Under GDPR, a visitor log stores personal data — at minimum a name and often an email, phone number, and time of arrival. The host (or their organization) is the data controller.
Key obligations: a lawful basis for processing (usually legitimate interest), a stated retention period (commonly 30–90 days for visitor logs), the right of the visitor to request access or deletion, and appropriate security measures for the log itself.
Visitor management tools help by retaining data for a configurable period and providing export/delete endpoints. They do not absolve the host of controller responsibilities.