In the recent case of Gesamtverband Autoteile-Handel v Scania C-319/22Opens in new window, the Court of Justice of the European Union ("CJEU") agreed with the Advocate General's view that a Vehicle Identification Number ("VIN") is not personal data per se, but it "becomes personal data as regards someone who reasonably has means of enabling that datum to be associated with a specific person".

The CJEU refrained from clearly stating that an assessment as to whether information is personal data must be solely undertaken from the perspective of the party that holds the personal data (i.e. a "relative" approach), or whether it must also be undertaken from the perspective of third parties (an "objective" approach). Rather the CJEU simply states that data "becomes personal data as regards someone who reasonably has means enabling that datum to be associated with a specific person", but also that "account should be taken of all the means likely reasonably to be used either by the controller...or by any other person to identify that person". However, the decision arguably reflects a move by the CJEU towards a more relative approach when assessing whether information is personal data.

The Facts

The German trade association for wholesalers of motor vehicle parts ("Gesamtverband") brought proceedings against the vehicle manufacturer, Scania CV AB ("Scania"), before the regional court of Cologne, Germany. Scania grants independent operators manual access to information on the repair and maintenance of vehicles via a website. That website enables searches to be carried out either on the basis of general vehicle information, such as the model, engine or the year of manufacture, or on a given vehicle, by entering the last seven figures of the VIN of that vehicle. Scania does not make the VINs available to independent operators. Only repairers have access to those data, by virtue of the registration documents or the indication on the chassis of the vehicle entrusted by the customer for the maintenance or repair of the vehicle. Gesamtverband asserted that Scania's provision of vehicle information failed to meet the standards set out in Regulation 2018/858.

Regulation 2018/858 seeks to ensure a competitive market for motor vehicle repairs and the trade in parts for such vehicles by requiring manufacturers of motor vehicles to make available detailed information on the repair history of the vehicles produced by them, including the VIN associated with such vehicles. Where such information being provided is "personal data" within the meaning of the GDPR, processing of that information must be done in accordance with the GDPR.

In addition to two questions as to the interpretation of Regulation 2018/858, the regional court of Cologne asked the CJEU whether Regulation 2018/858 imposed a "legal obligation" within the meaning of Article 6(1)(c) GDPR on vehicle manufacturers to make the VIN of manufactured vehicles available to independent operators.

In order to answer the latter question, the CJEU had to consider whether a VIN constitutes "personal data" for "independent operators" (i.e. providers of vehicle repair and maintenance services who are not authorised dealers/repairers), and whether vehicle manufacturers are required to provide VINs to such independent operators. We will focus on this data protection aspect of the decision for the purposes of this briefing.

The Decision

Whether a VIN constitutes personal data under the GDPR

The CJEU examined whether a VIN, an alphanumeric code assigned to a vehicle by its manufacturer, constitutes "personal data" within the meaning of Article 4(1) GDPR. The CJEU noted that information is personal data where due to its "content, purpose or effect" it is linked to a specific individual. Furthermore, per it's prior judgment in Breyer (C-582/14), the CJEU noted that in order to determine whether a natural person is identifiable, directly or indirectly, from information, account should be taken of all the means likely reasonably to be used either by the controller, within the meaning of Article 4(7) of the GDPR, or by any other person, to identify that person, without, however, requiring that all the information enabling that person to be identified should be in the hands of a single entity.

The CJEU found that the VIN does not, on its own, per se constitute personal data. However, it could become "personal" to someone who has access to it and has means enabling him to use it to identify the owner of the vehicle to which it relates.

It found that "where independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person...that VIN constitutes personal data for them". In addition, the CJEU found that the VIN would also constitute personal data "indirectly, for the vehicle manufacturers making it available, even if the VIN is not, in itself, personal data for them, and is not personal data for them in particular where the vehicle to which the VIN has been assigned does not belong to a natural person".

The CJEU left it to the referring court to assess whether "independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable person" (i.e. to consider if a VIN is personal data).

It follows that since the VIN may constitute personal data for vehicle manufacturers, it must be processed on one of the lawful grounds set out in Article 6 of the GDPR.

Whether there is "legal obligation" under Regulation 2018/858 for vehicle manufacturers to make VINs available to independent operators

The CJEU found that Regulation 2018/858 imposes a "legal obligation", within the meaning of Article 6(1)(c) GDPR, on vehicle manufacturers (such as Scania), to make the VINs of vehicles which they manufacture available to independent operators, as controllers under the GDPR.

Such a legal obligation meets the lawfulness requirements set down in Article 6(3) GDPR, to the extent that it is based on an EU law to which the controller is subject, and the legal basis in Regulation 2018/858 defines:

  1. the purposes of the processing (i.e. to provide independent operators with unrestricted, standardised and non-discriminatory access to, inter alia, vehicle repair and maintenance information);
  2. meets a public interest objective (i.e., ensuring effective and undistorted competition on the market for vehicle repair and maintenance information service); and
  3. is proportionate to that objective.

As regards the latter proportionality requirement, the CJEU noted firstly that, only the website search using the VIN enables the data corresponding to a particular vehicle to be accurately identified and, secondly, that the file before the CJEU does not refer to any other less restrictive means of identification which, at the same time, would be as effective as search on the basis of the VIN and would enable the public interest objective to be pursued.

Comment

The decision helpfully confirms that information may constitute "personal data" under the GDPR for one party, but not for another.

To the extent that the decision finds that VINs constitute personal data in the hands of those independent operators who have reasonable means of linking the VIN to a specific individual, the decision arguably reflects a similar approach to that taken by the General Court in Single Resolution Board ("SRB") v European Data Protection Supervisor ("EDPS") Case T-557/20 (previously discussed here), and a shift towards a more relative interpretation of the concept of personal data under the GDPR.

However, it is worth noting that the primary focus of this case was not on the scope of the concept of personal data, and it is therefore difficult to draw any concrete inferences from this case that the test for what constitutes personal data has changed or shifted in any material way away from that set out in the leading case of Breyer (C-582/14). The latter case arguably endorses a more objective interpretation of the concept of personal data, by taking account of the means likely reasonably to be used either by the controller, or by any other person to identify the person to whom the information relates.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.