Visitor management, event access, workforce safety, campus ID. Every system that identifies or tracks individuals in India is now subject to DPDPA 2023. The governance layer is not optional — it is pre-deployment.
These are legal requirements under the Digital Personal Data Protection Act 2023. They apply to every system that processes personal data of individuals in India — which includes any system that can identify a specific person through their data.
Free, specific, informed, and unambiguous consent before personal data is collected. For a visitor management system: the visitor must affirmatively opt in to data collection, be told exactly what is collected and why, and have a way to withdraw consent. A "by entering this building you consent" sign does not meet this standard.
Data collected for building access cannot be used for visitor analytics, marketing, or any purpose beyond what was consented to. If you collect entry/exit data for security purposes, you cannot use the same data to send promotional communications — without fresh consent for that purpose.
Collect only what is actually needed. If a visitor needs to enter the building, you need their name and the host they are visiting. You probably do not need their phone number, photo, vehicle number, and ID document scan — unless each of those serves a specific stated purpose. Collecting excess data creates legal exposure with no operational benefit.
Individuals have the right to access their data, correct inaccuracies, and withdraw consent. Your system needs a documented process for responding to these requests. This is an operational requirement, not just a policy — someone needs to own it and be able to act on a data access request within a reasonable timeframe.
Pre-deployment requirement: Document what personal data your system collects, where it is stored, who has access, how long it is retained, and what the deletion process is — before any hardware is purchased. This governance document is the foundation; the technology is built on top of it.
For the majority of Indian visitor management and event access applications, barcode (QR code) is the right technology. RFID earns its cost in specific, high-throughput or multi-day scenarios where the operational gap between technologies is significant.
| Application | Barcode / QR | RFID | Right Choice |
|---|---|---|---|
| Corporate visitor management (low-medium volume) | ✓ Sufficient | Overkill | QR code badge, handheld or fixed scanner at reception |
| Single-day event gate access (under 5,000) | ✓ Sufficient | Not justified | QR on ticket or phone app; scan speed adequate |
| Large festival (10,000+ over multiple days) | Queue bottleneck | ✓ Justified | RFID wristband — faster tap, re-entry, cashless payment |
| Multi-zone access control at event | Manageable at low volume | ✓ Better experience | RFID wristband zones programmed per ticket type |
| Cashless payments at event | Not suited | ✓ Right answer | RFID wristband linked to pre-loaded wallet |
| Industrial safety tracking (confined space) | Not suited | ✓ Required | Active RFID or UWB for precise real-time location |
| Campus access (building + cafeteria + parking) | Separate systems | ✓ One credential | RFID card or wristband — one tag, multiple integrated systems |
Industrial safety RFID for confined space, hazardous area, and permit-to-work applications is categorically different from event or visitor management RFID. The technology requirements, the regulatory context, and the vendor selection process are all distinct.
Emergency mustering: Real-time headcount at muster stations during facility evacuation. Every worker's tag is registered; the muster reader at each assembly point reports who is present. The emergency coordinator sees immediately who is not accounted for. This is a life-safety application that requires 99%+ tag registration compliance and reader performance that can be relied upon in emergency conditions.
Confined space entry: Workers entering confined spaces (tanks, vessels, below-grade chambers) in Indian manufacturing and oil & gas are tracked in and out. If a worker does not check out within a defined time, an alert is triggered. Active RFID at the confined space entry point provides the in/out read without any manual action by the worker.
Proximity warning: Workers wearing RFID tags receive vibration or audio alerts when they approach machinery exclusion zones — cranes, heavy vehicles, stamping presses. This requires real-time location accuracy that passive RFID cannot deliver — active RFID or UWB is the technology for these applications.
The two main RFID frequencies for people-sector applications serve different use cases:
HF/NFC (13.56 MHz): Short range, 1–10 cm read distance. Used for tap-to-pay, door access control, and physical access credentials (cards, wristbands). High security, low risk of reading tags at unintended range. The technology in access control cards, contactless payment cards, and hotel room keys. Good for access control where intentional proximate tap is the right interaction model.
UHF (865–868 MHz in India): Longer range, 0.5–10 metres. Used for portals where many tags need to be read simultaneously or at a distance — event gates where people walk through, zone readers for asset and personnel tracking, dock portals. Not suitable for single-tap access because the range means tags read from unintended distances.
"When someone calls me about a visitor management RFID system, the first question I ask is: how many visitors per day? The answer is almost always between 20 and 150. At that volume, QR code on a paper badge is cheaper, simpler, and sufficient. RFID makes sense at visitor volumes above 300–400 per day where the gate throughput and badge processing time creates operational friction. At lower volumes, you are solving a problem you do not have."
— Vishal Singh · LinkedIn · @VishalSinghRFID · Hello@vishalsinghrfid.com
Have you mapped exactly what personal data the system will collect? Name, phone, biometric, vehicle number, entry/exit timestamp — each has different DPDPA weight.
Is your consent mechanism designed and documented? Opt-in, purpose-specific, with a clear withdrawal process. Not a checkbox buried in T&Cs.
What is the actual throughput requirement at your access points? At what volume does QR code gate speed become inadequate? Build your answer from actual data, not assumption.
How long will data be retained and what is the deletion process? For visitor logs, 30–90 days is typically defensible for security purposes. Longer requires documented justification.
For industrial safety: what specific safety obligation are you addressing? Each use case (mustering, confined space, proximity) has different accuracy and reliability requirements.
These come from real conversations. If your question is not here, email me directly.