Is Vehicle Data = Personal Data according to GDPR?
- 24.02.2026
- Business, Data Privacy, Top articles
Kate Gudzenko
CIPP/E, GDPR DPP, Cyber in Privacy, DPO Europe consultant
When it comes to personal data, most people think of names, phone numbers, or email addresses. Technical vehicle data doesn’t usually make this list, nor do other data that at first glance relate exclusively to a device or piece of equipment. However, such data has increasingly become the subject of disputes, and even experienced privacy professionals may face difficulties when assessing their status in another jurisdiction. The question of classifying vehicle data requires examination of legal regulation, court practice, regulator positions, and market approaches.
In this article, we’ll examine when and why vehicle data is considered personal in the European and British context.
Table of Contents
Nuances of Qualifying Information as Personal Data
According to Article 4(1) of the European Union’s General Data Protection Regulation (General Data Protection Regulation, GDPR), personal data is any information relating to a data subject, that is, an identified or identifiable natural person. Even if data doesn’t directly name a person, it may be recognized as personal if it allows indirect identification.
Context is important here. Recital 26 of the GDPR recommends taking into account all means reasonably likely to be used by a third party to identify the subject. One should consider the costs and time required for identification, as well as the technology available at the time of processing. For example, a company publishes anonymized statistics in which age, a rare profession, and a small locality are listed together. Given public registries and search engines, a specific person can be identified in a few hours. In such a situation, the data would be personal, since identification is possible with reasonable effort and available technology.
The British regulator ICO (Information Commissioner’s Office) explains: if a third party possesses the means to link information to a specific person, then the original information is considered personal.
What is Personal Data? Closer look into GDRP Definition
How Do Laws and Regulations View Vehicle Data?
🔹 EDPB: most data generated by a “smart” vehicle relates to an identified or identifiable natural person and is therefore personal data. This can include both directly identifying data (about the driver’s identity) and indirect data—trip routes, driving style, mileage, technical condition, geolocation data, and service metadata, which can be linked to a person through the VIN or other combinations.
VIN (Vehicle Identification Number) is a unique 17-character code that identifies the manufacturer, basic characteristics, and year of manufacture of a vehicle.
🔹 UK, ICO: vehicle registration marks (VRM) are personal data in combination with other information, such as geographic data, manufacturer, model, and color of the vehicle.
🔹 France, CNIL (Commission nationale de l’informatique et des libertĂ©s): any vehicle data that can be linked to a specific or identifiable subject—vehicle identification number or registration number, trip routes, degree of wear of parts, dates of technical inspection, mileage, or driving style—is personal data.
🔹 Germany, DSK (Datenschutzkonferenz): data arising from vehicle use is personal if it can be linked to the vehicle identification number or registration number.
🔹 Norway, Datatilsynet: vehicle registration numbers are personal data, and the processing of images of such numbers is considered processing of personal data.
🔹 Finland, Tietosuojavaltuutettu (Data Protection Ombudsman): a vehicle’s service history is personal data of its owner in the sense of GDPR only during the period of ownership. The new owner of a used vehicle does not have the right to access such information as their personal data. Nevertheless, disclosure of the service history is possible on other lawful grounds, for example, in the presence of legitimate interest under GDPR.
🔹 Poland, UODO (Urząd Ochrony Danych Osobowych): a vehicle registration number allows identification of a specific person not only by authorized authorities but also by private individuals. Such a number can serve as an identifier of the owner and, like an IP address or personal identification number, belongs to the category of personal data.
What Do Courts Say About Vehicle Data?
🔹 European Court of Justice (ECJ) judgmentin case C-319/22 (Gesamtverband Autoteile-Handel e.V. v Scania CV) dated 09.11.2023: a VIN by itself does not necessarily contain information about a specific person, i.e., is not inherently personal. By its nature, a VIN is a number linked to a thing—a vehicle. However, if there are reasonably available means to link the VIN to a specific person, then for a person possessing such means, the VIN becomes personal data. The court referred to its previous test (the Patrick Breyer case on recognizing dynamic IP addresses as personal data) and Recital 26 of the GDPR: all means (including extraction of records relating to that person) must be taken into account where there is a reasonable likelihood that they will be used for direct or indirect identification of a natural person.
Applying this principle, the court stated: a VIN is personal data of the natural person listed in the registration certificate if the person with access to the number has reasonable means to identify the vehicle’s owner or lawful user. In other words, for an independent party who can find out through registries or other sources who owns the car with that VIN, this number is personal data.
Moreover, the court noted that even a car manufacturer transmitting the VIN to such independent operators must consider the personal nature of this data. The judgment states: if independent services can identify a person by VIN, then such a number should be considered personal data also for car manufacturers who provide it, even if the VIN itself was not information about a person for them (for example, when the vehicle is not owned by a natural person). Thus, the chain of responsibility extends to all processing participants.
Also note the court’s clarification: if a vehicle is registered to a legal entity, the VIN may not be considered personal data (until the car is sold to a natural person). For vehicles in private ownership, the VIN will almost inevitably be personal data, given the existence of state registration databases and the mandatory inclusion of the VIN and owner’s name in the registration certificate.
🔹 Kassel District Court decisionin case 435 C 584/13 dated 07.05.2013: the court found that data stored by an insurance company (registration number and VIN) is not personal data, because the insurer itself cannot directly determine identity from these numbers without involving authorities. The court indicated that the insurer only stores vehicle characteristics, not the owner’s name. There are no grounds to believe that the insurer or database operator can reconstruct the owner’s identity from the number using its own means. Yes, theoretically data can be requested through the road authority, but this requires a separate procedure and justification of interest, which the court considered disproportionate effort—and therefore concluded that within the means available to the insurer, the person is not identifiable.
🔹 Supreme Administrative Court of Poland ruling in case OSK 2063/17 dated 28.06.2019: a motor vehicle registration number is not personal data.
If Vehicle Data Falls Under GDPR, Which Basis Should Be Chosen for Processing?
If vehicle information is recognized as personal data, any service that collects, matches, and provides this data to users must rely on one of the lawful bases for processing under Article 6(1) GDPR. Let’s consider which bases apply to vehicle history check services:
Legitimate interest (Article 6(1)(f) GDPR: the most likely (and commonly used) basis for private vehicle check services. As a data controller, the service can point to its legitimate interest and/or the interest of third parties (car buyers). They provide reliable information about a vehicle’s history, prevent fraud, and protect buyers from hidden defects. Such an interest is recognized as justified. Moreover, Recital 47 of the GDPR explicitly names fraud prevention as an example of a legitimate interest that can justify processing of personal data. Selling a car with rolled-back mileage or concealing a serious accident is consumer fraud, and detecting such cases serves to combat fraud.
Performance of legal obligations (Article 6(1)(c) GDPR): this basis applies if there is a special legislative provision requiring someone to disclose or process certain vehicle data. In the EU, there are indeed regulations aimed at transparency and consumer protection that can serve as such legal basis. For example, Regulation (EU) 2018/858 (“Motor Regulation”) requires car manufacturers to provide independent operators (repair shops, spare parts distributors, technical information publishers) with all information necessary for the repair and maintenance of vehicles, including access to VINs.
At the national level, there are laws against odometer fraud (in simple terms, mileage tampering) and consumer information requirements. For example, Belgium has introduced the Car-Pass system: the seller must provide the buyer with a Car-Pass certificate when selling a used car. It contains the mileage history: mileage data transmitted to the central database at each technical inspection. The absence of a Car-Pass makes the sale illegal or invalid. Thus, in Belgium, the transfer of certain vehicle data to the new owner is mandated, and the processing of this data—collection of readings, certificate generation, and issuance to the buyer—is carried out on the basis of a legislative provision.
Another example is Ireland: the Consumer Protection Act 2007 requires car sellers to provide accurate and non-misleading information about the product. The Irish association SIMI (Society of the Irish Motor Industry) has organized access to a vehicle history database for its members so they can check the car and fulfill their legal obligation to inform the buyer of all truthful information. A report by the CCPC (Competition and Consumer Protection Commission of Ireland) indicates that dealers use history checks to meet legal consumer information requirements. It turns out that in such cases, the basis for processing is compliance with a legal obligation: the dealer must check and disclose the data, otherwise they will violate consumer protection law.
Even if the law does not prescribe a specific format for data transfer, general obligations for fair trading can justify the processing. The Unfair Commercial Practices Directive (Directive 2005/29/EC) prohibits concealing material information about a product. Thus, concealing a serious accident or tampered mileage can be considered misleading the buyer. Therefore, the seller must disclose such information if known—otherwise they face sanctions. In a number of countries, this concept has transformed into a direct service for buyers: government agencies or partner organizations collect and provide access to vehicle history.
The CCPC notes that 20 EU countries (for example, Belgium, Estonia, Poland, etc.) already provide public access to key information about used cars, recognizing this as best practice. Brian McHugh, head of CCPC, notes: “Sharing vehicle history with buyers will protect all road users by helping to prevent dangerous vehicles from appearing on Irish roads. It is in society’s interest to have an open, free, and accessible public database with basic vehicle history information. Much of this information is already collected by the state. Some of it is provided to sellers and vehicle history providers, but not directly to consumers. We also know that information from third-party services can be incomplete. Consumers deserve better“.
Want to learn how to quickly and correctly identify legal bases for processing?
Join the GDPR Data Privacy Professional course. Trainers provide clear rules and visual diagrams to make finding legal bases easy.
How does this work in practice in European Union?
In many EU countries, there are legal mechanisms for third-party access to some vehicle data. This creates the foundation for “lookup” services.
For example, in Finland, the Traficom agency (the local equivalent of the DMV) provides an online service for checking vehicle history by registration number or VIN. Technical specifications, inspection records, and tax information are available for free, and for a small fee anyone can obtain data about the current owner’s name, one previous individual owner, and the overall registration history. Access to such data is restricted: electronic user identification and compliance with terms of use are required (for example, information is provided primarily to buyers to verify the seller’s claims and cannot be used to harm people’s privacy). The Finnish registry thus explicitly allows disclosure of vehicle owners’ personal data in the interests of buyer verification.
Speaking of Poland, there is a free government portal where anyone who knows the VIN and vehicle number (and date of first registration) can obtain basic history: inspection data, number of owners, accidents, etc.
Among private vehicle lookup services, carVertical and CARFAX are worth mentioning.
carVertical is a European service that was founded in Lithuania and focused on the EU market. In its Privacy Policy, carVertical explicitly cites legitimate interest as the primary legal basis for processing data to compile reports. They formulate this interest as “preventing fraud in the used car market and providing transparent information to buyers“.
CARFAX is the European division of the American service. Similar to carVertical, their business model in Europe relies on legitimate interest. Additionally, this service participates as a partner in the Autonomous Ready project, which is implemented by the Spanish transport authority DGT and the municipality of Barcelona. It provides installation of sensors and driver assistance systems in 150 vehicles. The project aims to predict and prevent driver errors, such as changing lanes without signaling, sudden acceleration or braking. Over 1.5 years of operation, the system has activated tens of thousands of times. And this contributes to improving road safety.
Summary
In Europe, vehicle data is generally considered personal if it allows direct or indirect identification of the owner or user. Regulators (EDPB, national authorities, courts) emphasize: VIN, registration number, mileage, routes, driving style, and even technical metadata can be personal data because they are linked to a natural person through registries or other sources. However, emphasis is placed on context: the same identifier (for example, VIN) may be non-personal for a manufacturer but personal for services with access to registry data.
Special attention is paid to the balance between privacy protection and consumer and market interests. European regulators recognize the importance of transparency in the used car market to combat fraud (mileage tampering, concealment of accidents), and permit data disclosure when there is a lawful basis: “legitimate interest“, compliance with a legal obligation, or consumer protection. Examples from Belgium (the Car-Pass system) and Finland (the Traficom service) show that national laws directly prescribe or permit access to vehicle history data, despite their personal nature.
Vehicle history checking services in the EU are considered quite legitimate, but they must comply with GDPR and national regulation. They must rely on lawful bases for processing, limit the scope of disclosed data, and ensure protection of data subjects’ rights. At the same time, European practice demonstrates a commitment to legitimizing such services as a tool for consumer protection and improving road safety.
This information was collected as part of legal research for one of our clients
Such research is needed when a company initiates processing that is difficult to interpret uniformly. In the future, it helps avoid misunderstandings between the company and supervisory authorities.
If you also have a large complex question that requires studying official positions and case law, we can help you with this.
Personal Data Protection Help and Support under GDPR and National Laws
We help establish systematic personal data protection practices through training and consulting services.
Consulting services on data privacy according to GDPR, ISO 27701 and other international standards.
EU Representative Services under GDPR is a pay-as-you-go service where representation is free during periods without data subject requests or communication with supervisory authorities. The service remains free if the company has not significantly altered its data processing practices since its onboarding process.
A fundamental course that covers all aspects of GDPR and teaches how to apply them in practice.
Privacy training programs for teams both in live online and e-learning formats with diverse level of depth. Customizable and interactive solution for fair price.
Reach Data Privacy & AI Compliance
Fill in the form and get a free consultation.
- Implementation of 7+ legal frameworks.
- Individual and corporate training on the GDPR, and international standards.
- Development of personal data protection systems within organizations.
- Custom services upon request.
