Oy BMW Suomi Ab – Dismissed (Finland, 2022)

The data subject purchased a used BMW vehicle and discovered defects requiring repair. Assuming that the defects were known to the BMW dealership (controller), the data subject requested information about the maintenance and repair history for the vehicle's entire lifecycle. However, the controller declined to comply with the request. When assessing the controller's response, the Finnish DPA checked whether the vehicle's service history was personal data within the meaning of Article 4(1) GDPR. It also analysed whether it would be the personal data of the new owner, giving them the right to access this information under Article 15 GDPR. The DPA held that the vehicle maintenance and repair history might directly or indirectly describe the activities of the vehicle's owner or holder. For example, it may tell how the owner used the vehicle, including its running distance and the owner's driving style. In addition, although the service history usually does not indicate the owner's name, the person can be identified when combining information from other sources, such as a public transportation registry. Hence, the DPA considered that the vehicle service history information relates to an identifiable natural person and thus is personal data under Article 4(1) GDPR. Nevertheless, this information may also include non-personal data to which the GDPR does not apply. Finally, the vehicle service history information cannot be considered the new owner's personal data due to the minimal effect this information has on them. Consequently, the DPA held that the new vehicle owner does not have the right to access this information under Article 15 GDPR when the information relates to another person. However, under other grounds, such as legitimate interest, the controller could still disclose this information to new buyers if it wished to.