An industry-wide initiative to strengthen data deletion practices in the used car and van sector is being backed by the Vehicle Remarketing Association.
The new Data Deletion and Privacy Protection Certificate has been launched by the National Association of Motor Auctions (NAMA) and developed with input from auction operators, compliance experts, and technology providers.
It addresses areas including data deletion procedures, auditability and reporting, operational workflows, and GDPR-aligned governance.
Jonathan Butler, VRA legal counsel and partner at Geldards explained, “Legal analysis and regulatory expectations make clear organisations handling vehicles – including rental, leasing, fleet and remarketing businesses – become data controllers for personal data stored in a vehicle once it returns to their possession.
“Failing to delete this data before the vehicle is passed to another user may constitute unlawful processing and a personal data breach, potentially contravening several articles of UK GDPR.
“The new NAMA certificate provides the means for the automotive industry to take decisive action to protect consumer privacy as connected vehicle features continue to expand the volume of personal data stored in modern vehicles.”
VRA member Privacy4Cars has been named the first approved supplier under the initiative, following assessment of its data-deletion platform. The company met key requirements, ensuring that personally identifiable information and other sensitive data are removed from vehicles in a consistent and verifiable manner prior to resale.
Philip Nothard, VRA chair, said: “As cars and vans incorporate more and more digital technology, the responsible management of the personal data stored in them is becoming an increasingly acute issue.
“From navigation histories and call logs to synced contacts and messages, modern vehicles routinely store sensitive information – and when those vehicles are returned, resold, or remarketed, that data frequently remains.
Under UK GDPR, any organisation that determines the purposes and means of processing personal data becomes a data controller. When a rental, leasing, fleet, or remarketing business regains possession of a vehicle, it assumes control over the data stored within it.
Continuing to store or disclose that data without a lawful basis risks breaching:
• Article 5(1)(a) – lawfulness, fairness, transparency
• Article 5(1)(c) – data minimisation
• Article 5(1)(f) and Article 32 – security of processing
Passing a vehicle to another user without erasing the data may amount to unlawful processing and a personal data breach.
The ICO has the power to impose significant penalties for breaches of UK GDPR, with fines reaching up to £17.5 million or 4% of global annual turnover – and reinforces this expectation.
