Dealers need to ensure they’re staying on the right side of the law when processing customers’ data, one legal firm has told Car Dealer.
The warning comes after a Land Rover dealer was accused of downloading a customer’s personal data without permission.
Ian Ferguson of Rejectmycar.com, which specialises in dispute resolution, claims Park’s Land Rover Ayr downloaded data from client Mario Bonfanti’s Range Rover Evoque without permission, thereby breaking the Data Protection Act 2018, reported Autocar.
Bonfanti bought the Evoque in September 2018, but a diesel particulate filter problem led to it breaking down four times by February 2020.
He said court proceedings showed that the dealership had downloaded all of the car’s electronic data.
The dealership said it had wanted to examine the session file for when the vehicle broke down.
But it’s alleged the download didn’t just take the ECU’s data but also data from the infotainment system synced to Bonfanti’s phone – which had personal details including his phone’s ID, messages and contacts.
The car is still unrepaired while Bonfanti waits for a decision on his claim for the alleged illegal data access as well as rejecting the Evoque under the Consumer Rights Act 2015.
Ferguson says hundreds of drivers are probably making their data available to dealers without realising it.
‘My firm alone represents 24 people who claim their vehicle data was accessed without permission by car dealers,’ he told Autocar.
‘Based on this, I would guess that each day, hundreds of motorists are unwittingly making their data available to car dealers. Who knows where it ends up?’
Park’s failed to get back to Autocar after it was asked for a comment.
Dealers need to stay lawful
Dealers need to ensure they process a customer’s data lawfully and notify them of how they intend to use their data, Car Dealer was told.
Speaking to us, Thomas Prince from CG Professional said: ‘Accessing and downloading customers’ personal data presents a number of specific challenges to ensure that dealers do not open themselves up to risks of enforcement action and adverse publicity.’
He explained that any organisation or person who has collected or uses personal data must have a lawful basis for how they use it, and he offered some guidance to dealers.
Processing is lawful under data protection law if one of the following applies:
- The individual has consented to the processing – this must be specific to what is actually proposed as being done with the data.
- The processing is necessary:
  - For a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
  - For you to comply with the law (not including contractual obligations)
  - To protect the vital interests of the individual (ie, to protect someone’s life)
  - For you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
  - For your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests
‘Even where any of these apply, dealers must be clear with the relevant individuals about their purposes for processing the data and must specify them in the privacy information provided to customers,’ Prince said.
‘Dealers may only use the personal data for a new purpose if either this is compatible with their original purpose or it meets one of the other requirements.
‘Individuals also have the right to be informed about how dealers use their personal data.
‘On that basis, dealers should ensure that, where they propose to use personal data, they are comfortable that they are doing so lawfully and explain how individuals can exercise their rights.’
Prince added: ‘Finally, personal data should not be retained for longer than needed for the purpose for which it is held, and so storing personal data indefinitely is unlikely to meet this requirement.’
He concluded: ‘Ensuring a legal basis to use personal data can most readily be achieved by obtaining the individual’s consent to the processing which specifically calls out the type of data which will be used, why and which informs individuals of their rights.’