GDPR and Identity Management

Why printer authentication is not optional but mandatory

An MFP in the corridor of a medical practice. In the output tray sit three medical letters with patient data, two referrals and a sick note. The next patient walking past could see them — or take them. What sounds like an everyday scenario is a data protection violation under Article 32 GDPR.

The General Data Protection Regulation requires "appropriate technical and organisational measures" to protect personal data. Authentication at the printer is one such measure — and for organisations processing personal data, it is effectively mandatory. This article explains the legal basis, shows typical risk scenarios and describes the technical solution.

The Legal Basis: GDPR Articles 5 and 32

Why the printer is a data-protection-relevant device

Article 32 — Security of Processing

Article 32 GDPR obliges controllers to implement "appropriate technical and organisational measures" to "ensure a level of security appropriate to the risk". The measures include "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services".

An unsecured printer where any employee — or visitor — can view personal documents does not meet this requirement.

Article 5(1)(f) — Integrity and Confidentiality

Personal data must be processed in a manner that ensures "appropriate security of the personal data, including protection against unauthorised or unlawful processing". If payslips sit in the output tray where colleagues can see them, confidentiality is breached.

Article 5(2) — Accountability

The controller must be able to demonstrate compliance with the data protection principles. During a supervisory authority inspection, it must be proven that only authorised persons had access to personal data. Without printer authentication and an audit trail, this proof is impossible.

Fine risk: Violations of Article 32 can result in fines of up to 10 million euros or 2% of annual global turnover. Violations of Article 5 can reach up to 20 million euros or 4%. Even SMBs have already received five-figure fines.

Risk Scenarios: What Happens Without Authentication

Everyday situations that become data protection violations

Medical Practice

A medical assistant prints medical letters and reports. Because she is simultaneously attending to patients at reception, she collects the printouts 10 minutes later. In the meantime, patient data — diagnoses, medications, treatment plans — sits openly in the output tray. Anyone walking past the printer can see them.

Law Firm

A lawyer prints a 40-page client file. The first page prints immediately; the last page arrives 2 minutes later. During this time, another lawyer, a client in the waiting area or the cleaner could see the already-printed pages. Client confidentiality is breached.

HR Department

The HR manager prints payslips for 50 employees. Because the printer is in the open-plan office, colleagues walking to the printer can see other employees' salaries. A classic violation of the need-to-know principle and the confidentiality of personal data.

Government Agency with Public Access

In a local authority, an MFP stands in an area accessible to members of the public. Without authentication, a visitor could use the device or view abandoned documents — notices, applications, registration data.

The Solution: Follow-Me Printing + Badge Authentication

Three measures that together establish GDPR compliance

1. Badge Authentication at the MFP

The MFP is locked and only unlocks after authentication via badge or PIN, so unauthenticated users cannot use the print, scan or copy functions. Every access is logged with user identification and timestamp.

2. Follow-Me Printing (Pull Printing)

Print jobs are not released immediately but held in a secure queue. Only when the user personally authenticates at the MFP does printing begin. The user is standing at the device when pages are output — no unattended documents in the output tray.

3. Automatic Deletion of Uncollected Prints

Print jobs not collected within a defined period (e.g. 24 hours) are automatically deleted. This prevents forgotten print jobs from being released by unauthorised persons at a later time.

The three measures combined: Badge authentication ensures only authorised users can operate the device. Follow-me printing ensures documents are only output in the presence of the person who printed them. Automatic deletion ensures forgotten jobs cannot be printed later. Together, they meet the requirements of GDPR Article 32.
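The three measures can be modelled as one small server-side queue: jobs are held rather than printed, a badge swipe at a device looks up the user and releases only that user's jobs (subject to a role check on the document class), stale jobs are purged before every release, and every step lands in an audit trail. The following is an added illustration written for this article, not Docuflair's code or any product's API; the badge tokens, usernames, roles, document classes, device names and the 4-hour retention period are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class PrintJob:
    job_id: str
    owner: str            # user who submitted the job
    doc_class: str        # constructed classes: "patient_record", "prescription", "referral"
    submitted_at: datetime


@dataclass
class AuditEvent:
    at: datetime
    event: str            # "held", "released", "auth_failed", "denied", "expired"
    user: str
    job_id: str = ""
    device: str = ""


class PullPrintQueue:
    """Follow-me queue: holds jobs until the owner authenticates at an MFP,
    enforces a per-role document-class check, and expires uncollected jobs."""

    def __init__(self, badges: Dict[str, str], roles: Dict[str, str],
                 permissions: Dict[str, Set[str]], retention: timedelta):
        self.badges = badges            # badge token -> username (assumed directory)
        self.roles = roles              # username -> role
        self.permissions = permissions  # role -> allowed document classes
        self.retention = retention      # how long an uncollected job is kept
        self.held: Dict[str, PrintJob] = {}
        self.audit: List[AuditEvent] = []

    def submit(self, job: PrintJob) -> None:
        # Nothing is printed at submission time; the job is only parked.
        self.held[job.job_id] = job
        self.audit.append(AuditEvent(job.submitted_at, "held", job.owner, job.job_id))

    def purge_expired(self, now: datetime) -> List[str]:
        expired = [j for j in self.held.values() if now - j.submitted_at > self.retention]
        for j in expired:
            del self.held[j.job_id]
            self.audit.append(AuditEvent(now, "expired", j.owner, j.job_id))
        return [j.job_id for j in expired]

    def release(self, badge_token: str, device: str, now: datetime) -> List[str]:
        """Badge swipe at `device`: returns the job ids sent to that device."""
        self.purge_expired(now)  # forgotten jobs can never be released late
        user = self.badges.get(badge_token)
        if user is None:
            self.audit.append(AuditEvent(now, "auth_failed", "unknown", device=device))
            return []
        allowed = self.permissions.get(self.roles.get(user, ""), set())
        released: List[str] = []
        for j in [j for j in self.held.values() if j.owner == user]:
            if j.doc_class in allowed:
                del self.held[j.job_id]
                released.append(j.job_id)
                self.audit.append(AuditEvent(now, "released", user, j.job_id, device))
            else:
                # Owner is authenticated but not authorised for this class; keep it held.
                self.audit.append(AuditEvent(now, "denied", user, j.job_id, device))
        return released


def run_scenario() -> dict:
    """Constructed walk-through mirroring the medical-practice case: doctor and
    assistant badges, three MFPs, 4-hour retention."""
    q = PullPrintQueue(
        badges={"BADGE-0001": "dr.example", "BADGE-0002": "assistant.example"},
        roles={"dr.example": "doctor", "assistant.example": "assistant"},
        permissions={"doctor": {"patient_record", "prescription", "referral"},
                     "assistant": {"prescription", "referral"}},
        retention=timedelta(hours=4),
    )
    t0 = datetime(2024, 1, 15, 8, 0)  # constructed timestamp
    q.submit(PrintJob("J1", "dr.example", "patient_record", t0))
    q.submit(PrintJob("J2", "assistant.example", "prescription", t0))
    q.submit(PrintJob("J3", "assistant.example", "patient_record", t0))
    q.submit(PrintJob("J4", "dr.example", "referral", t0 - timedelta(hours=5)))  # forgotten
    wrong_badge = q.release("BADGE-9999", "mfp-reception", t0 + timedelta(minutes=1))
    doctor = q.release("BADGE-0001", "mfp-reception", t0 + timedelta(minutes=5))
    assistant = q.release("BADGE-0002", "mfp-lab", t0 + timedelta(minutes=10))
    return {
        "wrong_badge": wrong_badge,
        "doctor": doctor,
        "assistant": assistant,
        "still_held": sorted(q.held),
        "events": [e.event for e in q.audit],
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that the authorisation check runs at release time, not at submission: even if a job reaches the queue, it only leaves the server when an authenticated, authorised user is physically at the device, and the audit trail records the denial as well as the release, which is the evidence Article 5(2) asks for.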

Case Study: Medical Practice with 3 MFPs

From vulnerability to GDPR-compliant solution

Before: The practice has three MFPs — at reception, in the consulting room and in the laboratory. All devices are accessible without login. Medical letters, reports and prescriptions are printed and sometimes sit in the output tray for minutes.

After: All three MFPs are equipped with card readers. The doctor authenticates via badge before printing patient records. The medical assistant only has access to prescriptions and referrals. Print jobs are only released when the user is present at the device. Uncollected prints are automatically deleted after 4 hours. The audit trail documents every access.

Result: GDPR compliance established, patient data protected, evidence for the supervisory authority available at any time.

Experience GDPR-Compliant Printing in Practice

Docuflair Access Control provides badge authentication, follow-me printing and automatic deletion — the three measures that fulfil GDPR Article 32 at the printer. Schedule a free demo.

Frequently Asked Questions

Answers to the most important questions about GDPR and printer authentication

Is an unsecured printer a GDPR violation?

An unsecured printer is not a GDPR violation in itself, but it poses a significant risk. If personal data sits unprotected in the output tray and can be viewed by unauthorised persons, this constitutes a violation of Article 32 and Article 5(1)(f).

What is follow-me printing?

Follow-me printing means that print jobs are only released when the user personally authenticates at the printer. The job "follows" the user and can be collected at any MFP on the network. Uncollected jobs are automatically deleted.

Which GDPR articles are relevant for printers?

Three articles are particularly relevant: Article 32 requires technical measures, Article 5(1)(f) requires confidentiality, Article 5(2) establishes accountability. Together, they require authentication, access control and logging at the printer.

How high are fines for GDPR violations at the printer?

GDPR violations can result in fines of up to 20 million euros or 4% of annual global turnover. Even SMBs have already received five-figure fines.
