GDPR Compliance: Your Obligation to Delete Personal Data from Vehicles
GDPR requires organizations to delete personal data from vehicles using objective technical measures when the car changes hands (i.e. remarketing, resale, repossession, car sharing, total loss, and more).
What 11 European Data Protection Regulators Say:

The UK
Information Commissioner’s Office (ICO)
According to the UK’s Information Commissioner’s Office (ICO), “The entity owning or lawfully repossessing the vehicle is the data controller and must ensure deletion before onward use. Passing the vehicle to another user without erasure of the personal data held on its systems could amount to unlawful processing and a personal data breach. Continuing to store or disclose that data without identifying a lawful basis would breach:
Article 5(1)(a) (lawfulness, fairness, transparency);
Article 5(1)(c) (data minimisation);
Article 5(1)(f) and Article 32 (security of processing).
Our guidance stresses that ‘appropriate technical and organisational measures’ must be in place. Relying solely on employees’ subjective judgment or ‘best endeavours’ is unlikely to meet this standard because:
It is not objective, repeatable, or auditable;
It cannot reliably prevent unauthorised disclosure;
It fails to provide evidence of compliance if challenged.”
Source: December 2025 advice of the Information Commissioner’s Office (ICO) to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.
Spain
Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD)
“…the data stored in a vehicle’s systems (such as telephone directories, call logs, GPS navigation destinations, etc.) make it possible to identify, or render identifiable, a natural person. Therefore, such data fully fall within the definition of personal data.”
“In the context of fleet operators, rental companies, or leasing entities, these organizations become controllers of the data stored in the vehicles once they regain possession of them.”

“According to the processing principles established in Article 5 GDPR, personal data may be retained only for as long as necessary for the purposes of the processing. Once a customer’s use of the vehicle has ended, the original processing purpose ceases to exist (Article 5(1)(e) GDPR). The controller must ensure an appropriate level of security, including protection against unauthorized or unlawful processing (Article 5(1)(f) GDPR), must comply with these principles, and must be able to demonstrate such compliance (Article 5(2) GDPR).”
“Furthermore, Article 25 GDPR requires controllers to implement data protection by design and by default, ensuring that only the personal data necessary for each specific purpose are processed. The EDPB Guidelines on data protection by design and by default emphasize the need to integrate effective technical and organizational measures throughout the entire lifecycle of the processing.”
“From this perspective, when a vehicle is to be returned, resold, reused, reassigned, or otherwise transferred to a third party, the controller must assess the risks associated with the continued presence of personal data in the vehicle’s systems and adopt appropriate measures to prevent unauthorized access or improper disclosure of personal information. The absence of reasonable measures to prevent third parties from accessing personal data stored in the vehicle may constitute a breach of the above-mentioned GDPR principles and obligations and, in certain circumstances, a personal data breach within the meaning of Article 4(12) GDPR. The EDPB Guidelines on personal data breach notification remind controllers that unauthorized access to, or accidental disclosure of, personal data may constitute a personal data breach.”
“… from the perspective of the accountability principle, it is advisable for organizations to have objective, documented, verifiable, and auditable procedures for the deletion or dissociation of personal data stored in vehicles before their transfer or reuse.”
Source: June 2026 advice of the Agencia Española de Protección de Datos (AEPD) to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.

Poland
The Personal Data Protection Office (Urząd Ochrony Danych Osobowych)
“Personal data processed in vehicle systems – e.g. location history, addresses, or phone numbers – constitute personal data within the meaning of the GDPR and are subject to all obligations arising therefrom, where Article 2(2)(c) GDPR applies. In the event of a change of vehicle user, in particular upon resale, return after leasing, or take-over of the vehicle, the acquiring entity becomes the controller of the personal data stored in it and is obliged to process such data in accordance with the GDPR.”
“The controller, in particular an entity engaged in vehicle rental, leasing, fleet management, or resale, is obliged to permanently delete the personal data of previous users stored in the vehicle’s systems before transferring the vehicle to the next user or placing it on the market. This obligation derives from the principles of storage limitation and data minimisation set out in Article 5 GDPR, as well as from EDPB Guidelines 01/2020 on connected vehicles.”
“Transferring a vehicle to a subsequent user without first deleting the previous user’s personal data may constitute a personal data breach within the meaning of Article 4(12) GDPR, thereby giving rise to the obligations under Articles 33 and 34 GDPR, including the obligation to notify the breach to the supervisory authority and, where appropriate, to communicate it to the data subjects concerned. Failure to implement appropriate technical and organisational measures should be regarded as a breach of the security of processing principle set out in Article 5(1)(f) and Article 32 GDPR.”
“The obligation to delete personal data stored in vehicle systems rests solely with the controller, not with the data subjects. Data subjects are entitled to request erasure of their data under Article 17 GDPR; however, the controller — as the entity exercising actual control over the data — is obliged to ensure their deletion before the vehicle is transferred, without the need for a prior request from the data subject.”
“The process of deleting personal data from vehicle systems must be objective, repeatable, and verifiable, as required by the accountability principle set out in Article 5(2) GDPR and the obligation to implement appropriate technical and organisational measures under Article 32 GDPR. An approach based solely on the subjective judgment of employees or on informal ‘best efforts’ practices is insufficient to demonstrate compliance with the regulation.”
“The process of deleting personal data from vehicle systems must be not only effective but also auditable and properly documented, as required by the accountability principle set out in Article 5(2) and Article 24 GDPR. The controller is obliged to implement clearly defined, repeatable, and verifiable technical and organisational procedures, and maintaining reliable documentation of the data deletion process should be regarded as an indispensable element for meeting the requirements of the GDPR.”
Source: July 2026 advice of the Urząd Ochrony Danych Osobowych (UODO) to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.
Croatia
The Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka)
“The Agency believes that personal data stored in the vehicle’s information and communication systems, if they relate to an identified or identifiable natural person, are subject to the General Data Protection Regulation.
It should be noted that the status of data controller is always assessed depending on the specific circumstances of the individual case, i.e. who determines the purposes and means of processing personal data. If, upon re-taking possession of the vehicle, the entity has actual control over the personal data stored in the vehicle’s systems and decides on the further handling of such data, the obligations of the General Data Protection Regulation apply to such processing.
Accordingly, the Agency considers that, in a situation where there is no valid legal basis for the continued storage of personal data of the previous user of the vehicle, the controller must ensure their deletion, or permanent removal or irreversible disabling of access to such data, before the vehicle is made available to another user or offered for sale. Failure to take such action may lead to unlawful processing of personal data and a personal data breach.
This follows in particular from the principles of lawfulness, fairness and transparency, data minimisation, integrity and confidentiality under Article 5(1) of the General Data Protection Regulation, as well as from the principle of accountability under Article 5(2), the obligation to implement appropriate technical and organisational measures under Articles 24 and 32 and the obligation to protect data by design and by default under Article 25.
With regard to your specific question on the methods of deletion, the Agency considers that relying solely on the subjective assessment of employees or on informal procedures is generally not sufficient to fulfil the obligations under the General Data Protection Regulation. The controller must be able to demonstrate compliance with the regulations, which implies the existence of clearly defined, documented and verifiable procedures. We therefore believe that the procedures for removing personal data from vehicles should be objective, consistent, repeatable and verifiable, so that the controller can demonstrate that it has taken appropriate technical and organizational measures to prevent unauthorized access and unauthorized disclosure of data.
The form of the specific technical measure may depend on the type of vehicle, manufacturer, technical architecture of the system and the types of data processed in the vehicle, but this technical complexity does not exclude the controller’s obligation to ensure compliance with the General Data Protection Regulation. If effective deletion requires the involvement of the manufacturer, authorized service or other contractual partner, the controller is obliged to organize such processes organizationally and contractually in a way that allows for the lawful and secure processing of personal data.
In light of all the above, the Agency agrees in principle that data controllers, when they regain possession of the vehicle and before its further use, transfer or resale, are obliged to ensure the deletion of personal data of previous users if there is no appropriate legal basis for their further storage, and that this obligation must be implemented through appropriate technical and organizational measures that are documented and verifiable.”
Source: April 2026 advice of the Agencija za zaštitu osobnih podataka to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.

Lithuania
The Data Protection Office (Valstybinė duomenų apsaugos inspekcija)
“Under Article 4(1) GDPR, data are considered personal data only where the information relates to a natural person who can be identified, directly or indirectly. Accordingly, if data such as location history, home address, telephone number of a natural person, etc. are processed in a vehicle, such data would be considered personal data and their processing would be subject to the GDPR. Meanwhile, Article 4(7) GDPR defines a data controller as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In light of this definition, in the Inspectorate’s opinion, vehicle owners (controllers) engaged in activities such as car rental, provision of replacement vehicles, and similar activities would be regarded as controllers of personal data and would therefore be subject to the GDPR.
On the principle of storage limitation
Recital 39 GDPR states that personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; this requires, in particular, ensuring that the period for which the personal data are stored is strictly limited. In order to ensure that personal data are not kept longer than necessary, the controller should establish time limits for erasure or for a periodic review. The principle of storage limitation, laid down in Article 5(1)(e) GDPR, provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. In order to ensure that personal data are not kept longer than necessary, the controller must determine a justified and reasonable retention period in accordance with the GDPR. Accordingly, in implementing the above-mentioned principle of storage limitation, in cases where personal data contained in a vehicle (for example, contacts, call history, navigation addresses, login data, or other data related to a specific user) are no longer necessary for the purposes for which they were collected, they must be erased. Consequently, vehicle owners (controllers) engaged in car rental, car-sharing or similar activities should establish a clear procedure and time limits ensuring that, once the period of use of the vehicle has ended, any personal data of the previous user remaining in the vehicle are removed and do not become accessible to other persons.
On a personal data breach
Article 5(1)(f) GDPR provides that personal data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the principle of integrity and confidentiality). The controller is required to ensure appropriate technical and organisational measures for the security of personal data, one of which is to ensure that personal data are accessible only to those persons who have the right (a lawful purpose and legal basis) to access or otherwise process them. Article 4(12) GDPR defines a ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
Therefore, if, after the end of the vehicle use period, personal data of the previous user remaining in the vehicle became accessible to another user, such a case could, depending on the factual circumstances, be regarded as a personal data breach within the meaning of Article 4(12) GDPR.”
Source: April 2026 advice of the Valstybinė duomenų apsaugos inspekcija to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.
Estonia
The Data Protection Inspectorate (Andmekaitse Inspektsioon – AKI)
“The Estonian Data Protection Inspectorate (AKI) affirms the ICO position that data controllers whose business processes involve vehicles (such as leasing companies, rental providers, fleet operators, insurers, lenders, or car dealerships) must ensure that personal data stored in a vehicle is handled in accordance with GDPR principles, including lawfulness, data minimization, security of processing, and accountability. This includes the obligation to delete personal data of previous users when a vehicle returns to the controller’s possession and before it is provided to another user.”

“The AKI agrees that the responsibility to ensure an objective, repeatable, and verifiable deletion process follows directly from GDPR requirements. Relying solely on the subjective judgment or discretion of individual employees does not meet the standards of Article 5(2) or Article 32 GDPR.”
Source: March 2026 advice of the Estonian Andmekaitse Inspektsioon to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.

Latvia
The Data State Inspectorate (Datu valsts inspekcija, DVI)
“Information that is available in an automated manner in a vehicle, in the systems therein, and is attributable to an identifiable natural person is subject to the General Data Protection Regulation.”
“The controller (dealer, lessee, etc.) would be obliged to delete personal data from the vehicle before transferring it to another person or entity for use or ownership, thus implementing the principles of storage limitation, etc.”
“A data breach in this context would be detected if such data were accidentally or unlawfully disclosed or transferred to others. It would also be considered a data breach if the data were not deleted upon expiry of the retention period.”
“When the vehicle is planned to be transferred to another person or entity (or sooner, in accordance with internal procedures), the data must be deleted, and this is the controller’s obligation. As previously stated, the data subject may perform such actions themselves, but the company as controller must ensure compliance with the GDPR, again including ensuring that personal data is not unreasonably transferred to another person.”
“Secure data processing is ensured by default. Thus, data deletion processes should be stipulated in internal procedures so that these actions are repeatable on a regular basis and employees cannot miss them due to ignorance.”
“As stipulated in recital 82 of the GDPR, in order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. The same applies to data deletion.”
Source: June 2026 advice of the Latvian Data State Inspectorate to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.
Romania
The National Supervisory Authority for Personal Data Processing (Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal, ANSPDCP)
“With regard to your request, we specify that according to art. 4 point 1 of Regulation (EU) 2016/679 (GDPR), ‘personal data means any information regarding an identified or identifiable natural person (data subject); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to their physical, physiological, genetic, mental, economic, cultural or social identity.’
Thus, personal data stored in vehicles represent personal data and are subject to the provisions of GDPR.
In this context, we mention that art. 4 point 7 of GDPR defines the ‘controller’ as the natural or legal person, public authority, agency or other body which, alone or together with others, determines the purposes and means of processing personal data; where the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be provided for by Union or national law.
Therefore, the controllers referred to in your address (the legal owners of the vehicles) have the status of personal data controllers and, consequently, the obligation to comply with the provisions of Regulation (EU) 679/2016.”
Source: April 2026 advice of the Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.

Slovenia
The Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec)
“For the processing of personal data stored in vehicles, no exception applies; rather, the same rules apply as for the processing of other personal data.
These rules apply fully to the controller, and their application is in no way conditional on whether the IP, as a supervisory authority, issues the relevant guidelines or not.”
Source: March 2026 advice of Informacijski pooblaščenec to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.
Bulgaria
The Commission for Personal Data Protection (Комисия за защита на личните данни)
“Controllers are required to implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is carried out in accordance with the GDPR” and that “this general principle applies to the case described.”
“In the event that the processing of personal data results in: unauthorized or accidental disclosure of or access to personal data (breach of confidentiality); unauthorized or accidental alteration of personal data (breach of integrity); and/or unauthorized or accidental loss of access to or destruction of personal data (breach of availability), such an incident should be considered a personal data security breach. Pursuant to Article 32(1) of the GDPR, the controller and the processor are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of technical progress, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons. We share Lithuania’s position that ‘if, after the end of the period of use of the vehicle, the personal data of the previous user remaining in the vehicle becomes accessible to another user, such a case could, depending on the factual circumstances, be considered a personal data breach within the meaning of Article 4(12) of the GDPR.’”
“We believe that the obligation to erase personal data should rest with data controllers. It would be good practice to draw the attention of data subjects to this, but the GDPR does not impose such an obligation or corresponding liability on them. It should be noted that the controller is obligated to provide data subjects with transparent information regarding the processing of personal data, as well as the opportunity (not an obligation) for them to delete it themselves, but cannot transfer the responsibility to fulfill its obligations under the GDPR.”
“In addition to our previous response, it should be noted that controllers must be able to demonstrate that processing is carried out in accordance with the GDPR. To this end, they are required to implement appropriate technical and organizational measures to protect the rights of data subjects. Furthermore, through these measures, they must ensure the transparency of the processing and notify data subjects of it in a clear manner. It would be good practice for the controller to provide measures that allow the data subject to either delete the data themselves or easily verify that the data has been deleted by the controller before the vehicle is transferred to the next user.”
Source: June 2026 advice of the Bulgarian Commission for Personal Data Protection (CPDP) to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.

Finland
The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto/Dataombudsmannens byrå)
“The controller must comply with the principles relating to the processing of personal data, such as the principle of integrity and confidentiality. The principle of integrity and confidentiality requires the controller to protect personal data from unauthorized and unlawful processing and against accidental loss, destruction or damage. The controller must therefore ensure, through appropriate measures, that third parties do not gain access to personal data of data subjects.
According to the principle of storage limitation, the controller may retain personal data only for as long as necessary for the purpose for which the data are used. The controller must therefore assess and be able to justify how long the retention of personal data is necessary, for example after a car rental event has ended. When personal data are no longer needed, they must be deleted. The controller must ensure that its information systems and other processing processes support compliance with retention periods and regular review.
The General Data Protection Regulation also provides for data protection by design and by default. This provision requires the controller to implement appropriate measures and necessary safeguards to ensure that data protection principles are implemented by design and by default.”
Source: March 2026 advice of Tietosuojavaltuutetun toimisto/Dataombudsmannens byrå to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.
The Only Objective, Auditable Vehicle Personal Data Deletion Solution
Award-winning, multi-patented technology — trusted by companies managing 20+ million vehicles annually.

Privacy4Cars®: the ONLY approved supplier under NAMA’s UK Data Deletion Certification, welcomed by the Vehicle Remarketing Association, for GDPR-compliant vehicle data erasure.

Meet FTC Safeguards requirements.
Meet GDPR obligations.
And other globally recognized security requirements: NIST 800-88r2, ISO 27001/27002, ISO/SAE 21432
Meet GDPR Compliance with Privacy4Cars

Deleting Personal Data from Vehicles: a GDPR Obligation for Automotive Businesses
Why Leading Automotive Companies Choose Privacy4Cars®
Enables Compliance
GDPR requires deleting personal data when vehicles change hands.
New Revenue Stream
Monetise a service that customers want and need.
Accurate Results, Auditable Proof
Every vehicle cleared with Privacy4Cars’ AutoCleared™ receives an individual Certificate of Deletion creating auditable compliance documentation.
Quick and accurate
Automotive business staff can delete personal data from vehicles in 60 seconds or less in most cases.
Simple to Implement. Easy to Scale
It’s an app – no complex integrations. No operational disruption. Just straightforward compliance that works with your existing processes.

Ready to Transform Vehicle Privacy?
Join hundreds of successful auto companies already benefiting from Privacy4Cars® vehicle privacy solutions.