GDPR for Car Dealerships and Automotive Retailers: Finance Applications, Test Drive Data, and Customer Follow-Up
Car dealerships sit at an unusual intersection of retail, financial services, and ongoing customer relationships. A single vehicle purchase involves credit applications, identity verification, insurance referrals, and years of aftersales contact. That is a substantial volume of personal data, much of it financially sensitive, flowing through dealer management systems (DMS), manufacturer portals, and third-party finance providers.
This guide covers every major GDPR compliance area for car dealerships and automotive retailers operating in the UK and EU.
Why Car Dealerships Are High-Risk Data Controllers
Most retailers collect names, emails, and purchase history. Car dealerships go significantly further:
- Finance applications contain salary details, employment history, and credit scores: financial data that, while not special category data under Article 9, carries a high risk of harm to the individual if it is mishandled
- Driving licences are government-issued identity documents retained in both digital and paper form
- Credit checks pull data from credit reference agencies (Experian, Equifax, TransUnion) and leave a search footprint on the individual's credit file: a hard search is visible to other lenders and can affect the credit score, a soft search is visible only to the individual
- FCA authorisation brings additional regulated data handling requirements on top of GDPR
- Long customer relationships — spanning purchase, servicing, MOTs, part-exchange, and resale — mean data accumulates over years
The ICO has made clear that financial services businesses, including FCA-authorised dealers, are expected to operate at a higher standard of data hygiene. A dealership that still holds a customer's finance application from 2019 with no documented retention policy cannot justify that retention under the storage limitation principle (Article 5(1)(e)), and cannot demonstrate compliance as the accountability principle (Article 5(2)) requires.
Finance Applications: Credit Data Under GDPR
When a customer applies for dealer finance — whether through Black Horse, Santander Consumer Finance, Close Brothers, or another lender — the application process generates a significant trail of personal data.
What counts as special category or sensitive financial data:
Income, employment status, salary, outstanding debts, and credit scores are not "special category" data under Article 9 (which covers health, race, religion, etc.), but the risk of harm if they are disclosed or misused is high, so the security (Article 32) and storage limitation (Article 5(1)(e)) obligations should be applied with corresponding rigour. Credit reference agency data is also covered by the agencies' joint Credit Reference Agency Information Notice (CRAIN), which your privacy notice should link to wherever a credit search is mentioned.
Legal basis for processing:
Finance applications are processed under contractual necessity (Article 6(1)(b)) — you need the data to assess and arrange the finance. You do not need consent to run a credit check as part of a finance application the customer has initiated. However, you must be transparent: the privacy notice must explain that a credit search will be conducted, which agency will be used, and that a footprint may appear on the customer's credit file.
Retention:
FCA rules for consumer credit records require retention for at least 6 years from the end of the relationship. GDPR's storage limitation principle (Article 5(1)(e)) requires you to delete data that is no longer needed. These are not in conflict — retain for 6 years for FCA compliance, then delete. The mistake dealerships make is retaining indefinitely "just in case."
Driving Licence Checks and Document Retention
Driving licence checks serve two purposes: identity verification and confirmation of driving entitlement for test drives. Both are legitimate, but they require different handling.
For finance applications: Licence copies are used for identity verification under anti-money laundering (AML) regulations. This is a legal obligation basis (Article 6(1)(c)). Retention should match AML requirements — 5 years from the end of the business relationship under the Money Laundering Regulations 2017.
For test drives: Holding a copy of a licence solely to confirm that the customer could legally drive is legitimate, but it must be proportionate. Once the test drive has occurred and no finance application follows, there is no ongoing basis to retain a copy. Most dealerships retain test drive licence copies indefinitely as a default; this is a data minimisation violation.
Practical rule: If no finance application results from a visit, delete the licence copy within 30 days. If a finance application follows, the AML retention period applies.
Test Drive Logs: What Data You Need and For How Long
Test drive logs typically capture name, contact number, licence number, date, vehicle registration, and mileage out/in. This is justified under legitimate interest (Article 6(1)(f)): you have a clear business interest in knowing who drove a vehicle and in being able to show that to your insurer if a claim arises.
What you do not need:
- Licence copies after the event (unless finance follows)
- Home addresses on the test drive form
- Passport copies as a "belt and braces" ID check
Retention: Insurance purposes justify retention for the duration of the relevant insurance policy year plus a reasonable claims period. In practice, 13 months covers most scenarios. There is no legal basis to retain test drive logs for 5+ years unless a specific incident occurred.
Aftersales Data: Service Records, MOT Reminders, and Recall Notices
Aftersales data is where dealerships often have the healthiest GDPR position — and where they most frequently over-reach on marketing.
Service records — mileage, work carried out, parts replaced — are legitimately retained under contractual necessity and warranty obligations. Retention of 7 years is standard for automotive service records.
MOT and service reminders are legitimate interest marketing where there is a genuine ongoing service relationship. The key test under GDPR Recital 47: would the customer reasonably expect to receive these communications? Yes — a customer who serviced their car with you last year would expect a reminder this year. However, the right to object must be clearly communicated, and opt-outs must be honoured immediately.
Recall notices issued by manufacturers are safety-critical service messages, not marketing, so they do not need consent or a legitimate interest balancing test. You must be able to contact customers about safety recalls regardless of their marketing preferences, and a marketing opt-out must never suppress them.
FCA Authorisation and GDPR Overlap
Most new car dealers are FCA-authorised as credit brokers, and many used car dealers are too. FCA authorisation brings Consumer Duty obligations (effective July 2023) which overlap substantially with GDPR principles.
Where they intersect:
- Fair treatment under Consumer Duty maps to transparency and lawfulness under GDPR Article 5
- Suitability assessments require processing income and expenditure data — this must be disclosed in the privacy notice
- Complaints records must be retained for 3 years from the date the complaint was received (FCA DISP rules), and contain personal data
Key compliance point: Your privacy notice must cover both GDPR processing purposes and FCA-related processing. A generic "we process your data to provide services" notice is insufficient. Customers applying for finance need to know specifically: why their credit is being checked, which agencies are used, and how long the data is kept.
Marketing Follow-Up After Test Drives: Legitimate Interest vs Consent
The post-test-drive follow-up call or email is one of the most contested GDPR areas for dealerships.
The core question: Can you follow up with a prospect who test drove a car but did not purchase?
Yes, under legitimate interest, provided:
- You have a genuine commercial interest (following up a serious sales prospect)
- The follow-up is reasonably expected (they came to your showroom, they know you sell cars)
- You are not overriding their privacy rights
- You offer a clear opt-out
Limits: Legitimate interest does not justify indefinite follow-up. One or two contacts within 30 days of the visit is defensible. Contacts months later without any re-engagement signal are harder to justify. If the prospect has told you they are not interested, you have no legitimate interest basis to continue.
PECR consideration: If the follow-up is by email or SMS, PECR applies in addition to GDPR. The soft opt-in covers contact details obtained "in the course of the sale or negotiations for the sale" of a product, so a test drive enquiry can qualify even though no purchase was made, but only if you offered a simple opt-out when the details were collected, repeat it in every message, and market only your own similar products or services. If those conditions are not met, you need prior consent for electronic marketing.
Third-Party Finance Providers as Joint Controllers
When a customer applies for finance through Black Horse, Santander Consumer Finance, or Close Brothers via your dealership, both you and the lender are processing the same application data. Where the two of you jointly determine the purposes and means of that processing, GDPR Article 26 requires an arrangement, in practice a written agreement, that transparently allocates your respective responsibilities. Check how the lender characterises the relationship: some lenders treat the dealer as an independent controller (a credit broker with its own purposes) rather than a joint controller, and the disclosures you owe the customer differ accordingly.
What this means in practice:
- Your dealership and the lender both determine the purposes and means of processing
- You need a joint controller agreement specifying who responds to DSARs, who handles breach notifications, and what each party retains
- Your privacy notice must identify the finance providers as joint controllers and signpost their privacy notices
Most lender agreements include standard data sharing clauses, but Article 26 requires more than a data sharing clause: it requires a clear allocation of responsibilities, the essence of which must be made available to the data subject. Dealers who rely solely on the lender's terms without reviewing whether a joint controller arrangement is needed are unlikely to be compliant.
CCTV on Forecourts and in Showrooms
CCTV is near-universal in automotive retail. Under GDPR and the ICO's CCTV guidance:
Legal basis: Legitimate interest — security, prevention of vehicle theft and fraud.
Mandatory requirements:
- Signage at the point of entry to the forecourt and showroom, explaining the purpose and the data controller
- A written CCTV policy covering purpose, retention, access, and deletion
- Retention limited to what is necessary. The ICO does not prescribe a fixed period; 30 days is the common industry default and a defensible starting point, with footage preserved for longer only where a specific incident requires it
Recordings of finance conversations in private offices raise additional considerations. If your showroom finance desk is within range of CCTV cameras that capture audio, you are recording conversations that include sensitive financial information. This requires a specific justification and should be disclosed.
Part-Exchange Valuations and the Previous Owner's Data
When a customer brings in a car for part-exchange, the vehicle may contain the previous owner's personal data — particularly in infotainment systems (saved addresses, phone contacts, navigation history).
Your obligations:
- Advise customers before trade-in to factory reset the vehicle and delete paired devices
- Have a documented process for resetting traded-in vehicles before they enter your forecourt or go to auction
- If you fail to delete this data and it reaches a subsequent buyer, you are a data controller for that third party's personal data — without any lawful basis
This is a frequently overlooked GDPR risk. The ICO has received complaints about connected cars sold with previous owners' home addresses accessible in the navigation system.
Online Lead Generation: Quote Tools and Finance Calculators
Online finance calculators and quote tools that capture name, email, monthly budget, and employment status are collecting personal data before any purchase decision is made.
Compliance requirements:
- A privacy notice link at the point of data collection
- Clear statement of purpose: "We will use your details to contact you about your finance enquiry"
- If the form data is passed to a CRM and used for ongoing marketing, this must be disclosed and a legal basis established
- If the data is passed to third-party lenders or comparison platforms, these must be named as recipients
Pre-populated fields in online tools that pull from cookies or session data without disclosure are a common issue. If your quote tool pre-fills a returning user's details from a cookie, PECR consent for that cookie is required.
Used Car History Data: DVLA and HPI Checks
HPI checks pull vehicle history data that includes previous keeper information — name and address history is not shown to the dealer, but the check generates a processing event. DVLA data access through HPI's systems is governed by the DVLA's data sharing framework and your HPI agreement.
Practical compliance points:
- HPI checks on a vehicle you are considering purchasing do not involve the current customer's personal data — they relate to the vehicle
- However, HPI checks on part-exchange vehicles to assess outstanding finance do involve the customer indirectly and should be disclosed in the privacy notice
- Retain HPI check results as part of the vehicle purchase record — they form part of the contractual basis for the transaction
Data Sharing with Manufacturers: JLR, BMW, VW, and OEM Portals
Franchise dealerships share significant customer data with manufacturers through dealer management portals (DMS integrations, manufacturer CRM systems, and after-sales platforms).
The data controller question: When you input a customer's service record into a manufacturer portal, are you a controller, a processor, or a joint controller?
In most franchise arrangements:
- You are the controller for your customer relationship
- The manufacturer is a separate controller for their own purposes (product improvement, recall management, customer satisfaction surveys)
- You are sharing data with a third party, which requires disclosure in your privacy notice and a lawful basis
Common failing: Many franchise dealerships do not name their manufacturer in the privacy notice as a data recipient. If BMW, JLR, or Volkswagen Group has access to your customers' service records through a shared portal, they must be identified.
10 Common GDPR Mistakes Car Dealerships Make
1. No retention schedule for finance applications. Applications are kept indefinitely. The FCA requires 6 years; GDPR requires deletion after that period.
2. Driving licence copies retained after the test drive. No ongoing legal basis — delete within 30 days unless finance follows.
3. Generic privacy notice. A template that does not reference credit checks, HPI checks, manufacturer data sharing, or CCTV is non-compliant.
4. Sending marketing emails to prospects without a PECR basis. Post-test-drive follow-ups by email or SMS need either consent or the soft opt-in, and the soft opt-in only applies if you offered an opt-out when the details were collected and in every message since.
5. No joint controller agreement with finance providers. Article 26 requires a written agreement — a data sharing clause in a lender's terms is not enough.
6. CCTV with no signage or retention policy. Common in smaller independent dealers. ICO fines have been issued for exactly this failing.
7. Trade-in vehicles sold without factory reset. Previous owner data in the infotainment system reaches the next buyer. No lawful basis for that processing exists.
8. DMS system contains data going back 15+ years. Without a retention policy and regular data purges, legacy DMS data is a GDPR liability.
9. Manufacturer portal data sharing not disclosed. Franchise dealers sharing data with OEM portals without naming the manufacturer as a recipient.
10. No process for subject access requests. You have one calendar month to respond to a SAR, extendable by up to two further months only for complex or numerous requests. If your SAR process relies on manually searching a DMS, paper files, and email inboxes, you will struggle to comply.
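The retention periods above (finance applications, licence copies, test drive logs, service records, CCTV) are only enforceable if something actually computes deletion dates and runs a purge; mistake 8 is what happens when nothing does. The following is an added example, not code from the original article or from any DMS vendor, of a retention check that applies those periods to a set of records. The record layout, field names and sample rows are constructed for illustration; the periods are the article's own figures and are assumptions to replace with your documented schedule. It handles the two edge cases the article calls out: a test drive licence copy is reclassified as an AML identity document when a finance application follows, and records under legal hold (an incident or claim) are never purged.

```python
"""Retention schedule check for dealership customer records.

Added illustration, not code from the original article or any DMS vendor.
Periods follow the article's text; record layout and sample rows are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Period each record type is kept and the event the clock runs from.
# "relationship_end" = the customer's last dated interaction (a live finance
# agreement keeps it in the future); "event" = the date of the record itself.
# Assumed values taken from the article, not a legal reference.
RETENTION = {
    "finance_application":     {"years": 6,   "anchor": "relationship_end"},
    "aml_identity_document":   {"years": 5,   "anchor": "relationship_end"},
    "test_drive_licence_copy": {"days": 30,   "anchor": "event"},
    "test_drive_log":          {"months": 13, "anchor": "event"},
    "service_record":          {"years": 7,   "anchor": "event"},
    "cctv_footage":            {"days": 30,   "anchor": "event"},
}


@dataclass
class Record:
    record_id: str
    customer_id: str                  # "site" for records not tied to a customer
    record_type: str
    event_date: date                  # when the record was created
    end_date: Optional[date] = None   # e.g. finance agreement end; None if n/a
    legal_hold: bool = False          # incident, claim or complaint: never purge


def add_period(d: date, years: int = 0, months: int = 0, days: int = 0) -> date:
    """Calendar-aware date arithmetic, clamping to month end (31 Jan + 1 month = 28/29 Feb)."""
    total = d.year * 12 + (d.month - 1) + years * 12 + months
    y, m0 = divmod(total, 12)
    m = m0 + 1
    last_day = calendar.monthrange(y, m)[1]
    return date(y, m, min(d.day, last_day)) + timedelta(days=days)


def group_by_customer(records):
    groups = {}
    for r in records:
        groups.setdefault(r.customer_id, []).append(r)
    return groups


def relationship_end(customer_records) -> date:
    """End of the relationship: the latest event or agreement end date held for the customer."""
    return max(r.end_date or r.event_date for r in customer_records)


def effective_type(rec: Record, customer_records) -> str:
    """A test-drive licence copy becomes an AML identity document if a finance
    application by the same customer follows it (then AML retention applies)."""
    if rec.record_type == "test_drive_licence_copy" and any(
        r.record_type == "finance_application" and r.event_date >= rec.event_date
        for r in customer_records
    ):
        return "aml_identity_document"
    return rec.record_type


def deletion_due(rec: Record, customer_records) -> date:
    """Earliest date on which this record may be deleted under the schedule."""
    rule = RETENTION[effective_type(rec, customer_records)]
    anchor = relationship_end(customer_records) if rule["anchor"] == "relationship_end" else rec.event_date
    return add_period(anchor, rule.get("years", 0), rule.get("months", 0), rule.get("days", 0))


def purge_candidates(records, today: date):
    """IDs of records past their retention date and not under legal hold."""
    groups = group_by_customer(records)
    return sorted(
        r.record_id for r in records
        if not r.legal_hold and deletion_due(r, groups[r.customer_id]) <= today
    )


# Constructed sample data (not real customers); TODAY is fixed so the result is reproducible.
TODAY = date(2026, 3, 1)
SAMPLE_RECORDS = [
    # Test drive in January, no finance followed: licence copy is overdue, the log is not.
    Record("C1-LIC", "C1", "test_drive_licence_copy", date(2026, 1, 10)),
    Record("C1-TDL", "C1", "test_drive_log", date(2026, 1, 10)),
    # Test drive, then a 3-year finance agreement and a service: the licence copy
    # becomes an AML document and the finance file runs from the agreement end.
    Record("C2-LIC", "C2", "test_drive_licence_copy", date(2019, 5, 2)),
    Record("C2-FIN", "C2", "finance_application", date(2019, 5, 3), end_date=date(2022, 5, 3)),
    Record("C2-SVC", "C2", "service_record", date(2021, 6, 15)),
    # Finance application whose agreement ended in 2019 with nothing since: past 6 years.
    Record("C3-FIN", "C3", "finance_application", date(2018, 2, 20), end_date=date(2019, 2, 20)),
    # CCTV: one clip preserved for an incident, one ordinary clip past 30 days.
    Record("CCTV-0115", "site", "cctv_footage", date(2026, 1, 15), legal_hold=True),
    Record("CCTV-0120", "site", "cctv_footage", date(2026, 1, 20)),
]

if __name__ == "__main__":
    for rid in purge_candidates(SAMPLE_RECORDS, TODAY):
        print("delete:", rid)
```

Run against the sample data, the check flags the January licence copy, the 2019 finance file and the unheld CCTV clip, and keeps everything else: the C2 licence copy is held for 5 years from the end of the finance agreement rather than 30 days from the test drive, and the incident footage is untouched. In a real DMS the anchor date for finance records should come from the agreement end date the lender confirms, not from the application date.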
Start with a Compliance Audit
If you are not sure what personal data your dealership website and online tools are currently collecting and sharing, that is the place to start. Most automotive retail websites carry undisclosed trackers, finance comparison scripts, and advertising pixels that your privacy notice does not mention.
Scan your dealership website free at app.custodia-privacy.com/scan →
A scan takes 60 seconds and shows you every tracker, cookie, and third-party data transfer your website is making — before you or your customers know about it.
Last updated: March 2026