Can security staff require presentation of an identity document to verify a guest?

PRACTICAL ANSWER

The GDPR does not prohibit requesting presentation of an identity document for the purpose of verifying persons entering premises owned by the data controller in any article. It is for the data controller to assess whether verifying persons entering the premises by presentation of an identity document is adequate to the purposes for which personal data are processed, i.e. ensuring the safety of persons present at the controller's premises and the security of property.

When implementing procedures relating to personal data protection within its organisation, the data controller is obliged to comply with the principles arising from the GDPR, namely the purpose limitation principle (Article 5(1)(b) GDPR) and the data minimisation principle (Article 5(1)(c) GDPR). At the same time, when verifying a natural person's identity, the data controller should remember the need to fulfil the information obligation towards them under Article 13 GDPR. The legal basis for processing personal data in connection with maintaining so-called entry and exit records may be Article 6(1)(f) GDPR, as in that case processing personal data will be necessary for the purposes of the legitimate interests pursued by the controller.