and the retention problem

The book at reception is the most common solution, but it is also the one that makes retention hardest to manage properly. The limits aren’t only about convenience: they touch confidentiality and security directly.

  • Bulky physical archives — completed logs pile up in binders and cupboards, and over time it’s easy to lose track of what you even hold.
  • Uncontrolled access — an open book on the desk can be read by anyone passing by: every visitor sees the details of those before them.
  • Destroying records — deleting expired data means physically and securely shredding the pages, an operation that often never happens.
  • Other visitors’ privacy — you can’t selectively delete a single name without affecting the whole page, where others are recorded too.

Excel logs and data retention

An Excel sheet is a step up from paper: the data is legible, searchable and can be deleted row by row. On retention, though, it brings a specific risk — the spread of copies — that has to be managed with discipline.

  • Multiple copies — the file gets duplicated, emailed and saved to USB sticks: at some point no one knows how many versions of the data exist, or where.
  • Shared files — on a network folder or in the company cloud, the log can be opened by more people than necessary if permissions aren’t looked after.
  • Access permissions — Excel doesn’t distinguish roles: whoever opens the file sees everything. Limiting access depends entirely on how the containing folder is set up.
  • Backups — automatic backups are valuable, but they also keep the data you thought you had deleted: deletion has to extend to them too.
  • Deletion — removing expired rows is only easy in theory: it needs a steady routine, or the file grows and keeps data well beyond what is necessary.

The digital visitor log and scheduled retention

A digital visitor log tackles retention structurally, because the rules you have to apply by hand with paper and Excel can be set once and then enforced by the system. It doesn’t make an organisation “automatically compliant”, but it makes doing what you decided to do far simpler.

Permission management

Only authorised people can consult the log, with distinct roles and access: the data isn’t exposed to anyone passing reception.

A tidy history

Entries are stored in a structured, searchable way, with no scattered copies: one reliable source instead of many files.

Scheduled deletion

You can set data to be removed automatically once the chosen period has passed: retention follows the rule, not forgetfulness.

Greater control

Privacy notice at sign-in, confidentiality between visitors and traceable actions: the tools to apply GDPR principles are built in.

IRIGuest was built precisely as the next step on from the logbook and the spreadsheet: it replaces paper with an app on iPad and Android tablets, where each visitor signs in independently, reads the privacy notice and signs on screen. There is a free version, usable offline too, and a cloud version for those running several sites who want reports and centralised management. We mention it here not to sell it, but because it is exactly the kind of tool this section is about.

Practical checklist: are you handling visitor data well?

A quick check to see whether your retention practice is in order. If you can answer “yes” to every item you’re on the right track; each “no” is a point to fix.

  • Have you pinned down why you collect visitor data (the purposes of the processing)?
  • Do you collect only the data needed for those purposes, avoiding superfluous fields (minimisation)?
  • Have you decided how long to keep the data and written it into a procedure?
  • Is there a concrete way to delete expired data (paper shredded, rows and backups removed, scheduled deletion)?
  • Do you give visitors a clear privacy notice at sign-in (Article 13 GDPR)?
  • Is one visitor’s data shielded from the view of the others?
  • Can only authorised people consult the log?
  • Do you avoid keeping ID copies or photos without a genuine need?
  • Have you named an internal owner for managing the log and deletion?
  • Do you review your retention policy periodically (for example once a year)?

Start from a ready-made base

Download the free visitor log kit: an Excel template, a printable PDF version and a GDPR reception checklist. A tidy starting point for setting up the collection, retention and deletion of your data.


Frequently asked questions

How long should you keep visitor records?

There is no single duration that suits every organisation. The GDPR sets no precise number of days or months: the period depends on the purpose the data was collected for. The guiding principle is storage limitation (Article 5 of Regulation 2016/679): keep the data only as long as it is needed for the stated purpose, then delete it. The best approach is to set a proportionate period and state it in your privacy notice and an internal procedure.

Can I keep visitor data indefinitely?

No. Keeping data for an open-ended period, with no criterion, conflicts with the storage limitation principle. Even though no fixed deadline is imposed by law, you must decide when the data is no longer needed and delete it. Piling up logs forever is one of the most common and most avoidable mistakes.

Does the GDPR give a specific number of months?

No. The GDPR sets principles, not a table of durations. It requires personal data to be kept for no longer than is necessary for the purposes it is processed for. It is for the controller to choose a period consistent with its purposes and to document it. Be wary of anyone quoting “the” number of months valid for everyone: it doesn’t exist.

What does the retention period depend on?

It depends on the purpose. If the data only tells you who is present for security and emergencies, the horizon is short. If it also supports audits, checks or supplier management, it can be longer. Where there are disputes or specific obligations, it can extend further, but always with a reason. The rule is proportionality between duration and purpose.

Who decides how long to keep the data?

The decision rests with the controller — your organisation — under the accountability principle in Article 5 of the GDPR. It is not arbitrary: it must be justified against the purposes, documented in an internal policy and communicated to visitors in the privacy notice. In larger organisations it helps to involve the data protection officer (DPO), where one is appointed.

How do I delete visitor data when it’s no longer needed?

You need a deletion routine consistent with the period you set. With a paper log that means securely destroying expired pages; with an Excel file, deleting the rows (and copies and backups) in a controlled way; with dedicated software, setting scheduled deletion or exporting and then removing. What matters is that deletion actually happens, in a traceable way — not “whenever someone gets round to it”.
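The scheduled deletion described in the digital-log section above and the deletion routine in this answer come down to the same logic: a retention horizon tied to the prevailing purpose, a documented exception for records under a justified hold, and a deletion trail that proves the rule was applied without itself becoming a second copy of the data. The script below is an added illustration, not code from IRIGuest or any product; the horizons, record fields, sample entries and the hold reason are all assumptions constructed for the example, and a real routine would also have to reach copies and backups.

```python
from datetime import datetime, timedelta, timezone

# Illustrative horizons per prevailing purpose (assumed values for this
# example, not thresholds from the Regulation; your written policy sets them).
RETENTION_DAYS = {
    "presence": 7,     # only "who is on site": a few days
    "security": 90,    # access control and routine audits: weeks or months
}

def parse_ts(value):
    """ISO-8601 timestamp string -> aware datetime (UTC assumed if naive)."""
    if value is None:
        return None
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def apply_retention(records, purpose, now, holds=None):
    """Split a visitor log into rows to keep, a deletion log and rows to review.
    `holds` maps record id -> documented reason for keeping it longer.
    The deletion log records that a row was deleted and under which rule,
    never the visitor's details, so the audit trail stays minimal."""
    horizon = timedelta(days=RETENTION_DAYS[purpose])
    holds = holds or {}
    kept, deletion_log, review = [], [], []
    for rec in records:
        time_out = parse_ts(rec.get("time_out"))
        if time_out is None:
            # No sign-out: still on site or an unclosed entry. The roll-call
            # purpose is still live, so flag it for review rather than delete.
            review.append(rec["id"])
            kept.append(rec)
        elif rec["id"] in holds:
            kept.append(rec)   # justified exception, reason documented in holds
        elif now - time_out > horizon:
            deletion_log.append({"id": rec["id"], "deleted_at": now.isoformat(),
                                 "rule": f"{purpose}:{RETENTION_DAYS[purpose]}d"})
        else:
            kept.append(rec)
    return kept, deletion_log, review

# Constructed sample log with fictional visitors, evaluated on 2024-06-30.
SAMPLE_LOG = [
    {"id": 1, "name": "A. Visitor", "company": "Acme", "host": "J. Smith",
     "time_in": "2024-02-01T09:00+00:00", "time_out": "2024-02-01T11:30+00:00"},
    {"id": 2, "name": "B. Courier", "company": "Fastpost", "host": "Reception",
     "time_in": "2024-06-20T08:15+00:00", "time_out": "2024-06-20T08:25+00:00"},
    {"id": 3, "name": "C. Technician", "company": "Fixit", "host": "Facilities",
     "time_in": "2024-03-10T13:00+00:00", "time_out": None},
    {"id": 4, "name": "D. Auditor", "company": "Certify", "host": "Quality",
     "time_in": "2024-01-15T10:00+00:00", "time_out": "2024-01-15T17:00+00:00"},
]
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
HOLDS = {4: "audit finding under review, ref TICKET-PLACEHOLDER"}  # assumed

if __name__ == "__main__":
    kept, log, review = apply_retention(SAMPLE_LOG, "security", NOW, HOLDS)
    print(f"kept {len(kept)}, deleted {[e['id'] for e in log]}, review {review}")
```

Run the same log under the "presence" purpose and the courier's row also falls due, which is the point of the purpose-driven horizon: the same data has different lifetimes depending on why it is held.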

Is a visitor log in Excel GDPR-compliant?

It can be, but it depends entirely on how you manage the file: who can open it, where it is stored, how it is protected, how many copies exist and when they are deleted. Excel won’t handle the privacy notice, confidentiality between visitors or scheduled deletion on its own: that’s down to you. It’s a good starting point, but it takes discipline. See our guide to a paper, Excel or digital visitor log.

Should visitors sign the log?

A signature is not a general requirement: it depends on the purpose. It makes sense when you need to record acknowledgement of safety rules, an internal policy or a non-disclosure agreement (NDA), typically on industrial sites. Without a clear purpose, the signature becomes one more piece of data to manage and keep for no real reason — in which case it’s better to leave it out.

Can I ask visitors for ID?

Asking to see an ID to verify identity in a specific case is one thing; keeping a copy or scan of it is quite another, and far more intrusive. Taking copies of ID is almost always disproportionate to the purpose of a visitor log, and unless a specific obligation requires it, it’s better avoided. Stick to the essential data.

Do I need a privacy notice for the visitor log?

Yes. The moment you collect a visitor’s name, company and times you are processing personal data, so you must provide clear information under Article 13 of the GDPR: who processes the data, for which purposes, on what basis and for how long it is kept. The notice should be available at sign-in, so the visitor can read it before handing over their details.

Who can consult the visitor log?

Only authorised people, according to their role: typically reception, the security manager or whoever handles access. The log should not be visible to everyone passing the front desk, and this is exactly where the open paper book shows its most serious weakness. Limiting and tracking access to the log is part of the security the GDPR expects.

How do I stop one visitor seeing another’s details?

On paper this is the weak point: whoever signs reads the names of those before them. With Excel it depends on who can open the file. A digital log solves it at the root, because each guest fills in only their own record and never sees anyone else’s. Confidentiality between visitors is one of the main reasons organisations leave paper behind.

Is keeping a visitor log a legal requirement?

Keeping a visitor log is not imposed across the board on all private companies: it is often a security and organisational best practice, while in some settings it can become necessary for sector duties or certifications. Once the data is collected, however, its retention is subject to GDPR principles. We have a dedicated guide to whether a visitor log is required by law.

What’s the risk of keeping data too long or without a rule?

Keeping data beyond what is necessary, with no purpose and no deletion routine, exposes you to challenge in an inspection or complaint and needlessly increases the risk if the data is ever accessed without authorisation. The issue, before any penalty, is substance: the more data you hold beyond need, the more data you have to protect. A clear retention policy reduces both the risk and the workload.

Do I need to keep data on suppliers and contractors too?

Yes — the same rules apply as for other visitors: data on suppliers, drivers, technicians and maintenance staff should be collected sensibly and kept for as long as the purposes require (security, traceability, audit). On industrial sites it is sometimes kept a little longer for verification needs, but always with a proportionate reason, not out of habit.

How often should I review my retention policy?

It is good practice to review periodically — once a year, say — which data you collect, why, and how long you keep it, checking that the deletion routine actually works. Needs change: new sites, new visitor flows or new tools can make a policy written long ago obsolete. A regular check keeps your handling consistent over time.

Sources and references

Regulatory and institutional references for further reading. This page is for general information and does not replace legal advice.

  • GDPR — Regulation (EU) 2016/679 — in particular Article 5 on the principles of processing (storage limitation, minimisation, purpose limitation, accountability) and Article 13 on the privacy notice.
  • ICO (UK) and the European Data Protection Board (EDPB) — the reference authorities for data protection guidance in the UK and the EU.
  • IRIGuest internal resources: visitor logs and the GDPR, is a visitor log required by law? and paper, Excel or digital.

Visitor data under control

A digital log makes it easy to collect only what you need, protect confidentiality and delete at the right time. Try it online or start free, with no commitment.