GDPR + Service History - what is legally correct?

ingenieur

Original Poster:

4,643 posts

207 months

Tuesday 23rd August 2022
I thought this subject merited its own topic as it's a big issue and I feel... having read the GDPR directive in full that car dealers (and other do-gooder types) getting rid of service history because of GDPR is factually the wrong thing to do.

I'm up for debating this with anybody else who has read the GDPR directive. It was a while ago and how I interpreted it and how much of it I remember are open to doubt with me being as flawed a soul as any of the rest of us.

My understanding of the directive and the act of parliament which follows is that it's very important to pay attention to the exclusions from the act. Things like companies with under 250 employees for instance! How many of you knew they were excluded from following GDPR? Maybe I'm wrong for the reasons mentioned above but nevertheless... there are hundreds of exclusions and many of them will surprise you.

In the specific area of vehicle service history I believe there is no requirement to try to remove or disguise information or to prevent it from being disclosed. As I've found out recently even main dealers are prone to engaging in this erroneous behaviour. I managed to recover some of the disposed service history for a car I recently purchased but with names and the prices removed from the invoices.

The basic tenets of GDPR are that you have 'data controllers' and 'data subjects'. The data controller is the person looking after the data and the data subject is the individual named within the data being held by the data controller.

The obligation for the data controller is to treat the information they have from the data subject respectfully. So what they cannot do is collect information for ordering a pizza and then sell that information to an advertising company who will then send them offers for laundry detergent. There are other things like 'yes by default' where information is collected in a deceptive fashion. For instance 'yes by default' opting in to a scheme for the pizza company to sell your information to someone else who has no connection to your pizza order is illegal under the act.

This can get very boring! But if you're still reading...

So... this means you give consent for your information to be used.

The data controller then has an obligation to treat your consent for your information to be used only for the purpose it was collected unless otherwise agreed.

This means when you provide your information to a car servicing organisation to be used in connection with car servicing they are within the law so long as that data is not used for anything else. I would say any data controller pretending they are unable to disclose service records in connection with maintaining a service history is probably ignorant of the purpose of the act and the spirit of it. I say 'pretending' because in my view they won't have received proper guidance on how to handle information if they're citing GDPR as a reason to be uncooperative.

darreni

4,436 posts

296 months

Tuesday 23rd August 2022
They have more to lose by potentially falling foul of the law, than to gain by supplying the new owner with the details.

SL22

204 posts

151 months

Tuesday 23rd August 2022
ingenieur said:
My understanding of the directive and the act of parliament which follows is that it's very important to pay attention to the exclusions from the act. Things like companies with under 250 employees for instance! How many of you knew they were excluded from following GDPR?
This is categorically an incorrect statement. GDPR does apply to companies with fewer than 250 employees, but they are granted limited exceptions, such as not having to record all of their processing (if they fall under the exceptions listed).

ingenieur said:
So... this means you give consent for your information to be used.
Again, this is at best an uninformed position to take. There are 6 lawful bases for collecting personal data, each of which is equally valid - consent is just one of them. The data controller can choose which they are using, and thus many businesses use legitimate interests, or contract, rather than consent (which many of the general public seem to think is the only way)

ingenieur said:
I would say any data controller pretending they are unable to disclose service records in connection with maintaining a service history is probably ignorant of the purpose of the act and the spirit of it. I say 'pretending' because in my view they won't have received proper guidance on how to handle information if they're citing GDPR as a reason to be uncooperative.

Not necessarily ignorant, perhaps they have (or haven’t) done a Data Protection Impact Assessment, and as part of their risk mitigation have chosen that the ‘least riskiest’ action to take as a company is to delete/destroy documentation. It may not legally be a necessity under GDPR to do it, but that may be how they choose to safeguard themselves against potential issues (such as massive fines - though in reality fines have been few and far between, but that’s a different story…).



GhostWKD

554 posts

239 months

Tuesday 23rd August 2022
CheesecakeRunner said:
Handling information correctly and legally under the Data Protection Act 2018, which is how GDPR is implemented in law in the UK, can be difficult and expensive. It’s simply easier and cheaper for companies to bin personal data than it is to comply with the law. So it gets binned.

One of the big challenges comes with continually checking they are still allowed to use your data. Just asking once and forgetting about it isn’t enough, they have to regularly check they can still use it and for what purpose. With a service history this is a problem when a car passes through multiple hands and dealers. Conceivably all future dealers would need to check they’re allowed to process your data.

It’s easier now with electronic histories as you can separate the data about the car from the data about the owner, and just keep the car data with the car.

When a GDPR fine can be up to 4% of global turnover or 17.5 million quid, whichever is greater, you can see why they don’t want to risk it.

Edited by CheesecakeRunner on Tuesday 23 August 14:22
I think this sums it up; the risk of falling foul of it is far beyond the benefit to them of trying to work with it.

2x friends work as salesmen at a main dealer for one of the large car brands. As I understand it, whenever a partex comes in, the accompanying stack of paperwork with personal details (invoices with name/address) is normally binned.

ingenieur

Original Poster:

4,643 posts

207 months

Tuesday 23rd August 2022
SL22 said:
ingenieur said:
My understanding of the directive and the act of parliament which follows is that it's very important to pay attention to the exclusions from the act. Things like companies with under 250 employees for instance! How many of you knew they were excluded from following GDPR?
This is categorically an incorrect statement. GDPR does apply to companies with fewer than 250 employees, but they are granted limited exceptions, such as not having to record all of their processing (if they fall under the exceptions listed).
I don't really want to get into a big debate on side points. But this is an extract from the GDPR regulations from the EU. I've not read the UK's version which is their interpretation then passed into law in UK parliament so if it says something different then fair play.



ingenieur

Original Poster:

4,643 posts

207 months

Tuesday 23rd August 2022
darreni said:
They have more to lose by potentially falling foul of the law, than to gain by supplying the new owner with the details.
This is partly why I'm highlighting the issue. They should try to establish what the law actually says before using it to prevent them offering customer service.

ingenieur

Original Poster:

4,643 posts

207 months

Tuesday 23rd August 2022
CheesecakeRunner said:
Handling information correctly and legally under the Data Protection Act 2018, which is how GDPR is implemented in law in the UK, can be difficult and expensive. It’s simply easier and cheaper for companies to bin personal data than it is to comply with the law. So it gets binned.

You mean securely destroyed? Because to put somebody's personal information into an ordinary waste paper bin would be mishandling their data. lol.

CheesecakeRunner said:
One of the big challenges comes with continually checking they are still allowed to use your data. Just asking once and forgetting about it isn’t enough, they have to regularly check they can still use it and for what purpose. With a service history this is a problem when a car passes through multiple hands and dealers. Conceivably all future dealers would need to check they’re allowed to process your data.

No, this is quelled by whether or not the data subject would reasonably expect you to keep the vehicle service history with the vehicle.

CheesecakeRunner said:
It’s easier now with electronic histories as you can separate the data about the car from the data about the owner, and just keep the car data with the car.

You're probably right, this could easily be done if managing the records electronically and modern software should be written to enable data controllers to manage personal information that way. But being able to do it now should not mean retrospectively that all old data has to be destroyed.

fastbikes76

2,450 posts

148 months

Tuesday 23rd August 2022
It is indeed frustrating for us OCD types that they now do this. I’ve recently bought a bargain basement Audi A4 for a run round and it’s a blinding little thing, except it came with nothing other than 2 keys and a V5, not even a book pack! If it wasn’t such a good car (and price!) I would have walked away.

Tried getting the service history from various dealers and even with the new V5 in my name it’s just a closed door quoting GDPR blah blah. Certainly wouldn’t be buying anything expensive or high end blind like this one though.

Edited by fastbikes76 on Tuesday 23 August 15:56

ingenieur

Original Poster:

4,643 posts

207 months

Tuesday 23rd August 2022
SL22 said:
ingenieur said:
So... this means you give consent for your information to be used.
Again, this is at best an uninformed position to take. There are 6 lawful bases for collecting personal data, each of which is equally valid - consent is just one of them. The data controller can choose which they are using, and thus many businesses use legitimate interests, or contract, rather than consent (which many of the general public seem to think is the only way)
This is another side-point of no relevance to the overall thrust of the matter. If they collect it one of the 5 other ways they are still obliged to handle it in much the same way.

Also, don't forget about the exclusions. They are vast and it probably excludes vehicle service history one way or another anyway. But that would require further research.

DanL

6,586 posts

291 months

Tuesday 23rd August 2022
No one except we car nuts cares about seeing the various bills and receipts. A stamped service book (or the electronic equivalent these days) is all it takes to sell a car with full service history, so where’s the reward for doing more?

ingenieur

Original Poster:

4,643 posts

207 months

Tuesday 23rd August 2022
DanL said:
No one except we car nuts cares about seeing the various bills and receipts. A stamped service book (or the electronic equivalent these days) is all it takes to sell a car with full service history, so where’s the reward for doing more?
If doing more means combing through the paperwork meticulously filed by the previous owner and taking out all the important information then there is no reward, only disappointment for the new owner when they find all the information about their new car has been binned.

DanL

6,586 posts

291 months

Tuesday 23rd August 2022
ingenieur said:
DanL said:
No one except we car nuts cares about seeing the various bills and receipts. A stamped service book (or the electronic equivalent these days) is all it takes to sell a car with full service history, so where’s the reward for doing more?
If doing more means combing through the paperwork meticulously filed by the previous owner and taking out all the important information then there is no reward, only disappointment for the new owner when they find all the information about their new car has been binned.
Indeed - and if you’ve bought the car, they don’t care about your disappointment at the lack of receipts, as the car still sold. If you don’t buy the car without them, someone will be along who’s less particular and will.

It’s a business, and unless a car with these extra records is worth more then there’s no incentive to provide the docs.

ingenieur

Original Poster:

4,643 posts

207 months

Tuesday 23rd August 2022
DanL said:
ingenieur said:
DanL said:
No one except we car nuts cares about seeing the various bills and receipts. A stamped service book (or the electronic equivalent these days) is all it takes to sell a car with full service history, so where’s the reward for doing more?
If doing more means combing through the paperwork meticulously filed by the previous owner and taking out all the important information then there is no reward, only disappointment for the new owner when they find all the information about their new car has been binned.
Indeed - and if you’ve bought the car, they don’t care about your disappointment at the lack of receipts, as the car still sold. If you don’t buy the car without them, someone will be along who’s less particular and will.

It’s a business, and unless a car with these extra records is worth more then there’s no incentive to provide the docs.
But what is the incentive for destroying the docs?

ingenieur

Original Poster:

4,643 posts

207 months

Tuesday 23rd August 2022
CheesecakeRunner said:
ingenieur said:
CheesecakeRunner said:
One of the big challenges comes with continually checking they are still allowed to use your data. Just asking once and forgetting about it isn’t enough, they have to regularly check they can still use it and for what purpose. With a service history this is a problem when a car passes through multiple hands and dealers. Conceivably all future dealers would need to check they’re allowed to process your data.

No, this is quelled by whether or not the data subject would reasonably expect you to keep the vehicle service history with the vehicle.
No it’s not. It’s impossible for a data subject to give permanent permission for their data to be used under any circumstances. Which is what leaving personal data with a service history would be, because the subject has no idea how that service history is going to be used in the future, or who will have access to it.

I’m exiting this conversation now, because it’s into work territory for me. But in case you’re wondering, I’ve written Data Protection Impact Assessments for some of this country’s biggest organisations, a couple of which I can guarantee hold your personal data.
They shouldn't be holding my personal data because by your logic I've not given them permanent permission for them to do that... Oh, wait... they would be acting as responsible data controllers so of course they can...

DanL

6,586 posts

291 months

Tuesday 23rd August 2022
ingenieur said:
But what is the incentive for destroying the docs?
It’s easier than keeping all that crap together - it takes storage space. V5 fits in an A4 plastic sleeve, or folded into the service book if it’s a car old enough / low tech enough to not have the history on board.

A4 folders full of old bills that nearly no one is ever going to look at are probably more annoying than useful to a used car dealer…

Edited by DanL on Tuesday 23 August 16:24

Olivergt

2,214 posts

107 months

Tuesday 23rd August 2022
Maybe a solution to this issue is for the Service History to be split into 2 parts:

Part One: Details of the parts that have been replaced on the car with date they were replaced, this is the important part for a new owner, I'm sure they don't really care how much or who paid. If they care about how much, then this information can be gathered from other sources and would be anonymous.

Part Two: Could be a copy of Part One with the additional Customer and Pricing information.

This way, Part One can be kept with the car and transferred between owners and Part Two can be kept (or not) by the person who paid for the parts/labour.

What The Deuces

2,780 posts

50 months

Tuesday 23rd August 2022
CheesecakeRunner said:
No it’s not. It’s impossible for a data subject to give permanent permission for their data to be used under any circumstances. Which is what leaving personal data with a service history would be, because the subject has no idea how that service history is going to be used in the future, or who will have access to it.

I’m exiting this conversation now, because it’s into work territory for me. But in case you’re wondering, I’ve written Data Protection Impact Assessments for some of this country’s biggest organisations, a couple of which I can guarantee hold your personal data.
I tend to disagree, having worked with personal data for over 20 years and GDPR from its inception. If the owner of the car is asked to fill in a form detailing how their data will be used and they sign it, providing it's explicit that the service history will be shared with the new owner of the car and not used for any other purpose, then there's no issue.

It's just a lazy cop-out by car dealers which helps them as they can just say every car has FSH but not evidence it.

supersport

4,588 posts

253 months

Tuesday 23rd August 2022
I never really understood why they needed to print all your personal information on the receipt anyway.

The reg / vin number is all that's needed.

You end up with a bit of paper in your hand with your name, address and phone number on. I know all that.

FunkyGibbon

3,853 posts

290 months

Tuesday 23rd August 2022
GDPR relates to individual people not cars.

IME service history has always been demonstrated by stamps in a service book or from online website with manufacturer.

In the latter when I had my first second hand Lexus I had both stamped book and electronic record. Neither had personal information about any individual who had the car serviced, nor records of any individual who serviced it.

Sounds like some dealers are using GDPR to either be lazy or obfuscate the real history of the car.

Edited to add: If a customer requests more detail than standard service records, e.g. copies of original invoices etc., that may contain personal information and if the dealer had such documents they could either refuse (citing DPA) or charge an admin fee to redact (to comply with DPA). The customer cannot demand data with other people's information, as the customer is not the data subject.

However, the Police or other agencies could request such if required by law or legal proceedings.

Hence why many dealers may destroy any documentation not required for the legal transfer of ownership, i.e. everything but the V5 - they should keep service history if they use service history as part of the sale/transfer.

Edited by FunkyGibbon on Tuesday 23 August 18:10

sospan

2,755 posts

248 months

Tuesday 23rd August 2022
Buy a car. A problem is found. PH has numerous occurrences of problems with cars bought.
It then can deteriorate to an absolute crap scenario of proving the fault was there at purchase for warranty/repair etc.
Buyer side... You buy on evidence of full service history and details of any work done, parts replaced.
Dealer side... the service book shows service history to the schedules specified.
The thread about a blown engine on a car sold as having full dealer/manufacturer warranty with a query about remap/after market exhaust shows how problems arise.
The CAR having full history is the key point. It sets a description of history that sits between both parties. Dealer uses it to enhance selling and buyer has it as a reference should problems arise. Personal details are not necessarily needed. Finding previous owners might help in disputes (the remap thread contained claims by previous owner of a remap yet dealer said the new owner did it and blew the engine. Their pre-sale approval checks were being contested).
Finding a previous owner to query and get evidence of such disputed points can be useful. If GDPR hides their personal details then can a legal challenge allow tracing them so that relevant facts can be verified? This can have a big influence on any legal dispute.