How can you continue using employee electronic entrance cards after 25.05.2018?


Even though the primary function of entrance chips/cards is to ensure a safe and quick entrance onto company premises, in many companies these cards are linked to a certain employee, sometimes even printing the company name, employee’s name, surname, photo on it.

After GDPR comes into force, the reveal of personal data will have to be justified.

First, you will have to define the purpose of linking a card to a certain person, not only ensure the sole function of allowing employees to enter the premises.

Second, if the cards are necessary to track the time when employees arrive/leave work, the need for this will have to be justified by, e.g., developing internal policy related to counting working hours, the bonus system, etc. In this case, the company must receive approval that the employee agrees to data processing since the use of such data cannot be justified with the information required by the employment contract.

Third, if cards are linked to certain employees and they have agreed to it, the company must ensure data pseudonymisation. This means that you must develop a system where a certain employee receives a code and the employer is allowed to print it on the entrance card in place of personal information.