Data protection in the car dealership is no longer a peripheral topic – it is at the center of every customer relationship. Car dealerships process a wide variety of sensitive data every day: from ID copies for test drives to financing documents to video recordings on the business premises. Since the General Data Protection Regulation (GDPR) came into force in May 2018, strict rules apply to the handling of personal data – and fines for violations can be existentially threatening.

In this comprehensive guide, you will learn how to implement data protection in the car dealership in a GDPR-compliant manner, what obligations you have as a car dealer, and how modern software solutions like AutoPult CRM help you remain compliant.

Why is the GDPR particularly relevant for car dealers?

Hardly any industry processes as many different categories of personal data as the automotive trade. This makes data protection in the car dealership a particularly demanding task.

What data does a car dealership process?

| Data category | Examples | Particular risk |
|---|---|---|
| Customer data | Name, address, phone, email, date of birth | Foundation of nearly all business processes |
| Vehicle data | VIN, license plate, mileage, previous owners | Can be traced back to the owner |
| Financial data | Bank details, credit reports, lease agreements | Particularly sensitive category |
| Test drive data | Driver’s license copy, ID card, drive log | Identity documents = high protection level |
| Video surveillance | Recordings of customers, employees, visitors | Continuous surveillance particularly critical |
| Communication data | Emails, WhatsApp messages, call logs | Messenger use often not GDPR-compliant |
| Employee data | Personnel files, employment contracts, sick notes | Special protection obligations under labor law |

Good to know: Even the Vehicle Identification Number (VIN) qualifies as personal data when it can be linked to a registered keeper. The European Court of Justice has confirmed this in several rulings.

Key GDPR principles for the car trade

The GDPR defines core principles for processing personal data in Article 5. Three principles are particularly relevant for data protection in the car dealership:

1. Purpose limitation

Personal data may only be collected for specified, explicit, and legitimate purposes. In practical terms, this means: the driver’s license copy you make for a test drive must not subsequently be used for marketing purposes. Every processing purpose must be defined and documented in advance.

2. Data minimization

Only data that is actually necessary for the respective purpose may be collected. Ask yourself with every form: do we really need the date of birth? Is the phone number strictly necessary? Less data means less risk – and less effort in management.

3. Storage limitation

Data must be deleted once the processing purpose no longer applies – unless statutory retention obligations prevent this. In the car dealership, GDPR and GoBD archiving obligations often collide here. A clear deletion strategy is therefore essential.

Caution: The principle of “We have always done it this way” does not protect against fines. Every data processing activity must be actively reviewed for GDPR compliance – including processes that have been running unchanged for years.

The record of processing activities (Article 30 GDPR)

Every car dealership is obligated to maintain a record of processing activities (ROPA). This document is the heart of your data protection management and must be available for presentation to the supervisory authority upon request.

What must the record of processing activities contain?

  • Name and contact details of the data controller (dealership, managing director)
  • Purposes of data processing (e.g., vehicle sales, test drive management, marketing)
  • Categories of data subjects (customers, prospects, employees)
  • Categories of personal data (contact data, financial data, identity documents)
  • Recipients of data (leasing companies, manufacturers, cloud providers)
  • Planned deletion periods for each data category
  • Technical and organizational measures (TOM) for data protection

Practical tip: Create a separate entry in the ROPA for each business process. A typical car dealership quickly reaches 15–25 different processing activities – from vehicle purchasing through workshop processing to newsletter distribution.

Data protection officer in the car dealership: when is one mandatory?

Many car dealers wonder whether they must appoint a data protection officer (DPO). The answer depends on the company size:

The 20-employee rule

Since the 2019 legislative amendment, the rule in Germany is: a data protection officer must be appointed if at least 20 persons are regularly involved in the automated processing of personal data. This includes:

  • Salespeople working with the CRM system
  • Accounting staff
  • Service reception personnel with access to customer data
  • Part-time employees and apprentices (they count too!)

Important: Even if you are below the 20-employee threshold, you may be required to appoint a DPO – specifically, if your core activity involves extensive processing of special categories of data or you systematically monitor individuals (e.g., through extensive video surveillance).

Internal or external data protection officer?

| Criterion | Internal DPO | External DPO |
|---|---|---|
| Costs | Salary + training costs | Monthly flat rate (from approx. 300 EUR/month) |
| Dismissal protection | Special protection against dismissal (1 year post-appointment) | Contract terminable under standard terms |
| Know-how | Knows internal processes | Brings cross-industry expertise |
| Recommendation | Makes sense from approx. 100 employees | The better choice for most car dealerships |

Marketing consent: email, SMS, and WhatsApp

Anyone who wants to contact customers by email, SMS, or WhatsApp needs legally compliant consent. The GDPR sets high standards here for data protection in the car dealership:

  • Voluntary: No coupling prohibition – consent must not be a precondition for the contract
  • Informed: The customer must know what they are consenting to (which channels, which content, which frequency)
  • Specific: Blanket consents (“for advertising purposes”) are invalid – the more specific, the better
  • Demonstrable: You must document the consent and be able to prove it at any time (double opt-in recommended)
  • Revocable: Withdrawal must be as easy as giving consent

Best practice: Use a CRM system like AutoPult that automatically documents consents, stores opt-in timestamps, and immediately implements revocations across all channels. This prevents errors from manual management.

Test drive data: what may be stored?

The test drive is a classic data protection hotspot in the car dealership. Particularly sensitive data is regularly collected here – often more than necessary.

Permissible data collection for test drives

Step 1: Identity verification

You may inspect the driver’s license and ID card and note the relevant data. A copy is only permissible if there is a legitimate interest – for example, for particularly high-value vehicles.

Step 2: Test drive agreement

Record only the actually necessary data: name, address, driver’s license number, license class, and validity date. Date and place of birth are generally not required.

Step 3: Drive documentation

Mileage at departure and return, test drive duration, and any damage. GPS tracking during the test drive is only permissible with explicit consent.

Step 4: Deletion after purpose ceases

After vehicle return without incident, test drive data must be deleted within a reasonable period. Recommendation: no later than 6 months, provided no purchase contract is concluded.

Common mistake: Many car dealerships retain driver’s license copies for years – without any legal basis. Review your files and destroy no-longer-needed ID copies promptly.

Video surveillance in the car dealership

Cameras on the business premises are widespread in the car trade – after all, valuable vehicles are parked on the lot. However, video surveillance is one of the most frequent reasons for GDPR complaints.

Prerequisites for lawful video surveillance

  • Legitimate interest: Protection against theft and vandalism is a recognized interest
  • Proportionality: Cameras only where truly necessary – not in break rooms or restrooms
  • Information signs: Clearly visible signs per Article 13 GDPR stating the data controller, purpose, and retention period
  • Retention period: Typically a maximum of 48–72 hours; longer retention only for specific cause
  • Entry in the record of processing activities: Video surveillance must be fully documented
  • Data protection impact assessment: Required for systematic surveillance of publicly accessible areas

Customer data in the CRM: implementing deletion periods correctly

A modern CRM system is the backbone of every car dealership. But this is precisely where the greatest data protection risks lurk, as customer data is often stored indefinitely.

| Data category | Retention period | Legal basis |
|---|---|---|
| Purchase contracts / invoices | 10 years (from end of calendar year) | Section 147 AO, Section 257 HGB |
| Workshop orders | 10 years (tax-relevant) / 3 years (warranty) | Section 147 AO / Section 195 BGB |
| Test drive data | 6 months after drive (without purchase contract) | Legitimate interest (Art. 6 (1) lit. f) |
| Prospects without purchase | 12–24 months after last contact | Legitimate interest |
| Marketing consents | Until revocation + 3 years proof obligation | Art. 7 (1) GDPR |
| Job applications | 6 months after conclusion of the process | Section 15 AGG |
| Video recordings | 48–72 hours (standard case) | Legitimate interest |

Tip: Set up automatic deletion routines in your CRM. AutoPult offers configurable retention periods that you can define per data category – so data is automatically flagged for deletion when the period expires.
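The deletion routine described in the tip above, written out as an added example (not AutoPult code): a small retention engine that derives each record's deletion date from the periods in the table, including the "10 years from the end of the calendar year" rule for tax-relevant documents and a legal hold that overrides the GDPR period when a retention obligation collides with it. The category codes, the `Record` fields, and the choice of 24 months for prospects (the upper bound of the 12–24 month range) are assumptions; the periods themselves are those listed above.

```python
"""Retention-period engine: flags CRM records whose statutory or
legitimate-interest retention period has expired (constructed example)."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

class Category(Enum):           # hypothetical category codes
    INVOICE = "purchase_contract_invoice"
    WORKSHOP = "workshop_order"
    TEST_DRIVE = "test_drive"
    PROSPECT = "prospect_no_purchase"
    CONSENT = "marketing_consent"
    APPLICATION = "job_application"
    VIDEO = "video_recording"

# Periods in months from the retention table; PROSPECT uses the upper
# bound (24) of the 12-24 month range as an assumption.
MONTHS = {Category.TEST_DRIVE: 6, Category.PROSPECT: 24,
          Category.CONSENT: 36, Category.APPLICATION: 6}

@dataclass
class Record:
    category: Category
    event_date: Optional[date]  # invoice date, last contact, revocation, drive date
    legal_hold: bool = False    # pending dispute or purchase contract: keep regardless

def add_months(d: date, months: int) -> date:
    # Calendar-safe month arithmetic (31 Jan + 1 month clamps to 28/29 Feb).
    y, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def retention_end(rec: Record) -> Optional[date]:
    """Last day the record must be kept; None = no deletion date yet."""
    if rec.event_date is None:          # e.g. consent not yet revoked
        return None
    if rec.category in (Category.INVOICE, Category.WORKSHOP):
        # Section 147 AO / 257 HGB: 10 years counted from the END of the
        # calendar year. For workshop orders the 10-year tax period outlasts
        # the 3-year warranty period, so the longer obligation governs.
        return date(rec.event_date.year + 10, 12, 31)
    if rec.category is Category.VIDEO:
        return rec.event_date + timedelta(hours=72)
    return add_months(rec.event_date, MONTHS[rec.category])

def is_due_for_deletion(rec: Record, today: date) -> bool:
    # A legal hold (retention obligation, open contract) always overrides
    # the GDPR deletion period: the GDPR/GoBD collision mentioned above.
    if rec.legal_hold:
        return False
    end = retention_end(rec)
    return end is not None and today > end

def deletion_report(records, today: date):
    """Return (category, event_date) for every record now flagged for deletion."""
    return [(r.category.value, r.event_date) for r in records
            if is_due_for_deletion(r, today)]
```

Records are only flagged, never deleted in place, so the routine can feed a review step before anything is destroyed.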

GDPR and WhatsApp/Messenger in the car dealership

Customer communication via WhatsApp and Messenger is extremely popular in the car trade – but a data protection minefield. Anyone using their private WhatsApp account for business communication is almost certainly violating the GDPR.

Why private WhatsApp is problematic

  • WhatsApp accesses the entire phone book – an unauthorized data transfer to Meta
  • No control over data processing by Meta (third-country transfer to the USA)
  • No ability to reliably implement deletion obligations
  • Lack of documentation and archiving of communication
  • No data processing agreement with Meta possible

The solution: WhatsApp Business API

The WhatsApp Business API – as integrated in AutoPult – solves most data protection problems: communication runs through a certified Business Solution Provider, there is no phone book access, all messages are archived in a GDPR-compliant manner, and deletion periods can be implemented automatically.

Strongly recommended: Prohibit your employees from using private messenger accounts for customer communication. Instead, provide a GDPR-compliant solution such as the AutoPult WhatsApp integration.

Data processing agreements: cloud software and GDPR

If you use cloud-based software in the car dealership – whether a CRM, a DMS solution, or accounting software – you generally need a data processing agreement (DPA) per Article 28 GDPR.

What must a DPA contain?

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the data controller
  • Technical and organizational measures of the data processor
  • Provisions on sub-processors
  • Support obligations for data subject requests
  • Deletion or return of data upon contract termination

Important: Check with every software provider whether a DPA is in place. Without a DPA, the use of cloud software for processing personal data constitutes a GDPR violation – regardless of how well the software itself is secured.

Privacy policy on the car dealership website

Your privacy policy is not only a legal obligation but also a trust signal to potential customers. For a car dealership website, it must be particularly comprehensive.

Points your privacy policy must cover

  • Contact details of the data controller and, where applicable, the data protection officer
  • Legal bases for data processing
  • Information on cookies and tracking (including cookie consent management)
  • Contact forms and callback requests
  • Online appointment booking (workshop, test drive)
  • Vehicle valuation tools and configurators
  • Embedded third-party services (Google Maps, YouTube, social media plugins)
  • Newsletter registration and marketing automation
  • Data subject rights (access, deletion, objection, data portability)
  • Note on the right to lodge a complaint with the supervisory authority

Fines for GDPR violations: the risk for car dealerships

The GDPR provides for fines that can be severe even for mid-sized car dealerships.

GDPR fine framework

| Violation category | Maximum fine | Example from the car trade |
|---|---|---|
| Formal violations (Art. 83 (4)) | Up to 10 million EUR or 2% of annual turnover | Missing record of processing activities, no DPO appointed |
| Material violations (Art. 83 (5)) | Up to 20 million EUR or 4% of annual turnover | Unauthorized data sharing, missing consents |

Real risk: German data protection authorities have imposed numerous fines on car dealerships and automotive businesses in recent years – often for unlawful video surveillance, missing deletion concepts, or unauthorized sharing of customer data with manufacturers. Fines have ranged from 5,000 EUR to several hundred thousand euros.

Practical GDPR checklist for your car dealership

Use this checklist to systematically review and improve data protection in your car dealership:

1. Establish foundations

  • Create and maintain the record of processing activities
  • Appoint a data protection officer (if required)
  • Update the privacy policy on your website
  • Implement a cookie consent banner

2. Review processes

  • Review all data collections for purpose limitation and data minimization
  • Revise test drive forms
  • Create marketing consent declarations
  • Document and signpost video surveillance

3. Secure technology

  • Review CRM and DMS for GDPR compliance
  • Conclude data processing agreements with all service providers
  • Ensure encryption for data transfers
  • Assign access rights on a need-to-know basis

4. Implement deletion concept

  • Define deletion periods per data category
  • Set up automatic deletion routines in the CRM
  • Regularly review and destroy paper files and ID copies
  • Identify and clean up legacy data in old systems

5. Train employees

  • Conduct regular data protection training sessions
  • Provide clear instructions for handling customer data
  • Establish a reporting process for data breaches
  • Prohibit private messenger use for customer contact

How AutoPult supports data protection in the car dealership

In developing AutoPult, data protection in the car dealership was a focus from the very beginning. As a complete digital solution for the car trade, AutoPult meets all GDPR requirements:

German servers and data centers

All data is stored exclusively on servers in German data centers. No data transfer to third countries takes place. The data centers are ISO 27001 certified and meet the highest security standards.

Data processing agreement (DPA)

Every AutoPult customer automatically receives a comprehensive DPA per Article 28 GDPR. The agreement is provided digitally at contract conclusion and covers all processing activities.

Encryption at all levels

  • Transport encryption: All data transfers use TLS 1.3
  • Storage encryption: Data at rest is encrypted with AES-256
  • End-to-end: Particularly sensitive data (financial data, ID copies) is additionally end-to-end encrypted

Integrated GDPR features

  • Automatic deletion routines with configurable periods
  • Consent management with opt-in documentation
  • Data subject rights module (access, deletion, export at the click of a button)
  • Role-based access control on a need-to-know basis
  • Complete audit log of all data processing operations
  • GDPR-compliant WhatsApp integration
  • GoBD-compliant archiving with automatic deadline management

Conclusion: With AutoPult, you do not merely implement data protection in the car dealership – you automate it. From consent management through deletion periods to audit-proof archiving: all GDPR-relevant processes are integrated in one platform.

Frequently Asked Questions about data protection in the car dealership

Does every car dealership need a data protection officer?

Not necessarily. In Germany, a data protection officer is mandatory only from 20 employees who regularly process personal data automatically. Smaller car dealerships should still consider an external DPO – if only because of the complexity of data processing in the car trade.

May I make driver’s license copies for test drives?

Inspecting the driver’s license is permissible; copying it only under certain conditions – for example, for particularly high-value vehicles. The copy must be promptly destroyed after the test drive if no purchase contract is concluded. Instead, note only the relevant data.

How long may I store customer data in the CRM?

This depends on the data category and legal basis. For tax-relevant documents, a 10-year retention obligation applies (AO/HGB). Pure marketing data from prospects without a business relationship should be deleted after 12–24 months of inactivity.

Can WhatsApp be used in a GDPR-compliant way in the car dealership?

The private WhatsApp app is not GDPR-compliant for business customer communication. The WhatsApp Business API – used through a certified provider like AutoPult – can, however, be used in a data protection-compliant manner, as no phone book access occurs and a DPA can be concluded.

What happens in the event of a GDPR data breach at the car dealership?

In the event of a personal data breach, you must notify the responsible supervisory authority within 72 hours (Article 33 GDPR). If there is a high risk to the affected individuals, they must also be notified directly. A documented emergency plan is therefore indispensable.

Do I need a data protection impact assessment for video surveillance?

Yes, if you systematically monitor publicly accessible areas. This typically covers the vehicle lot, showroom areas, and entrance areas. The DPIA must evaluate the necessity, proportionality, and risks of the surveillance.

Data protection in the car dealership is an ongoing task – not a one-time action. The GDPR requires you to continuously review and adapt your processes. With the right tools, clear processes, and trained employees, however, you can master this challenge with confidence. Discover how AutoPult can help you – with a solution that treats data protection not as an obstacle but as a hallmark of quality.