GDPR/Data Protection and Car Number Plates

Yes, car registration plates, also known as vehicle registration marks (VRMs), are considered personal data under the GDPR if they can be used to identify an individual. The GDPR defines personal data as any information that can be used to identify a living person, either directly or indirectly. 

Here are some examples of when a car registration plate can be considered personal data:

• Combined with other information

If a VRM is combined with other information, such as the model, colour, manufacturer, or geographical location, it can be used to identify an individual. 

• Used to monitor a car park

If a business uses VRMs to monitor a car park, such as to enforce parking restrictions or ensure only staff use the space, the VRMs are considered personal data. 

However, commercial vehicle registration plates are not considered personal data because the vehicle is owned by an organisation. 

Does GDPR apply to vehicles?

Looking at the question of whether data about a vehicle could be used to identify an individual, the relevant test can be found in Recital 26 of GDPR. This says that identifiability depends on “all the means reasonably likely to be used, either by the controller or by another person to identify [a] natural person”.

Is a number plate personal data?

For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data. Since the definition includes “any information,” one must assume that the term “personal data” should be as broadly interpreted as possible.

According to ICO in the UK:

How do we identify someone indirectly?

It’s important to be aware that information you hold may indirectly identify an individual and therefore can still be personal data. If so, this means that the information is subject to the UK GDPR.

If you cannot identify an individual directly from the information that you are processing (for example where all identifiers have been removed) an individual may still be identifiable by other means. This may be from information you already hold, or information that you need to obtain from another source. Similarly, a third party could use information you process and combine it with other information available to them.

You must carefully consider all of the means that any party is reasonably likely to use to identify that individual. This is important because you could inadvertently release or disclose information that could be linked with other information and (inappropriately) identify an individual.

What kind of information could allow an individual to be indirectly identified?

The following is a non-exhaustive list of information that could constitute personal data on the basis that it allows for an individual to be singled out from others:

• car registration number and/or VIN;

• national insurance number;

• passport number; or

• a combination of significant criteria (e.g. age, occupation, place of residence).

The key point of indirect identifiability is when information is combined with other information that then distinguishes and allows for the identification of an individual.

Example

A vehicle’s registration number can be linked to other information held about the registration (e.g., by the DVLA) to indirectly identify the owner of that vehicle.

Example

If an individual is not known to the operators of an out-of-town shopping centre CCTV system, but they are able to distinguish that individual on the basis of physical characteristics, that individual is identified. Therefore, if the operators are tracking a particular individual that they have singled out in some way (perhaps using such physical characteristics) they will be processing ‘personal data’.

DATA PROTECTION OFFICE (IRELAND)

Kerry County Council Case (March 2020)

Personal Data

Section 69 of the 2018 Act defines ‘personal data’ as: ‘“personal data” means information relating to -

(a) an identified living individual, or 

(b) a living individual who can be identified from the data, directly or indirectly, in particular by reference to -

(i) an identifier such as a name, an identification number, location data or an online identifier, or

(ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual;

This Decision concerns CCTV systems located in public places. The CCTV systems routinely process images of members of the public. It is possible to identify individuals from such images, even where an individual’s face is not visible. Thus, the data processed by the CCTV systems constitutes ‘personal data’.

Take it as read that the DPO will categorically state that car number plates can/will constitute “personal data” and therefore be covered by GDPR/Data Protection legislation.

There are a few exclusions/exceptions etc., that could be claimed, but…

Therefore, it might be safer to redact all car registration plates in video surveillance.