CJEU - C‑319/22 - Gesamtverband Autoteile-Handel (Access to vehicle information)

From GDPRhub
Revision as of 10:17, 16 November 2023 by (talk)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C‑319/22 Gesamtverband Autoteile-Handel (Access to vehicle information)
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(1) GDPR
Article 6(1)(c) GDPR
Decided: 09.11.2023
Case Number/Name: C‑319/22 Gesamtverband Autoteile-Handel (Access to vehicle information)
European Case Law Identifier: ECLI:EU:C:2023:385
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: sh

The CJEU held that Vehicle Identification Numbers taken as such, are not personal in nature. However, they become personal data when someone (a natural person) who has access to it has the means to identify the owner of the vehicle.

English Summary


Scania, a manufacturers of heavy goods vehicles in Europe, grants car repairers access to repair and maintenance information via a website. That website enables searches to be carried out either on the basis of general vehicle information, such as the model, engine or the year of manufacture, or on a given vehicle, by entering the last seven figures of the Vehicle Identification Number (VIN) of that vehicle. VINs in this context are serial numbers and should not be confused for license plates.

Gesamtverband, a competitor of Scania, argued that the information granted by Scania to repairers is anti-competitive. It requested the court to order Scania to grant also independent operators (rather than just repairers) access to the above information. Allowing indepenant operators this information would ensure effective competition in the market for vehicle repair and maintenance information services, as it ensures that the independent vehicle repair and maintenance market as a whole can compete with authorised dealers.

Alongside other questions, the referring court (while taking the view that, as a general rule, the VIN does not constitute personal data) asked whether Article 61 of Regulation 2018/858 must be interpreted as imposing on vehicle manufacturers a legal obligation to process data, within the meaning of Article 6(1)(c) GDPR.


The CJEU informally split the question into two topics. Firstly, whether a VIN can be considered personal data. Secondly, if a VIN is personal data, is an obligation to provide a VIN compatible with the GDPR?

On the first point, the CJEU held that VINs constitute personal data within the meaning of Article 4(1) GDPR, in so far as the natural person who has access to a VIN may have means which reasonably allow them to use the VIN to identify the owner of the vehicle to which it relates. It is for the referring court to examine whether that occurs in each case. To come to this decision, the court referenced Article 4(1) GDPR which states that personal data is ‘any information relating to an identified or identifiable natural person’ and paragraphs 42 and 43 of Breyer (C 582/14, EU:C:2016:779). They also agreed with AG Bobek who stated in paragraphs 34 and 41 of his opinion that VINs are personal data to independant operators 'where [they] may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person.'

On the second point, the court decided that even when a VIN is classified as personal data, the GDPR does not preclude car manufacturers from being obliged to make them available to independent operators. Thus, Regulation 2018/858[1] does not exclude the application of the legislation on data protection. Article 61(1) of Regulation 2018/858,[2] must be interpreted as meaning that it establishes a ‘legal obligation’, within the meaning of Article 6(1)(c) GDPR, on car manufacturers, to make the VINs of the vehicles which they manufacture available to independent operators, as ‘controllers’, within the meaning of Article 4(7) GDPR.


Despite its phrasing, the court assumes in its judgement that VINs are personal data as it then goes onto determine that they impose processing obligations. This follows cases such as Valsts ieņēmumu dienests (Processing of personal data for tax purposes). In that judgment, access to certain VINs were classified as the disclosure of ‘personal data’.

Further Resources

Share blogs or news articles here!

  1. Regulation 2018/858 imposes an obligation on manufacturers to provide vehicle OBD information and vehicle repair and maintenance information.
  2. Article 61(1) of Regulation 2018/858 states: 'Manufacturers shall provide to independent operators unrestricted, standardised and non-discriminatory access to vehicle OBD information, diagnostic and other equipment, tools including the complete references, and available downloads, of the applicable software and vehicle repair and maintenance information. Information shall be presented in an easily accessible manner in the form of machine-readable and electronically processable datasets. …'