15-12-2023

On 9 November 2023, the European Court of Justice ruled in case no. C-319/22 on the interpretation of article 61 of Regulation 2018/858. This article imposes an obligation on vehicle manufacturers to provide information from the on-board diagnostic system as well as vehicle repair and maintenance information to independent operators.

One of the preliminary questions referred to the Court is whether article 61(1) of Regulation 2018/858 should be interpreted as imposing a “legal obligation” on vehicle manufacturers as “controllers” to make available to independent operators the VINs of the vehicles they manufacture.

The VIN is the alphanumeric code assigned to a vehicle by the manufacturer to enable the adequate identification of each vehicle.

To answer this question, the Court notes that it must first determine whether a VIN is personal data within the meaning of the GDPR. The GDPR defines personal data as any information relating to an identified or identifiable natural person.

In this regard, the Court refers to previous case-law and states that in order to determine whether a natural person is directly or indirectly identifiable, consideration must be given to all the means likely reasonably to be used either by the controller or by any other person, to identify that person, without, however, requiring that all the information enabling that person to be identified should be in the hands of a single entity.

In line with the foregoing and following the Advocate General, the Court holds that where independent operators may reasonably have at their disposal the means by which a VIN can be linked to an identified or identifiable natural person, the VIN constitutes, for those operators, personal data within the meaning of the GDPR. Consequently, the VIN cannot constitute personal data when there are no such means to link the VIN to a natural person or where the vehicle to which that VIN is assigned does not belong to a natural person. This is to be assessed case-by-case. The Court further states that the VIN is also indirectly personal data for vehicle manufacturers who make it available, even though the VIN is not in itself personal data for them. It is not entirely clear what the Court means by this statement which seems a bit contradictory, but we assume that the Court wishes to stress the relative nature of the notion “personal data”: whether something is personal data or not, depends on who you ask and whether or not that person can link a VIN to a natural person.

The Court ultimately answers the preliminary question in the affirmative way by stating that article 61(1) of Regulation 2018/858 effectively imposes a “legal obligation” on vehicle manufacturers as “controllers” to make the VINs of the vehicles they manufacture available to independent operators.

Based on this judgment, we can conclude that the VIN as such cannot be considered personal data. The VIN will only be considered as personal data to the extent that it can be linked to an identified or identifiable natural person, taking into account all means reasonably available to the controller/recipient to make this link.