CJEU case C‑319/22 Gesamtverband Autoteile-Handel (Access to vehicle information) – CJEU Judgment (European Union, 2023)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice of the European Union ruled that Vehicle Identification Numbers (VINs) can be considered personal data. This decision is important because it means that companies must handle VINs carefully to protect user privacy. Vehicle manufacturers should be aware that they may need to provide access to this information under certain conditions.
What happened
The Court ruled that VINs can be classified as personal data under GDPR.
Who was affected
Vehicle owners whose information can be identified through their VINs.
What the authority found
The Court held that VINs constitute personal data because they can potentially identify vehicle owners.
Why this matters
This ruling sets a precedent that VINs are subject to data protection laws, impacting how vehicle manufacturers manage and share this information. Companies in the automotive sector need to ensure compliance with privacy regulations when dealing with VINs.
GDPR Articles Cited
Scania, a manufacturers of heavy goods vehicles in Europe, grants car repairers access to repair and maintenance information via a website. That website enables searches to be carried out either on the basis of general vehicle information, such as the model, engine or the year of manufacture, or on a given vehicle, by entering the last seven figures of the Vehicle Identification Number (VIN) of that vehicle. VINs in this context are serial numbers and should not be confused for license plates. Gesamtverband, a competitor of Scania, argued that the information granted by Scania to repairers is anti-competitive. It requested the court to order Scania to grant also independent operators (rather than just repairers) access to the above information. Allowing indepenant operators this information would ensure effective competition in the market for vehicle repair and maintenance information services, as it ensures that the independent vehicle repair and maintenance market as a whole can compete with authorised dealers. Alongside other questions, the referring court (while taking the view that, as a general rule, the VIN does not constitute personal data) asked whether Article 61 of Regulation 2018/858 must be interpreted as imposing on vehicle manufacturers a legal obligation to process data, within the meaning of Article 6(1)(c) GDPR. The CJEU informally split the question into two topics. Firstly, whether a VIN can be considered personal data. Secondly, if a VIN is personal data, is an obligation to provide a VIN compatible with the GDPR? On the first point, the CJEU held that VINs constitute personal data within the meaning of Article 4(1) GDPR, in so far as the natural person who has access to a VIN may have means which reasonably allow them to use the VIN to identify the owner of the vehicle to which it relates. It is for the referring court to examine whether that occurs in each case. To come to this decision, the court referenced Article 4(1) GDPR which states
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for CJEU case C‑319/22 Gesamtverband Autoteile-Handel (Access to vehicle information) in EU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
9 November 2023
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-6447About this data
Cite as: Cookie Fines. CJEU case C‑319/22 Gesamtverband Autoteile-Handel (Access to vehicle information) - European Union (2023). Retrieved from cookiefines.eu
Last updated: