Deleting data from cars: Who is responsible under the GDPR?
Posted: December 3, 2024
Modern cars collect a lot of personal data, from location history to phone contacts and even garage door codes. The General Data Protection Regulation (GDPR) sets out rules and principles for collecting and processing these types of personal data across the European Economic Area (EEA) and the UK.
GDPR principles such as storage limitation, data protection by design, and data security require controllers to minimize privacy risks and, in some cases, proactively delete the personal data they collect.
This article explores how GDPR applies to connected car data where cars are used by multiple people, most notably in the car hire sector.
Data controllers in the car hire sector
Most of the GDPR’s rules apply to the “(data) controller”: the entity that “determines the purposes and means of the processing of personal data”.
In many situations, the identity of the controller is clear. In the car hire sector, things get a little more complicated.
According to some interpretations, the person hiring the car is initially the controller for their own data. However, when the customer returns the vehicle, they lose control of the data that the car has collected, and the car hire company becomes the controller.
Do car hire companies have to delete personal data collected by their vehicles?
If we accept that a car hire company is the controller of the personal data collected by the cars it rents to consumers, certain obligations arise once the car is returned by the customer.
If the customer fails to delete their personal data from the car’s systems, it could remain accessible to the next customer. If the next customer accesses the previous customer’s personal data, this could constitute a “personal data breach” within the meaning of Article 4(12) of the GDPR:
“…a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed…”
Is one person seeing another person’s connected vehicle data really a data breach?
Arguably, yes – it could constitute the “unauthorized disclosure of, or access to, personal data….”
However, even setting the definition of a “data breach” aside, the GDPR provides many obligations that would apply to a car hire company acting as a controller. For example:
- Storage limitation: Personal data should be retained only as long as necessary in relation to a specified purpose. Once a customer returns a hire car, the controller has no need to retain the associated personal data and should automatically delete it.
- Security: Controllers must implement “technical and organizational measures” to protect personal data against unauthorized disclosure. Such measures could include employing a policy or software tool to routinely erase personal data once a car is returned by a customer.
- Data protection by design: Controllers must design any system used to process personal data – such as a car – to ensure GDPR compliance. This could include integrating processes to automatically erase personal data once it’s no longer needed.
Isn’t deleting the data the customer’s responsibility?
The GDPR doesn’t cover this issue directly. But arguably, a car hire company cannot shift the responsibility for deleting personal data onto its customers.
The GDPR recognizes data protection as a fundamental right. As such, people are entitled to the protection of their personal data regardless of whether they have the technical awareness or ability to ensure this protection themselves.
If car hire companies are the controllers of their customers’ data – even if a customer willingly provided this data when using the company’s car – then the responsibility for deleting the data falls on the car hire company itself.
As such, car hire companies should consider taking the following steps to ensure GDPR compliance:
- Provide comprehensive notice to customers about how their hire car collects and uses personal data
- Request consent for any data processing unless the processing is necessary to provide services requested by the customer
- Once a customer returns their hire car, ensure any data collected by the car is deleted and inaccessible to the next customer