Car dealers should redact used car previous keeper personal information from service history or face expensive court cases for breaching GDPR laws.
That’s the advice from legal experts after one car dealer was forced to settle a case for £3,000 following a service invoice with the previous keeper’s details was left in the glovebox of a used car.
The boss of the large dealer group – who has asked not to be named, but is sharing their case to warn other dealers – said the ‘innocent mistake’ had served as a costly reminder on GDPR laws.
‘We sold a used car with one key and clearly stated it only had one,’ the boss told Car Dealer.
‘The new owner found an old service invoice in the glovebox that had the previous keeper’s address on it so decided to write them a letter and ask if they still had a spare key.
‘All it was, was a letter, but the old owner kicked up a fuss and got a no-win, no-fee solicitor involved who wrote to us threatening court action for a breach of GDPR.
‘My lawyers advised us to settle out of court, which I have done, but all because we left service history in the car. I’ve been advised now to black out all names and addresses on invoices in service history.’
Legal experts from both Lawgistics and CG Professionals advised car dealers to be cautious with previous owners’ details and remove any personal information from invoices.
Lawgistics solicitor Nona Bowkis said she had seen more ‘ambulance chasing’ law firms get involved with GDPR and data breach claims and target dealers.
She said: ‘These types of claims can be heard in the High Court, so if a dealer loses, the costs can run into thousands of pounds very quickly.
‘Furthermore, the customer will nearly always be protected under some sort of no-win, no-fee arrangement and so any dealer on the end of one of these claims, is already on the back foot.’
She advised that if there had been a genuine breach – even an innocent one like this example – then it is ‘probably wise to settle’ out of court.
Bowkis added that the dealer could have argued there had not been a breach as the previous keeper had left the service records in the car, but legal fees on the court case would have been expensive.
She added: ‘This will be an expensive lesson and one which must lead to a thorough review of all data processes.
‘We know some dealers have chosen to redact personal information of this nature as a matter of course – a decision they took as part of their GDPR risk assessments.
‘With ambulance chasing ever present, dealers must regularly review their data policies and procedures to avoid this sort of accusation. In the event one has slipped through the net, dealers should seek legal advice immediately before it gets out of control.’
Stacey Turner, managing partner at motor trade legal firm CG Professionals, explained that personal data is classed as ‘anything that can identify a living individual’, including service history.
She said that dealers should redact personal data – by blacking out names and addresses – to protect themselves.
She added: ‘Alternatively, a dealership could keep its own record of customer details and include customer reference numbers on their servicing history so that if they were ever contacted about a certain entry, they could make an informed decision at that point as to whether there is any legal requirement for disclosure.’
Turner confirmed that disclosure of previous keeper details on a V5 certificate is allowed as it is a legal requirement.