Fleets, leasing and auto firms warned of GDPR obligations on deleting vehicle data
Fleets, leasing firms and automotive service firms have been reminded of their obligations on deleting data from vehicles under UK and EU GDPR regulations.
A newly published white paper from Privacy4Cars includes a full legal opinion from Aidan Eardley, King’s Counsel, a barrister at the London Bar, stating categorically that fleets, not drivers, are ultimately responsible for deleting driver data from vehicles before selling them, and that failing to do so renders the fleet non-compliant with GDPR data protection requirements.
Andrea Amico, founder of Privacy4Cars, said: “The King’s Counsel is categorical: under GDPR, fleets must delete the data of the drivers before selling them, and can’t push this liability to the vehicle users whose data was recorded.
“In practice: if you manage your own fleet, vehicles must be added to the device management and data disposal policy that your company already has for laptops and smartphones: cars aren’t different under the law. If you use a fleet management company, call them and demand they delete the data (an established standard of care in the United States and Canada); same if you use an inspection company or auction. Require [that] they use tools and not simply rely on the knowledge and imagination of their employee alone because the King’s Counsel warns that is unlikely to meet GDPR compliance – hence you get no real protection for what they charge you.”
The white paper also explores which types of companies have legal obligations on vehicle data and the risks of not complying. It warns that firms across the automotive industry have a mandatory duty to safeguard and delete drivers’ personal data once the car is in their possession. Alongside fleets and leasing firms, this also includes rental, car sharing and shared fleet companies, fleet management firms, dealerships, plus motor finance and insurance businesses.
Automotive businesses become ‘controllers’ of the personal data of prior drivers and passengers under GDPR every time a vehicle returns to their financial or physical control and is destined to be handed off to a future user or owner.
Aidan Eardley KC commented: “Upon return of the vehicle, it seems to me, the hiring company will become the controller of any personal data stored on the vehicle’s systems, and the only thing that it can lawfully do with those data is delete them. If it re-lets the vehicle without doing so, such that the next hirer can see the previous hirer’s personal data, then there will be a strongly arguable case that the hirer has processed the data in contravention of the Art 5(1) principles.”
The paper also looks at how current practices differ from what the law requires, including statistics and anecdotes.
The legal advice sets out the steps those companies need to take to fulfil their legal duty to protect customers’ data. It also offers insights into the broader implications for businesses in the automotive sector: the growing risks, but also the opportunities, that privacy brings and how these can shape their strategy.
With the rise of smart and connected cars, the storage of personal data in vehicles is a growing privacy concern. Vehicles retain sensitive personal information such as phone contacts, call logs, home addresses, navigation history and more. As these vehicles change hands, the risk of personal data being exposed increases if steps are not taken to ensure its deletion.
Personal data is often left in vehicles – likely making this the largest unreported GDPR breach, affecting millions each year, according to Privacy4Cars. In the UK alone, more than 1.6 million cars are leased annually, and across Europe, this figure rises to nearly four million cars. Similarly, the UK sees approximately three million car rentals every year.
The Privacy4Cars white paper is available to download here.