Document Access Control

Who can view, print and scan what? GDPR-compliant permissions at the MFP

Every organisation has documents not intended for all eyes. Personnel files, payslips, client records, contracts, medical reports — they all contain personal or business-critical information. Yet at many MFPs, the principle is "first come, see everything": anyone can print, scan and copy whatever they want.

Article 32 of the GDPR requires "appropriate technical and organisational measures" to protect personal data. Access control at the MFP is one such measure. This article explains how role-based permissions work, which rights you should define, and how the audit trail fulfils the accountability obligation under Article 5(2) GDPR.

GDPR Article 32: The Legal Basis

Why access control is not optional but mandatory

The GDPR sets clear requirements for the protection of personal data:

  • Art. 32 (Security of processing): Controllers must implement "appropriate technical and organisational measures" to ensure a level of protection appropriate to the risk. This includes the ability to control access to personal data.
  • Art. 5(1)(f) (Integrity and confidentiality): Personal data must be processed in a manner that ensures "appropriate security, including protection against unauthorised processing".
  • Art. 5(2) (Accountability): The controller must be able to demonstrate compliance with the principles. An audit trail at the MFP provides this evidence.

Need-to-know principle: A fundamental principle of information security states that every employee should only have access to the information they need for their work — nothing more. At the MFP, this means: the HR employee can print personnel files, the marketing employee cannot.

Role-Based Access Control (RBAC) at the MFP

AD groups define who can do what — automatically and centrally

Role-Based Access Control (RBAC) is the most established model for permission management. Instead of assigning rights to individual users, permissions are tied to roles. Users are assigned to roles via Active Directory groups.

Practical Permission Examples

Role (AD Group) | Print        | Colour | Scan | Scan Destinations                 | Copy
Management      | All devices  | Yes    | Yes  | All folders                       | Yes
HR              | All devices  | No     | Yes  | HR folder, personal folder        | Yes
Marketing       | All devices  | Yes    | Yes  | Marketing folder, personal folder | Yes
Administration  | Dept. device | No     | Yes  | Personal folder                   | Yes
Intern          | Dept. device | No     | No   |                                   | Mono only, max 10 pages

Law Firm Example

In a law firm, each lawyer has a personal scan profile that only scans into their client folder. The assistant can scan and print general correspondence but has no access to other lawyers' client folders. Reception staff can only copy — no scan or print functions.

Medical Practice Example

The doctor can print patient records and reports. The medical assistant can print referrals and prescriptions but not patient records. Office staff can process general correspondence but have no access to medical documents whatsoever.

Audit Trail: Who Printed What and When?

Meeting the accountability obligation under GDPR Article 5(2)

The audit trail is the digital logbook of your document processing. It records every MFP access without gaps and provides the evidence that GDPR accountability demands:

  • User identification: Who logged in to the device? (Name, AD account)
  • Timestamp: When was the action performed?
  • Action: What was done? (Print, scan, copy, fax)
  • Details: How many pages? Colour or monochrome? Which scan destination?
  • Device: At which MFP was the action performed?

During a data protection audit or security incident, it is possible to trace exactly who accessed which documents and when. This is relevant not only for the GDPR but also for internal compliance requirements and client confidentiality in law firms.
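The permission table and the audit-trail fields above, worked through as an added example; this is not Docuflair code or configuration syntax. The field names and the `Request` class are hypothetical, and the sketch assumes that the device restriction applies to every function, that the colour flag governs both print and copy, that a user in several groups is allowed whatever any one group grants, and that denied attempts are logged as well.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# From the permission table (field names illustrative): "*" = all folders, copy_max None = no limit.
PROFILES = {
    "Management":     {"any_device": True,  "colour": True,  "scan_to": {"*"}, "copy_max": None},
    "HR":             {"any_device": True,  "colour": False, "scan_to": {"hr", "personal"}, "copy_max": None},
    "Marketing":      {"any_device": True,  "colour": True,  "scan_to": {"marketing", "personal"}, "copy_max": None},
    "Administration": {"any_device": False, "colour": False, "scan_to": {"personal"}, "copy_max": None},
    "Intern":         {"any_device": False, "colour": False, "scan_to": set(), "copy_max": 10},
}

@dataclass
class Request:
    user: str
    groups: list            # AD groups of the authenticated user
    enabled: bool           # AD account state
    device: str
    on_dept_device: bool    # device is the user's departmental MFP
    action: str             # "print", "scan" or "copy"
    pages: int = 1
    colour: bool = False
    scan_to: str = ""

def _permits(p, r):
    if not (p["any_device"] or r.on_dept_device):
        return False
    if r.action == "scan":
        return "*" in p["scan_to"] or r.scan_to in p["scan_to"]
    if r.action not in ("print", "copy") or (r.colour and not p["colour"]):
        return False        # actions the table does not list are denied
    return r.action == "print" or p["copy_max"] is None or r.pages <= p["copy_max"]

def decide(r):  # deny by default; any one of the user's groups may grant
    if not r.enabled:
        return False, "account disabled"
    for g in r.groups:
        if g in PROFILES and _permits(PROFILES[g], r):
            return True, "granted by " + g
    return False, "no matching permission"

def audit_record(r, when=None):
    # Fields from the audit-trail list, plus the decision itself (an addition).
    allowed, reason = decide(r)
    return {"user": r.user, "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "action": r.action, "pages": r.pages, "colour": r.colour,
            "scan_to": r.scan_to, "device": r.device, "allowed": allowed, "reason": reason}

if __name__ == "__main__":  # constructed request: an intern copying 12 pages
    print(audit_record(Request("intern1", ["Intern"], True, "MFP-2", True, "copy", pages=12)))
```

Recording the decision and its reason next to each request means a denied attempt, such as an HR account trying to scan into the marketing folder, leaves the same evidence as a permitted one.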

Implementation: From AD Groups to MFP Permissions

Three steps to GDPR-compliant access control

Step 1: Define AD Groups

Create groups in Active Directory that correspond to your organisational roles: HR, Marketing, Management, Administration, Reception. Assign each employee to the appropriate group.

Step 2: Configure Permissions in Docuflair

Map AD groups to Docuflair permission profiles. Define for each group: which devices are accessible, which functions are available, which scan destinations are offered, and whether colour printing is permitted.

Step 3: Automatic Synchronisation

Docuflair automatically synchronises users and groups with AD. When a new employee is added or transferred to a different department, MFP permissions update automatically. No manual intervention required.

Offboarding: When an employee leaves and their AD account is deactivated, access to all MFPs is revoked immediately. No forgotten access, no security gaps.

Experience Access Control in Action

Docuflair Access Control provides role-based permissions, Active Directory integration and a complete audit trail. In a free demo, we will show you how to protect confidential documents in a GDPR-compliant manner.

Frequently Asked Questions

Answers to the most important questions about document access control

What does the GDPR require regarding access control?

Article 32 GDPR requires "appropriate technical and organisational measures" to protect personal data. This includes ensuring that only authorised persons have access to personal data. Access control at the MFP with authentication and role-based permissions is one such technical measure.

What is Role-Based Access Control (RBAC)?

With RBAC, permissions are assigned to roles rather than individual users. Each role defines which functions and resources are available. Users are assigned to roles via Active Directory groups. This greatly simplifies administration, as permission changes only need to be made at the role level — not for each individual user.

What does the audit trail at the MFP record?

The audit trail documents every access: who logged in and when, which function was used, how many pages were processed and which scan destination was used. This logging is essential for GDPR accountability under Article 5(2).

How are MFP permissions managed?

Permission management is handled centrally via Active Directory. AD groups are mapped to Docuflair roles that define which MFP functions are available. Changes in AD are automatically synchronised across all devices.
