GDPR compliance for garages & MOT centres
If you run a garage, MOT centre, or bodyshop in the UK, your website needs to comply with at least six different regulations. Vehicle registration numbers are personal data. MOT test records are shared with DVSA. And a generic privacy policy template won’t cover any of it. Here’s what you actually need to know.
Why garages need to take GDPR seriously
Many garage owners assume GDPR is something that only applies to big tech companies or online retailers. In reality, if you store a single customer’s name, phone number, or vehicle registration in a computer system, a spreadsheet, or even a cloud-based garage management tool like Autowork or MAM, you are processing personal data and UK GDPR applies to you.
This isn’t theoretical. The ICO (Information Commissioner’s Office) has the power to investigate any business that handles personal data, and complaints from individual customers can trigger those investigations. A customer who feels their data has been mishandled — perhaps they’re receiving marketing emails they didn’t sign up for, or their details were shared with a third party without consent — can report your business to the ICO in minutes.
The penalties for non-compliance range from enforcement notices (requiring you to change your practices) up to fines of £17.5 million or 4% of annual turnover. For a small garage, the realistic risk is a smaller fine in the thousands, plus the reputational damage that comes with an ICO investigation.
What personal data does a garage handle?
Garages process more personal data than most owners realise. Here’s what a typical garage collects and stores:
| Data type | Example | Why it matters |
|---|---|---|
| Customer contact details | Name, address, phone, email | Basic personal data — requires lawful basis for processing |
| Vehicle registration numbers | AB12 CDE | Confirmed by ICO as personal data — links to an identifiable individual via DVLA |
| MOT test data | Test results, advisories, mileage | Shared with DVSA — you need to disclose this data sharing in your privacy policy |
| Vehicle service history | Work done, parts fitted, dates | Retained long-term — needs a stated retention period |
| Payment information | Card details processed via terminal | Usually handled by your payment provider, but you still need to mention it |
| CCTV footage | Workshop and forecourt cameras | Requires signage, stated purpose, and retention period (typically 30 days) |
| Employee records | Payroll, contracts, training certificates | Staff data has its own GDPR requirements |
| Insurance claim data | Claim numbers, assessor details | Shared with third-party insurers — needs disclosure |
Key point: Vehicle registration numbers are personal data. The ICO has confirmed this because a registration number can be linked to a named individual through DVLA records. This means every garage handling reg numbers must treat them with the same care as names and addresses.
What regulations apply to garage websites?
It’s not just GDPR. A UK garage website sits at the intersection of multiple regulations:
1. UK GDPR and Data Protection Act 2018
Requires you to tell customers what data you collect, why you collect it, who you share it with, how long you keep it, and what their rights are. This information must be in a privacy policy on your website. Under Articles 13 and 14, your privacy policy needs to cover 14 specific areas, including your identity as the data controller, the purposes of processing, the legal basis for each purpose, and the right to complain to the ICO.
2. PECR (Privacy and Electronic Communications Regulations)
Governs cookies on your website and electronic marketing. If your website uses Google Analytics, Facebook Pixel, or any other tracking tool, you need a cookie consent banner with an equally prominent reject button. If you send marketing emails or texts to customers, you need explicit consent (for individuals) or a soft opt-in (for existing customers about similar services).
3. Data Use and Access Act 2025
Received Royal Assent in June 2025 and updates how cookie consent works in the UK. If your cookie setup hasn’t been reviewed since then, it likely needs updating. The Act introduces changes to analytics cookie exemptions and consent mechanisms that affect every business website.
4. Companies Act 2006 (section 82)
If your garage is a limited company, you must display your company registration number, registered office address, and place of registration on your website. This applies to every page where your company name appears, not just the footer.
5. E-Commerce Regulations 2002
Requires your website to show your business name, geographic address, email address, and VAT number (if registered). This applies even if you don’t sell anything online — having a website that promotes your services is enough.
6. Consumer Rights Act 2015
If you provide services or sell goods (parts, accessories, MOTs), your terms and conditions need to comply with consumer rights legislation, including cancellation rights and a complaints procedure.
7. Equality Act 2010
Your website should have an accessibility statement confirming your commitment to making the site accessible to people with disabilities, in line with WCAG 2.1 Level AA standards.
What your garage privacy policy must include
A garage privacy policy is different from a generic one because of the specific data you handle and the organisations you share it with. Here are the sections that are specific to the automotive sector:
DVSA data sharing
If you’re an MOT testing station, you share test data with DVSA (Driver and Vehicle Standards Agency) through the MOT testing service. Your privacy policy must disclose this. Customers have a right to know that their vehicle’s test results, mileage readings, and advisories are transmitted to a government agency.
DVLA authorised access
If you access DVLA systems to check vehicle details (for example, to verify keeper information for warranty claims or insurance work), this needs to be mentioned. You’re accessing third-party personal data and must have a lawful basis for doing so.
Vehicle registration as personal data
Your policy should explicitly acknowledge that vehicle registration numbers are personal data and explain how you handle them, including how long you retain them and who has access.
Garage management software
If you use Autowork, MAM, TechMan, or any cloud-based garage management system, you are sharing customer data with a third-party processor. Your privacy policy needs to name the categories of processors you use (you don’t need to name the specific software, but you should describe what they do).
Retention periods
You need to state how long you keep different types of data. Typical retention periods for garages include:
- Customer contact details: duration of the customer relationship plus 6 years (for potential legal claims under the Limitation Act 1980)
- MOT records: retained by DVSA indefinitely, but your copies should be retained for 6 years
- Vehicle service history: 6 years from last service
- CCTV footage: 30 days unless required for an incident investigation
- Employee records: 6 years after employment ends
- Financial records: 6 years (HMRC requirement)
What your garage website needs beyond a privacy policy
Cookie consent
If your website uses any cookies beyond strictly necessary ones (and almost every website does — Google Analytics alone sets multiple cookies), you need a cookie consent banner. The banner must offer a genuine choice: an “Accept” button and an equally prominent “Reject” button. Burying the reject option in settings or making it a different colour violates PECR.
You also need a separate cookie policy explaining what each cookie does, who sets it, and how long it lasts.
Terms and conditions
Your T&Cs should be specific to the automotive sector. Generic T&Cs won’t cover things like MOT testing procedures, warranty terms for parts and labour, vehicle storage liability, or what happens if a customer doesn’t collect their vehicle. Garage-specific T&Cs should also reference the Motor Ombudsman as the relevant complaints escalation route.
Company information
If you’re a limited company, your website must display your company registration number, registered address, and place of registration (e.g. “Registered in England & Wales”). If you’re VAT registered, your VAT number must also be visible.
Accessibility statement
Under the Equality Act 2010, your website should be accessible to people with disabilities. An accessibility statement explains what standards you’re meeting (WCAG 2.1 Level AA is the benchmark), what limitations exist, and how to report accessibility issues.
Common compliance gaps we find on garage websites
Having scanned hundreds of garage websites, these are the issues we find most often:
- No privacy policy at all — surprisingly common, especially for smaller independent garages
- Generic privacy policy — copied from another website or downloaded from a free template site, with no mention of DVSA, vehicle data, or sector-specific processing
- No cookie consent banner — or a banner with no reject option
- Missing retention periods — the privacy policy says “we keep your data for as long as necessary” without specifying actual timeframes
- No right to complain to the ICO — required under UK GDPR Article 13(2)(d) but often missing
- Company number not displayed — a Companies Act 2006 requirement for limited companies
- A BookMyGarage or other platform privacy policy used in place of the garage’s own — if you list on BookMyGarage, their privacy policy covers their platform, not your business. You still need your own.
Find out what your garage website is missing
We’ll check your website against all the regulations that apply to garages and MOT centres, then deliver a tailored compliance pack built specifically for your business.
Get your compliance fix — £49
Do garages need to register with the ICO?
Almost certainly yes. Under the Data Protection Act 2018, any business that processes personal data must pay the ICO data protection fee unless an exemption applies. Since garages store customer records, MOT data, and payment information electronically, the exemptions almost never apply.
The fee is tiered by organisation size: £40 per year for micro-organisations (fewer than 10 staff, turnover under £632,000) and £60 per year for small and medium-sized businesses. It takes about 15 minutes to register at ico.org.uk.
Failure to register when required is a criminal offence and can result in a fine of up to £4,350.
Frequently asked questions
Do garages need a privacy policy?
Yes. If your garage collects any personal data — customer names, contact details, vehicle registration numbers, MOT records, or payment information — you are legally required to have a privacy policy under UK GDPR. This applies to sole traders, partnerships, and limited companies alike.
Is a vehicle registration number personal data?
Yes. The ICO has confirmed that vehicle registration numbers are personal data because they can be linked to an identifiable individual through DVLA records. This means garages must handle registration numbers with the same care as names and addresses.
What data does a garage typically process?
Customer names and contact details, vehicle registration numbers, MOT test data shared with DVSA, vehicle mileage and service history, payment card details, CCTV footage of premises, employee records, and sometimes insurance claim data.
Do garages need to register with the ICO?
Almost certainly yes. Any business that processes personal data electronically must pay the ICO data protection fee unless exempt. Since garages store customer records, MOT data, and payment information digitally, registration is required. The fee is £40–60 per year for most garages.
What happens if my garage website is not GDPR compliant?
Non-compliance can result in ICO enforcement action, fines of up to £17.5 million or 4% of annual turnover, and reputational damage. For small garages, the more immediate risk is an ICO complaint from a customer leading to an investigation and a smaller fine or enforcement notice.
Can I just use a free privacy policy template?
A generic template won’t include DVSA data sharing, vehicle registration handling, DVLA authorised access, or sector-specific retention periods. It also won’t reference the Motor Ombudsman or cover your specific third-party tools. For garages, a tailored policy is significantly more appropriate than a generic one.
Get compliant in 24 hours
We check your garage website against GDPR, PECR, Consumer Rights Act, Equality Act, Companies Act, and DVSA requirements — then deliver a complete compliance pack tailored to your business. Privacy policy, T&Cs, cookie policy, and accessibility statement. From £49.
Get started — £49
Last updated: 1 February 2026 · This article is for informational purposes and does not constitute legal advice. For complex situations, consult a solicitor.