Skip to content
LegalVision UK

Does GDPR Prevent My Business From Capturing Personal Data About Vehicles Visiting My Site?

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

Most business owners already know the need to carry out data processing in line with the General Data Protection Regulation (GDPR). The Information Commissioner’s Office (ICO) draws significant headlines for fining UK organisations up to £17.5m for GDPR violations. However, some companies have not realised the breadth of the information affected by GDPR rules. This article will help you understand what personal data your business can and cannot process concerning vehicles and car parks.

What is the General Data Protection Regulation?

The GDPR contains the primary data protection rules for UK organisations. Whilst the GDPR is a complex piece of legislation, it primarily seeks to encourage UK businesses to:

  • only collect information when truly necessary and for a legitimate purpose;
  • store personal data safely and securely;
  • protect personal information from unauthorised access and cyber-attacks; 
  • avoid exposing individuals to unreasonable monitoring methods; 
  • only use personal data in line with the purpose or content upon its collection; and
  • safely delete personal information when of no further use or purpose.

Naturally, most business owners are wary of the ICO’s ability to fine them up to £17.5m for GDPR violations, so they do their utmost to ensure full GDPR compliance.

What is the Information Commissioner’s Office?

The UK Government launched the ICO for two primary purposes. The first was to assist UK organisations with data protection compliance (mainly through the helpful online guides on their website). The second reason was for the ICO to act as a referee and hand out financial penalties to UK businesses that ignored or committed significant breaches of the GDPR. 

Notably, the ICO’s remit includes personal information relating to vehicles because you can use this information to identify an individual. After all, the identification of potential drivers is one of the reasons behind vehicle registration numbers.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Information You Can Collect Regarding Vehicles

The two most common legal purposes for collecting vehicle information are to enforce parking restrictions and assist with site security.

Some companies operate car parks with parking restrictions. Sometimes the restrictions are simply that all vehicles should have a parking or staff permit, whilst businesses with vast car parks may permit public parking upon purchasing a ticket.

Most supermarkets will offer free public parking if the vehicle owners are supermarket customers and leave within a certain period. Naturally, all companies wish to avoid suspicious vehicles staying on-site without apparent purpose.

The GDPR and ICO accept that these goals and objectives are reasonable, so they allow the appropriate collection of the following forms of personal data:

  • vehicle registration numbers;
  • details of vehicle manufacturers and model names;
  • arrival time; and
  • exit time.

Your business may collect this data manually (through a parking warden) or electronically (through an automatic number plate recognition system (ANPR). However, to do so, your company should place large warning signs around the car park warning of your data collection methods and parking rules.

Vehicle Information You Should Not Collect

Whilst your company has a degree of flexibility regarding the information it can collect, you must ensure your monitoring system is not overly intrusive.

So, for example, unless there is a high degree of security risk at your premises, a facial recognition system identifying the drivers of each vehicle is unlikely to comply with GDPR rules. This is because collecting sensitive data, such as biometric data or facial identification, is disproportionate to enforcing car park rules.

Another example would be noting the number and ages of passengers per vehicle in a spreadsheet.  Again, there is no legal need for your business to record this information. If the car contains visitors, you can collect this information at the entrance of your premises instead.

Overall, our data protection laws allow you to collect relevant personal vehicle information and restrict you from collecting irrelevant data relating to passengers.

Key Takeaways

Overall, the GDPR does not prevent your business from capturing personal data about visiting vehicles but only permits you to collect relevant information. In this way, the ICO will not impose a hefty financial penalty for vehicle information that reasonably helps your company keep your premises secure and enforce car park rules. So naturally, many business owners obtain legal assistance with the wording of car parking signage and the safe collection of vehicle information.

If you need help with the safe collection of vehicle data, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Why is vehicle information protected in this way?

The ICO believes that information about vehicle movements, such as geolocation data and arrival and exit times, can constitute sensitive information. This is because you could use it to track individuals (data subjects) without their express consent.

Why does the ICO have the power to issue such hefty fines?

The UK Government recognised that the best way of ensuring UK business compliance with data protection rules was to impose sizeable financial penalties. To date, this approach has been quite successful.

Register for our free webinars

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

4 Common Challenges Your Company Will Face With the GDPR in the UK

Are CCTV Systems Safe for My UK Business to Use Under the GDPR?

Are Email Disclaimers Mandatory for UK Businesses Under the GDPR?

Could Brexit Lead to the Scrapping of the GDPR and it No Longer Applying to My UK Business?

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times