Organisations must delete personal data from vehicles before remarketing or resale using objective technical measures
Relying solely on the subjective judgment or discretion of individual employees does not meet the standards of GDPR.
The UK GDPR:
According to the UK’s Information Commissioner’s Office (ICO), “The entity owning or lawfully repossessing the vehicle is the data controller and must ensure deletion before onward use. Passing the vehicle to another user without erasure of the personal data held on its systems could amount to unlawful processing and a personal data breach. Continuing to store or disclose that data without identifying a lawful basis would breach: Article 5(1)(a) (lawfulness, fairness, transparency) Article 5(1)(c) (data minimisation) Article 5(1)(f) and Article 32 (security of processing).
Our guidance stresses that ‘appropriate technical and organisational measures’ must be in place. Relying solely on employees’ subjective judgment or ‘best endeavours’ is unlikely to meet this standard because: It is not objective, repeatable, or auditable; It cannot reliably prevent unauthorised disclosure; It fails to provide evidence of compliance if challenged.
Source: December 2025 advice of the Information Commissioner’s Office (ICO) to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers, including dealerships.
The EU GDPR:
The Estonian Data Protection Inspectorate (AKI) affirms the ICO position that data controllers whose business processes involve vehicles (such as leasing companies, rental providers, fleet operators, insurers, lenders, or car dealerships) must ensure that personal data stored in a vehicle is handled in accordance with GDPR principles, including lawfulness, data minimization, security of processing, and accountability. This includes the obligation to delete personal data of previous users when a vehicle returns to the controller’s possession and before it is provided to another user.
The AKI agrees that the responsibility to ensure an objective, repeatable, and verifiable deletion process follows directly from GDPR requirements. Relying solely on the subjective judgment or discretion of individual employees does not meet the standards of Article 5(2) or Article 32 GDPR.
Source: March 2026 advice of the Estonian Andmekaitse Inspektsioon to Privacy4Cars on the applicability of GDPR to personal data stored in vehicles and obligations of controllers.
The Only Objective, Auditable Vehicle Personal Data Deletion Solution
Award-winning, multi-patented technology — trusted by companies managing 20+ million vehicles annually.
Meet GDPR Compliance with Privacy4Cars
Why Leading Automotive Companies Choose Privacy4Cars®
Enables Compliance
GDPR requires deleting personal data when vehicles change hands.
Quick and accurate
Automotive businesses staff can delete personal data from vehicles in 60 seconds or less in most cases.
New Revenue Stream
Monetise a service that customers want and need.
Accurate Results, Auditable Proof
Every vehicle cleared with Privacy4Cars’ AutoCleared™ receives an individual Certificate of Deletion creating auditable compliance documentation.
