GDPR Compliance:  Your Obligation to Delete Personal Data from Vehicles

According to the UK’s Information Commissioner’s Office (ICO), “The entity owning or lawfully repossessing the vehicle is the data controller and must ensure deletion before onward use. Passing the vehicle to another user without erasure of the personal data held on its systems could amount to unlawful processing and a personal data breach. Continuing to store or disclose that data without identifying a lawful basis would breach: Article 5(1)(a) (lawfulness, fairness, transparency) Article 5(1)(c) (data minimisation) Article 5(1)(f) and Article 32 (security of processing).

Our guidance stresses that ‘appropriate technical and organisational measures’ must be in place. Relying solely on employees’ subjective judgment or ‘best endeavours’ is unlikely to meet this standard because: It is not objective, repeatable, or auditable; It cannot reliably prevent unauthorised disclosure; It fails to provide evidence of compliance if challenged.”

“The Agency believes that personal data stored in the vehicle’s information and communication systems, if they relate to an identified or identifiable natural person, are subject to the General Data Protection Regulation.

It should be noted that the status of data controller is always assessed depending on the specific circumstances of the individual case, i.e. who determines the purposes and means of processing personal data. If, upon re-taking possession of the vehicle, the entity has actual control over

the personal data stored in the vehicle’s systems and decides on the further handling of such data, the obligations of the General Data Protection Regulation apply to such processing.

Accordingly, the Agency considers that, in a situation where there is no valid legal basis for the continued storage of personal data of the previous user of the vehicle, the controller must ensure their deletion, or permanent removal or irreversible disabling of access to such data, before the vehicle is made available to another user or offered for sale. Failure to take such action may lead to unlawful processing of personal data and a personal data breach.

This follows in particular from the principles of lawfulness, fairness and transparency, data minimisation, integrity and confidentiality under Article 5(1) of the General Data Protection Regulation, as well as from the principle of accountability under Article 5(2), the obligation to implement appropriate technical and organisational measures under Articles 24 and 32 and the obligation to protect data by design and by default under Article 25.

With regard to your specific question on the methods of deletion, the Agency considers that relying solely on the subjective assessment of employees or on informal procedures is generally not sufficient to fulfil the obligations under the General Data Protection Regulation. The controller must be able to demonstrate compliance with the regulations, which implies the existence of clearly defined, documented and verifiable procedures. We therefore believe that the procedures for removing personal data from vehicles should be objective, consistent, repeatable and verifiable, so that the controller can demonstrate that it has taken appropriate technical and organizational measures to prevent unauthorized access and unauthorized disclosure of data.

The form of the specific technical measure may depend on the type of vehicle, manufacturer, technical architecture of the system and the types of data processed in the vehicle, but this technical complexity does not exclude the controller’s obligation to ensure compliance with the General Data Protection Regulation. If effective deletion requires the involvement of the manufacturer, authorized service or other contractual partner, the controller is obliged to organize such processes organizationally and contractually in a way that allows for the lawful and secure processing of personal data.

In light of all the above, the Agency agrees in principle that data controllers, when they regain possession of the vehicle and before its further use, transfer or resale, are obliged to ensure the deletion of personal data of previous users if there is no appropriate legal basis for their further storage, and that this obligation must be implemented through appropriate technical and organizational measures that are documented and verifiable.”

“Under Article 4(1) GDPR, data are considered personal data only where the information relates to a natural person who can be identified, directly or indirectly. Accordingly, if data such as location history, home address, telephone number of a natural person, etc. are processed in a vehicle, such data would be considered personal data and their processing would be subject to the GDPR. Meanwhile, Article 4(7) GDPR defines a data controller as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and

means of the processing of personal data. In light of this definition, in the Inspectorate’s opinion, vehicle owners (controllers) engaged in activities such as car rental, provision of replacement vehicles, and similar activities would be regarded as controllers of personal data and would therefore be subject to the GDPR. On the principle of storage limitation Recital 39 GDPR states that personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; this requires, in particular, ensuring that the period for which the personal data are stored is strictly limited. In order to ensure that personal data are not kept longer than necessary, the controller should establish time limits for erasure or for a periodic review. The principle of storage limitation, laid down in Article 5(1)(e) GDPR, provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. In order to ensure that personal data are not kept longer than necessary, the controller must determine a justified and reasonable retention period in accordance with the GDPR. Accordingly, in implementing the above-mentioned principle of storage limitation, in cases where personal data contained in a vehicle (for example, contacts, call history, navigation addresses,login data, or other data related to a specific user) are no longer necessary for the purposes for which they were collected, they must be erased. Consequently, vehicle owners (controllers) engaged in car rental, car-sharing or similar activities should establish a clear procedure and time limits ensuring that, once the period of use of the vehicle has ended, any personal data of the previous user remaining in the vehicle are removed and do not become accessible to other persons. On a personal data breach Article 5(1)(f) GDPR provides that personal data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the principle of integrity and confidentiality). The controller is required to ensure appropriate technical and organisational measures for the security of personal data, one of which is to ensure that personal data are accessible only to those persons who have the right (a lawful purpose and legal basis) to access or otherwise process them. Article 4(12) GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Therefore, if, after the end of the vehicle use period, personal data of the previous user remaining in the vehicle became accessible to another user, such a case could, depending on the factual circumstances, be regarded as a personal data breach within the meaning of Article 4(12) GDPR.”

The Estonian Data Protection Inspectorate (AKI) affirms the ICO position that marks to data controllers whose business processes involve vehicles (such as leasing companies, rental providers, fleet operators, insurers, lenders, or car dealerships) must ensure that personal data stored in a vehicle is handled in accordance with GDPR principles, including lawfulness, data minimization, security of processing, and accountability. This includes the obligation to delete personal data of previous users when a vehicle returns to the controller’s possession and before it is provided to another user.”

“The AKI agrees that the responsibility to ensure an objective, repeatable, and verifiable deletion process follows directly from GDPR requirements. Relying solely on the subjective judgment or discretion of individual employees does not meet the standards of Article 5(2) or Article 32 GDPR.”

“In response to your email, we note that overall we agree with the view of Information Commissioner’s Office.”

“With regard to your request, we specify that according to art. 4 point 1 of Regulation (EU) 2016/679 (GDPR), “personal data means any information regarding an identified or identifiable natural person (data subject); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identification element, such as a name, an identification number, location data, an online identifier, or to one or more

elements specific to their physical, physiological, genetic, mental, economic, cultural or social identity.”

Thus, personal data stored in vehicles represent personal data and are subject to the provisions of GDPR.

In this context, we mention that art. 4 point 7 of GDPR defines the “controller” as the natural or legal person, public authority, agency or other body which, alone or together with others, determines the purposes and means of processing personal data; where the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be provided for by Union or national law.

Therefore, the controllers referred to in your address (the legal owners of the vehicles) have the status of personal data controllers and, consequently, the obligation to comply with the provisions of Regulation (EU) 679/2016.”

“For the processing of personal data stored in vehicles, no exception applies; rather, the same rules apply as for the processing of other personal data.

These rules apply fully to the controller, and their application is in no way conditional on whether the IP, as a supervisory authority, issues the relevant guidelines or not.”

“It should be taken into account that within the meaning of Article 24(1) GDPR, controllers are obliged to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is carried out in accordance with GDPR, taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. This general principle is also valid for the case indicated by you.”

“The controller must comply with the principles relating to the processing of personal data, such as the principle of integrity and confidentiality. The principle of integrity and confidentiality requires the controller to protect personal data from unauthorized and unlawful processing and against accidental loss, destruction or damage. The controller must therefore ensure, through appropriate measures, that third parties do not gain access to personal data of data subjects.

According to the principle of storage limitation, the controller may retain personal data only for as long as necessary for the purpose for which the data are used. The controller must therefore assess and be able to justify how long the retention of personal data is necessary, for example after a car rental event has ended. When personal data are no longer needed, they must be deleted. The controller must ensure that its information systems and other processing processes support compliance with retention periods and regular review.

The General Data Protection Regulation also provides for data protection by design and by default. This provision requires the controller to implement appropriate measures and necessary safeguards to ensure that data protection principles are implemented by design and by default.”