Tietosuojavaltuutetun toimisto (Finland) - 8896/152/2019: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(3 intermediate revisions by one other user not shown)
Line 63: Line 63:
}}
}}


The Finnish DPA held, among other things, that the BMW dealership did not have to disclose the service history of a used vehicle to a new buyer under [[Article 15 GDPR|Article 15 GDPR]] because it contained the previous owner's personal data.
The Finnish DPA held that a BMW dealership did not have to disclose the service history of a used vehicle to a new buyer under [[Article 15 GDPR|Article 15 GDPR]] because it contained the personal data of the previous owner, not the new one.  


== English Summary ==
== English Summary ==
Line 73: Line 73:


=== Holding ===
=== Holding ===
The DPA held that the vehicle maintenance and repair history might directly or indirectly describe the activities of the vehicle's owner or holder. For example, it may tell how the owner used the vehicle, including its running distance and the owner's driving style. In addition, although the service history usually does not indicate the owner's name, the person can be identified when combining information from other sources, such as a public transportation registry. Hence, the DPA considered that the vehicle service history information relates to an identifiable natural person and thus is personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]]. Nevertheless, this information may also include non-personal data to which GDPR does not apply.
The DPA held that the vehicle maintenance and repair history might directly or indirectly describe the activities of the vehicle's owner or holder. For example, it may tell how the owner used the vehicle, including its running distance and the owner's driving style. In addition, although the service history usually does not indicate the owner's name, the person can be identified when combining information from other sources, such as a public transportation registry. Hence, the DPA considered that the vehicle service history information relates to an identifiable natural person and thus is personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]]. Nevertheless, this information may also include non-personal data to which the GDPR does not apply.


Finally, the vehicle service history information cannot be considered the new owner's personal data due to the minimal effect this information has on them. Consequently, the DPA held that the new vehicle owner does not have the right to access this information under [[Article 15 GDPR|Article 15 GDPR]] when the information relates to another person. However, under other grounds, such as legitimate interest, the controller could still disclose this information to new buyers if it wished to.
Finally, the vehicle service history information cannot be considered the new owner's personal data due to the minimal effect this information has on them. Consequently, the DPA held that the new vehicle owner does not have the right to access this information under [[Article 15 GDPR|Article 15 GDPR]] when the information relates to another person. However, under other grounds, such as legitimate interest, the controller could still disclose this information to new buyers if it wished to.

Latest revision as of 13:20, 15 June 2022

Tietosuojavaltuutetun toimisto - 8896/152/2019
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 4(1) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Rejected
Started: 18.11.2019
Decided: 08.06.2022
Published:
Fine: n/a
Parties: Oy BMW Suomi Ab
National Case Number/Name: 8896/152/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Vadym Kublik

The Finnish DPA held that a BMW dealership did not have to disclose the service history of a used vehicle to a new buyer under Article 15 GDPR because it contained the personal data of the previous owner, not the new one.

English Summary

Facts

The data subject purchased a used BMW vehicle and discovered defects requiring repair. Assuming that the defects were known to the BMW dealership (controller), the data subject requested information about the maintenance and repair history for the vehicle's entire lifecycle. However, the controller declined to comply with the request.

When assessing the controller's response, the Finnish DPA checked whether the vehicle's service history was personal data within the meaning of Article 4(1) GDPR. It also analysed whether it would be the personal data of the new owner, giving them the right to access this information under Article 15 GDPR.

Holding

The DPA held that the vehicle maintenance and repair history might directly or indirectly describe the activities of the vehicle's owner or holder. For example, it may tell how the owner used the vehicle, including its running distance and the owner's driving style. In addition, although the service history usually does not indicate the owner's name, the person can be identified when combining information from other sources, such as a public transportation registry. Hence, the DPA considered that the vehicle service history information relates to an identifiable natural person and thus is personal data under Article 4(1) GDPR. Nevertheless, this information may also include non-personal data to which the GDPR does not apply.

Finally, the vehicle service history information cannot be considered the new owner's personal data due to the minimal effect this information has on them. Consequently, the DPA held that the new vehicle owner does not have the right to access this information under Article 15 GDPR when the information relates to another person. However, under other grounds, such as legitimate interest, the controller could still disclose this information to new buyers if it wished to.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Use of a registered inspection right for vehicle maintenance history information

Keywords: Right of inspection
Conveyance
Service information

Legal basis: Decision in accordance with the EU General Data Protection Regulation

Diary number: 8896/152/2019

Decision of the EDPS

Thing

The concept of personal data and the data subject's right of access

Registrar

Oy BMW Suomi Ab

Applicant 's claims and reasons

On 18 November 2019, the applicant has initiated a case with the Office of the Data Protection Officer concerning the data subject's right of access to the data. This is a matter of so-called vehicle service history data. The applicant has stated that he purchased a 2010 model year, a used BMW brand vehicle, from X Oy on 11 January 2019. The vehicle had traveled a total of 151,000 kilometers at that time. Defects had immediately occurred in the vehicle which, in the applicant's view, had been known to the dealer. The applicant has stated that certain signs would indicate that the fault had already been detected by the previous owner and that the vehicle had also been serviced by an authorized BMW dealer during the previous owner. The applicant has stated that the most significant of these defects is related to the transmission of the vehicle, which should be completely replaced. The applicant stated that he had been in contact with the dealership, which, however, had not taken the necessary corrective action. The applicant has stated that he has requested the maintenance history information of the vehicle in question from Oy BMW Suomi Ab for the entire life cycle of the vehicle. However, Oy BMW Suomi Ab has not agreed to the applicant's request. The applicant has referred the dispute to the Consumer Disputes Board. The applicant has also filed an editorial lawsuit in the District Court of Eastern Uusimaa.

Statement received from the controller

A preliminary investigation and clarification has been requested from the registrar. The registrar submitted his report on 15.9.2020.

Background: vehicle maintenance history and data protection regulations

The report initially states that the concept of “maintenance history” of a vehicle is not defined in the legislation. In any case, the concept is not very well-established or well-defined in content.

Vehicle service books: periodic maintenance accounts

The report states that the “service book” of a vehicle traditionally spoken in Finland has been used. This is a physical record or booklet in which entries are made to indicate that the scheduled maintenance of the vehicle has been performed in accordance with the maintenance plan specified by the manufacturer. In practice, the vehicle manufacturer prints a ready-made blank service book with pre-labeled boxes and / or sections for certain scheduled maintenance. Blank service books are also sold in stores. When the vehicle has been serviced periodically, the service center will make a note of this in the service book.

In principle, no entries are made in the service book for periodic maintenance other than in accordance with the maintenance plan. Thus, the service manual does not normally contain any information on all maintenance performed on the vehicle.

The concept of a service manual is not defined by law either, but rather is a well-established practice in the field. A carefully completed service record can show that the vehicle has been properly serviced. Maintaining a service book is not a statutory obligation. The possible obligation to hand over the service book to the purchaser of the vehicle is resolved mainly in the light of the general principles of contract law.

Electronic vehicle maintenance information

More and more vehicle manufacturers are also offering their customers electronic service manuals. In the electronic service manuals, the entries are stored in the manufacturer's information systems (and usually also in the vehicle's own trip computer). Nor is the maintenance of an electronic service record a statutory obligation.

Electronic service records may also contain vehicle maintenance information other than that related to periodic maintenance. In some situations, the systems may also store information or fault codes about, for example, the technical operation of the vehicle or automatic diagnostics. Statistical services related to the fuel consumption or emissions of the vehicle or other similar value-added services may also be available. In this context, the study also states that these developments make it more difficult to draw precise boundaries with regard to the concepts of the vehicle service manual and, in particular, the wider service history. Oy BMW Suomi Ab has stated that it is unclear what the applicant has meant by the term “service history” in general.

The nature of the data as personal data

Notwithstanding the above, the controller has stated that in principle it considers maintenance history data to be personal data. Such information describes, for example, how the owner (or holder) of the vehicle has used his vehicle, how much he has driven on it, whether he has carried out periodic maintenance on time, the service shops used, how much maintenance the vehicle has required for his driving style, and so on. Consequently, the controller has stated that most of this information directly or indirectly describes the owner of the vehicle and his activities and that the information can be legally linked to him, at least by means of vehicle registration data (see for example the judgment of the European Court of Justice in Case C-582/14 Breyer). ).

Notwithstanding the above, the controller has stated that it is entirely possible that a certain part of the maintenance history would not be personal data. However, according to the controller 's interpretation, the matter does not fall within the competence of the EDPS. In the view of the controller, the Data Protection Officer does not seem to have the power to order the controller to disclose information other than personal data.

As the maintenance history data basically and mainly describe the activities of the current owner (or holder) of the vehicle, the data is, in the controller's view, the personal data of the current owner (or holder) of the vehicle. The maintenance history of a vehicle thus consists of a chain of personal data of different owners (or holders).

In the controller's view, the applicant has requested the disclosure of such maintenance history data generated during the previous owner. In the controller's view, the disclosure of such information is not required by the general data protection regulation or any other regulation under the supervision of the EDPS.

Article 15 of the General Data Protection Regulation and the data subject's right of access

On the one hand, it has been suggested that Article 15 of the General Data Protection Regulation does not apply at all to such a situation with regard to another person's personal data. Under this article, the data subject may request a copy of the information about himself. However, in the controller's view, the information in question does not concern the applicant himself, but the previous owners of the vehicles, that is to say, third parties in relation to the claims in question.

Notwithstanding the above, it has also been found possible to argue that the information in question also (very) indirectly reflects the current value of the applicant's vehicle and thus his financial situation. However, in the view of the controller, such an interpretation would go a long way and could lead to difficult problems of principle. If it were considered that a mere indirect effect on the valuation of a person's assets would always make him or her personal data falling within the scope of Article 15 of the General Data Protection Regulation, this would mean a very wide right of access to other people's affairs. The registrar has cited as an example the disruptive behavior of a certain resident of a housing association, the problem of dependency and the difficulties in fulfilling his share of the corporate loan. The registrar has argued that these factors would also affect the value of the dwellings of such a person’s neighbors. The controller is struck by an interpretation in which Article 15 of the General Data Protection Regulation would even be considered to give other shareholders access to information from various registers on the life of such a troubled resident on the grounds that this information would also affect the valuation of their assets. The controller has stated that it is probably clear that this would in fact be contrary to the basic purpose of the General Data Protection Regulation.

On the other hand, the report states that consenting to the applicant's request would, within the meaning of Article 15 (4) of the General Data Protection Regulation, "adversely affect the rights and freedoms of others [ie the previous owners of the vehicle]". It has further been argued that the disclosure of information would constitute an interference with the rights and freedoms guaranteed by Article 10 of the Constitution of the previous owners and the General Data Protection Decree. In any case, the above exception has been suggested to be appropriate. In the controller's view, the applicant's interest cannot be considered more important than the protection of the privacy of previous owners.

The registrar has drawn attention to the fact that vehicles are often sold over several generations. It is possible that the service history includes information about persons who are not in any contractual or other relationship with the current owner of the vehicle. Attention has also been drawn to the fact that the obligation to hand over a vehicle's service manual is, in principle, a matter of contractual freedom. It is therefore explicitly possible to agree that the service book will not be handed over. In this context, it has also been argued that the data protection rules are not intended to restrict the freedom of contract between the parties in this respect.

The registrar has further submitted that the legislature would have created the wording of Chapter 17, Section 40 of the Code of Judicial Procedure precisely for the purposes of obtaining information related to disputes. If the court finds that the conditions for an edition are met, it may also order a party to the dispute to produce documents. However, it has been continued with regard to the legislature's edition requiring the main dispute to be pending before a court. The legislature may have intended to set a certain level of severity for the award of the edition - unless the case is pending before a court, it is not (at least not yet) so serious as to interfere with the rights of third parties. According to the controller, even when applying the general data protection regulation, the value choices made by the legislator in connection with the editorial regulation must be taken into account. In the view of the controller, the general data protection regulation should not be interpreted in such a way as to override these choices made by the legislator.

Legitimate interest and disclosure

The report states that the controller will not comment definitively on whether it would nevertheless be entitled to voluntarily disclose the information requested by the applicant, for example on the basis of an interest within the meaning of Article 6 (1) (f) of the General Data Protection Regulation. In any case, the controller has stated that such a right does not imply an obligation to disclose this information.

The applicant has relied on the guidance of the Data Protection Supervisor in case 870/452/17 (issued on 21 March 2017). The solution predates the application of the General Data Protection Regulation. In any case, according to the controller, the outcome of the solution corresponds to the above:

See See, for example, the judgment of the European Court of Justice in Case C-13/16, Rīgas satiksme, paragraph 34: ”.

“If you have purchased a car elsewhere, the car dealer can provide information on car maintenance and mileage to the extent that this information is normally provided to prospective buyers with a service book. However, the release of the information in these respects is at the discretion of the service provider. "

As such, the study has shown that it is possible to discuss the extent to which the recommendations behind the solution are otherwise otherwise in line with the current legal situation. However, in the quoted part, the general data protection regulation has hardly changed the interpretation in the controller's view. The controller therefore considered that it had a discretion as to whether or not to disclose the data.

The controller has stated that it has considered it appropriate to disclose the information now required if the previous owners have given their consent or if there is a legal obligation to do so. The data controller has stated that he will disclose the data if the court so orders in the light of the editorial regulations. By judgment 20/25156 of 4 April 2020, the District Court of Eastern Uusimaa dismissed the applicant's action to that effect on the ground that the applicant had not brought an action in the main proceedings.

Finally, in his preliminary study, the controller referred to the findings of the German Federal Data Protection Act (bundesdatenschutzgesetz, “BDSG”) and its interpretation of § 34 [explained below under “Cross-border assessment”].

On the nature of maintenance history information

The controller has stated that he considers personal data to be any data which, in accordance with the definition in Article 4 of the General Data Protection Regulation, can be directly or indirectly linked to a natural person, interpreted in the light of the European Court of Justice's Breyer and Nowak and other decisions. In principle, this has been shown to mean that most of the information related to the maintenance of a given vehicle (“vehicle unit”) is personal data, as this information can be relatively easily combined with information about who has owned the vehicle at any given time. In this context, the controller has emphasized that it does not even in itself necessarily aim for the data to be widely identifiable within the meaning of the General Data Protection Regulation, but given the vehicle-specific nature of the data, it may be very difficult for the controller to prevent this. It is further emphasized that the controller does not in itself rule out the possibility that the “historical data” also includes non-identifiable data (especially when removed from its vehicle-specific context). In the controller's view, this must be resolved on a case-by-case or case-by-case basis. However, according to the controller, the matter does not fall within the competence of the EDPS, as a result of which the report provided has focused on data considered to be personal data.

Retaining service history information

The controller has stated that he will keep the data only for as long as is necessary for the purpose. In the case of service book data, this often means that the data will be kept for the life of the vehicle (and possibly some time after that), as would be the case for paper service books. This information may be required for vehicle maintenance and related liability issues throughout the life of the vehicle.

Applicant 's reply

The applicant is given the opportunity to respond. The applicant submitted his defense on 22.10.2020.

The defense states that the place of purchase of the vehicle does not affect the obligation of the controller to provide the applicant with the complete maintenance history of the vehicle. The applicant has emphasized from the outset that he has requested that the controller delete personal data from the data requested.

The applicant has stated that the maintenance history data means the maintenance and repair history data of the vehicle for the entire life cycle of the vehicle. The applicant has specified that he means the following information: date, mileage, reason for repair and description of work performed.

The defense stated that the applicant's request related to a gearbox and air spring defect found in the vehicle. The Applicant suspects the Car Dealer was aware of the repairs to the vehicle prior to the transaction. The defense states that the car dealer had free access to the vehicle's service history information.

In the applicant's view, the maintenance history of the vehicle does not contain personal data, but only the maintenance, repairs and other operations performed on the vehicle at the date level. According to the applicant, the controller 's claim about the nature of the data as personal data is in no way valid. The applicant has explicitly requested the controller to delete personal data from the data. The applicant has submitted that the district court stated in its judgment that the maintenance history is not personal information. [For the sake of clarity, the District Court has not so stated.] Attached to the defense is the District Court Judgment cited by the applicant.

The defense also states that the General Data Protection Regulation obliges the owner to provide all information about the vehicle. In the applicant's view, this cannot be limited to the most recent owner, and in the applicant's view it does not matter in which shop the transaction took place. According to the applicant, it would be unreasonable for the dealership notified by the importer of the vehicle to be the only party obliged to provide the vehicle's service history as a seller. Vehicle sales have often been found in various stores. If only the buyer had access to service history information when buying a vehicle from a dealership, it would put dealers and buyers in an unequal position. The applicant further submitted that the EDPS stated that "there is an obligation to provide information to the authority on the basis of the obligation imposed on it (police, taxpayer, etc.)". The applicant has stated that he requested information precisely because of a case pending before the Consumer Disputes Board. In the applicant's view, the controller must be required to comply with the applicant's request.

On cross - border assessment

The General Data Protection Regulation specifically provides for the treatment of matters which are cross-border as defined in Article 4 (23) of the General Data Protection Regulation. Such cases shall be dealt with by the competent supervisory authority in accordance with Article 56 and Chapter VII of the General Data Protection Regulation.

In its preliminary investigation issued on 25 August 2020, Oy BMW Suomi Ab has announced that it will act as data controller with regard to the processing of personal data in question. Oy BMW Suomi Ab is one of the independent companies in the BMW Group and operates only in Finland. Notwithstanding the above, Oy BMW Suomi Ab complies with the BMW Group's internal guidelines.

Oy BMW Suomi Ab's head office is located in Finland. The location of this central government location has been reported to make decisions about the current processing of personal data. In addition, this location of the central administration has been reported as having the power to enforce decisions relating to the processing of personal data currently under way.

The preliminary investigation also states that Oy BMW Suomi Ab complies with Article 6 (1) (f) of the General Data Protection Regulation and the Bavarian supervisory authority's interpretation of § 34 of the German Federal Data Protection Act (bundesdatenschutzgesetz, “BDSG”). According to that interpretation, it is necessary first to determine which information describes the actions of the current owner and which information the actions of the previous owners. According to the above interpretation, the data of previous drivers and / or owners may not be disclosed without the express consent of those former drivers and / or owners or without a legal obligation to disclose the data.

Since then, the Office of the Data Protection Supervisor has been in contact with the Bavarian Supervisory Authority (Bayerisches Landesamt für Datenschutzaufsicht) and asked for its views on the cross-border nature of the case. The Bavarian supervisory authority, on the other hand, has been in contact with BMW AG, which in its reply to the Bavarian supervisory authority has, among other things, confirmed the information provided to the office by the Data Protection Officer of Oy BMW Suomi Ab. In addition, this reply states that the BMW Group companies have agreed to comply with certain minimum data protection standards, which are, however, adaptable to local requirements. According to the reply, compliance with these minimum standards does not affect the independent status of the BMW Group companies as controllers.

It has also been stated that BMW AG in Munich maintains a database in which, inter alia, service history data is stored. Oy BMW Suomi Ab has access to the said database. According to the reply given to the Bavarian supervisory authority, this also does not affect Oy BMW Suomi Ab's independent position as a registrar in the exercise of its registered rights, such as when processing registrants' requests for access to vehicle repair and maintenance history information. As regards the exercise of the registered rights, BMW AG cannot, in its view, be considered to be the principal place of business within the meaning of Article 4 (16) of the General Data Protection Regulation.

Finally, in its reply to the Bavarian supervisory authority, BMW AG has stated that, for reasons of data protection, information on the vehicle's repair history is in principle limited to the maintenance period of the holder. Therefore, the data on the corresponding holder will be provided to the data subjects. In addition, the service history (but not the repair history) can be stored electronically in the BMW vehicle itself. This can be shown to the data subject.

In its reply to the Office of the Data Protection Supervisor, the Bavarian supervisory authority has stated that it considers that Oy BMW Suomi Ab could be considered as the controller. Therefore, the matter does not appear to be cross-border.

Since then, Oy BMW Suomi ab has taken a position on cross-border issues. In this statement dated 13 May 2022, it has been stated that Oy BMW Suomi Ab and BMW AG are legally independent legal entities. It has been further stated that the principle of company law separation applies in principle to these companies, even though they are part of the same BMW group.

Under data protection law, companies have been shown to be independent data controllers, or processors where applicable. As such, the companies in the BMW Group have been found to have agreed on certain minimum data protection requirements and guidelines, which are generally followed throughout the Group. However, the implementation of these requirements and the guidelines related to the requirements in a given country is decided by the national company, not BMW AG. The country company independently assesses the extent to which it is necessary to deviate from the guidelines due to, for example, local regulations or local market conditions or practices.

According to the statement, the above also applies to issues related to the maintenance history of vehicles. Technically, the data is stored on servers operated by BMW AG, but personal data and related decision-making are the responsibility of the national company. The country company is also responsible for customer service and the exercise of registered rights, as well as related decision-making. Correspondingly, the country company itself outlines what information may be disclosed as part of the information requests and under what conditions the information may be disclosed.

Finally, it has been argued that BMW AG should not be considered as the principal place of business within the meaning of Article 4 (16) of the General Data Protection Regulation in this case. It is further stated that the competence lies with the Office of the Data Protection Supervisor.

Applicable law

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The provision is a directly applicable law in the Member States. The General Data Protection Regulation contains national leeway, which allows national law to supplement and clarify matters specifically defined in the Regulation.

Legal question

The EDPS will assess and decide on the applicant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679. The following legal issues are involved:

1) whether the vehicle's maintenance history and repair data are personal data within the meaning of Article 4 (1) of the General Data Protection Regulation;

2) whether the maintenance history and repair data used are personal data referred to in Article 4 (1) of the General Data Protection Regulation of the new owner (or holder) of the purchased vehicle; and

3) if the maintenance history and repair information used is the personal data of the new owner (or holder) of the purchased vehicle referred to in Article 4 (1) of the General Data Protection Regulation, whether the new owner of the vehicle has the right of access provided for in Article 15 of the General Data Protection Regulation.

Decision of the EDPS

Decision

Vehicle maintenance history and repair data are personal data within the meaning of Article 4 (1) of the General Data Protection Regulation.

When used, the maintenance history and repair data are not personal data within the meaning of Article 4 (1) of the General Data Protection Regulation of the new owner (or holder) of the purchased vehicle.

As the maintenance history and repair data, when used, are not the personal data of the new owner (or holder) of the purchased vehicle within the meaning of Article 4 (1) of the General Data Protection Regulation, the applicant is not entitled to access this data under Article 15 of the General Data Protection Regulation.

Reasoning

The concept of personal data

According to Article 4 (1) of the General Data Protection Regulation, personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to identification information such as name, identity number, location, online identification or one or more specific physical, physiological, genetic, mental, economic, cultural or social factors.

The definition of personal data thus consists of four main components. These elements are (i) all information, (ii) related, (iii) identified or identifiable, and (iv) a natural person. The fact that personal data is by definition “all” data “related” to an identified or identifiable natural person indicates that the legislator intended the concept of personal data to be broad. Thus, personal data is also information that describes a person's activities and behavior.

Thus, personal data are data relating to either 1) an identified or 2) an identifiable natural person. According to recital 26 of the General Data Protection Regulation, in determining the identity of a natural person, account should be taken of all the means which either the controller or another person is reasonably likely to use to identify that natural person directly or indirectly. That reasonableness should, in turn, take into account all objective factors, such as the costs and time required for identification and the technology and technical developments available at the time of processing.

Therefore, in assessing whether or not a natural person is identifiable, it should be 1) first to identify the means that either the controller or another person could use directly or indirectly to identify the data subject and 2) second to assess whether the above means are reasonably likely to be available to the controller or other person. taking into account all objective factors such as the cost and time required for identification and the technology and technical developments available at the time of processing.

It should be noted that the Article 29 Working Party, which preceded the European Data Protection Board (EDPS), has provided practical guidance on the concept of personal data [Article 29 Working Party, Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007 (01248/07 / EN WP 136), also published in English: Opinion 4/2007 of 20 June 2007 on the concept of personal data (01248/07 / EN WP 136)].

According to these guidelines, a natural person can be considered identifiable when the person has not yet been identified, but the person can still be identified. It has further been established that indirect identification refers to situations in which a natural person can be identified by combining different data. The guidelines emphasize the case-by-case nature of the assessment.

The above guidelines also state that in some cases the information relates primarily to the object and not to the person. However, the items basically belong to someone. It is also common for a person to be able to affect an object or object in one way or another. Further, the above-mentioned instructions provide an example of vehicle maintenance information. The vehicle maintenance information maintained by the car mechanic or repair shop contains information about the vehicle (odometer reading, dates of maintenance inspections, technical problems and condition). The information is linked to a specific registration number, which in turn can be linked to the owner of the vehicle. When a workshop combines vehicle and owner information for billing, it “applies” to the owner or driver.

It should also be noted that maintenance history and repair information may describe, for example, how the vehicle owner or occupant has used his vehicle, how much he has driven, performed scheduled maintenance on time, how much maintenance the vehicle has required for his driving style, and so on. Thus, the information to be considered as maintenance history data may directly or indirectly describe the owner or holder of the vehicle or the activities of the owner or keeper of the vehicle. In addition, service history information may be reasonably combined with a person who has owned or controlled the vehicle at a particular time.

It should also be noted that the European Commission, in its explanatory memorandum to the Personal Data Directive (COM (92) 422 final - STN 287 (15.10.1992), p. 9), considered the vehicle registration number to be an indirect identifier and thus therefore be personal data within the meaning of the Personal Data Directive. Reference should also be made in this connection to Decision 1/2010 of the Data Protection Board (adopted on 1 February 2010). The case before the Data Protection Board concerned maintenance history data entered in the vehicle register. In this case, the information collected in the register was never intended to be linked to the owner of the car or to any other person. The vehicle's service history data was to be stored and retained in the register regardless of who owned the car at any given time. In its ruling, the Data Protection Board has stated that, although certain identifiers would not, in principle, enable a person to be identified, the person could be identifiable because the information, when combined with other information, makes it possible to distinguish the person from others. Such "other information" would not necessarily be in the possession of the controller. It is further stated in the judgment that the fact that the controller does not have information about the owner of the vehicle, nor the purpose of obtaining such information, would not be decisive in assessing the nature of the vehicle registration number as personal data. On the other hand, it would be important for that information to distinguish a person from other persons

In order to determine whether a person is identifiable, all reasonably practicable means shall be considered. Based on the vehicle registration number, the information of the current owner of the vehicle can be obtained via SMS, for example through the services of Fonecta and Elisa. In these services, the cost of a single registration number search is between 2.90 and 6.50 euros. Vehicle owner and occupier data as well as Historical data are also available from the Finnish Transport and Communications Agency's Traficom Traffic Register. Information about the owner of a vehicle based on the registration number of the vehicle is thus easily and at a fairly reasonable cost available to anyone.

For the reasons set out above, the EDPS considers that the vehicle maintenance history and repair data are in principle personal data within the meaning of Article 4 (1) of the General Data Protection Regulation.

Notwithstanding the foregoing, some of the vehicle's maintenance history and repair information may be personal information other than that described above. Article 58 (2) (c) of the General Data Protection Regulation does not apply to situations involving requests for such information.

Vehicle maintenance history and repair information and the new owner of the used vehicle purchased

It should be noted at the outset that the same information may relate to several different persons. It is therefore possible that the same information relates to several different natural persons at the same time.

According to the above-mentioned guidance of the European Data Protection Board, the so-called content or purpose or outcome factor mapping can be used to assess whether the information “concerns” a particular person. A content factor is at hand when the information tells about a particular person. An example is patient data. Patient data applies to a specific patient. The purpose factor, on the other hand, is at hand when the information is used or is likely to be used to assess or treat a particular person in a particular way. The outcome factor is again at hand when the use of the data is likely to affect the rights and interests of a particular person. (Opinion 4/2007 of 20 June 2007 on the concept of personal data (01248/07 / EN WP 136), pp. 10-11.)

It is clear that when evaluating the maintenance history and / or repair data of the previous owners or holders of the vehicle, it is not a question of information about the new owner or holder of the vehicle. The data tells the time before the owner or occupier of the new owner or occupier of the vehicle. It is further noted that maintenance history and / or repair information from previous owners or holders of the vehicle is not used or is likely to be used to evaluate or treat the new owner or holder of the vehicle in any particular way. Nor is it intended to affect his position or behavior. Even if there is no content or purpose, the information may be considered to “concern” a particular person on the grounds that, taking into account all the circumstances of the case, the use of the information is likely to affect that person's rights and interests. According to this guideline, the potential impact does not have to be large. It is sufficient that the person concerned may be treated differently from others because this information has been processed. An example is the monitoring of the location of taxis to improve the service and its impact on drivers. Although the location information in the example applies to vehicles and not to their drivers, the system makes it possible to monitor the work of taxi drivers. Such information could therefore have a significant impact on taxi drivers, which is why the information can be considered to apply to these taxi drivers as well.

In the present case, the question remains whether the maintenance history and repair information can be regarded as having been used as personal data of the new owner of the vehicle purchased. This can still be assessed in the light of the outcome factor described above. This assessment must take into account whether this information is likely to affect the rights and interests of the new owner of the second-hand vehicle as described above. The effect of previous vehicle maintenance history and repair information on the new owner of the vehicle is likely to be limited to the current valuation of the vehicle at each time.

It should be noted that the determination of the values of vehicles is not regulated by law. The tax administration has described on its website the typical valuation of a vehicle. According to this guidance, vehicle values are determined using a multi-explanatory regression model for each make and model series. The values determined using a statistical model are based on an assessment of the effects of different properties. The variable to be explained is the price of the car and is explained by the car model, age, driving performance (km), power (kw), transmission (manual / automatic), propulsion (petrol / diesel) and model generation, if model generation information is available. From the evaluated parameters, the values according to the different driving performance of the car models are calculated. The estimated impact factors for age, driving performance and car characteristics vary by car model. It should be noted that the maintenance of the vehicle is not taken into account as parameters in the valuation of the Tax Administration. The importance of maintenance and repairs to the valuation of the vehicle can be considered marginal. The service history information is likely to be more relevant to the value in use of the vehicle. Proper maintenance and repairs can be expected to extend the life of the vehicle. It should be noted that, due to its content, purpose and / or effects, vehicle maintenance history data do not relate to the new owner or holder of the purchased vehicle in a way that is in line with, for example, the judgment of the European Court of Justice in Case C-434/16 Peter Nowak v Commission , C-343/16).

For the reasons set out above, the EDPS considers that the vehicle maintenance history and repair data, when used, do not constitute personal data within the meaning of Article 4 (1) of the General Data Protection Regulation of the new owner of the purchased vehicle.

As the maintenance history and repair data, when used, are not the personal data of the new owner (or holder) of the purchased vehicle within the meaning of Article 4 (1) of the General Data Protection Regulation, the applicant is not entitled to access this data under Article 15 of the General Data Protection Regulation.

Finally

The EDPS emphasizes that this Decision only addresses whether the vehicle maintenance history and repair data are personal data within the meaning of Article 4 (1) of the General Data Protection Regulation to which the new owner (or holder) of the purchased vehicle has an explicit right to access the data. under this Article.

The EDPS emphasizes that this decision does not separately assess whether Oy BMW Suomi Ab could disclose the information in question to the applicant. The EDPS notes that this could be possible, for example, under Article 6 (1) (f) of the General Data Protection Regulation.

Applicable law

Mentioned in the explanatory memorandum.

Appeal

According to section 25 of the Data Protection Act (1050/2018), an appeal against this decision may be lodged with an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The appeal is made to the administrative court.

Service

The decision will be served by post in accordance with section 60 of the Administrative Procedure Act (434/2003) against an acknowledgment of receipt.

Further information on this decision will be provided by the rapporteur

Laura Varjokari, tel. 029 566 6771.

The decision is not final.