
A Practical GDPR Checklist for Independent Workshops

Independent automotive workshops process personal data every day. This checklist covers legal bases, subject access requests, and seven practical steps to get your data handling right.
Tjeerd Prenger | 6 min read

While researching functionality for Carsu, we sat down with a workshop owner in Germany who had years of customer data — names, service histories, contact details, vehicle records. Everything needed to send seasonal reminders, follow up after repairs, and keep customers coming back. But they never sent a single message. The reason? They were afraid of violating GDPR.

That conversation stuck with us, because it captures a problem we see across the industry. Workshop owners know GDPR exists. They know fines are real. But without clear guidance on what they’re actually allowed to do, the default response is to do nothing — and lose the customer relationship benefits that come with structured, well-managed data.

This guide is for every workshop in that position. If you’re in the EU or UK, you’re a data controller under the General Data Protection Regulation (GDPR). You process personal data whenever a customer books a service, drops off a vehicle, or pays an invoice. That comes with specific legal obligations — but meeting them is more straightforward than most workshop owners expect. And as you’ll see below, getting it right doesn’t just avoid fines — it unlocks the ability to communicate with your customers properly.

As of March 2026, European data protection authorities have issued over 2,700 fines totaling more than €6 billion. The most common violation? Insufficient legal basis for data processing — exactly the kind of gap this checklist helps you close.

For a broader look at why GDPR matters for the automotive aftermarket, read The GDPR Opportunity No One in the Automotive Aftermarket Is Talking About.

What legal basis should a workshop use for processing customer data?

Under Article 6 of the GDPR, you need a valid reason — a “legal basis” — to process someone’s personal data. For independent workshops, three of the six available bases cover almost everything:

Contract. When a customer brings their car in for service, you have a contract — even if it’s informal. You need their name, contact details, and vehicle information to perform the work. That’s your legal basis for core service data. No consent form needed.

Legitimate interest. Sending a reminder that winter tyres are due or that a service interval is approaching? That is arguably in both your interest and the customer's. Legitimate interest can cover this, provided the customer's interests and fundamental rights don't override yours (the balancing test), and you should write that assessment down, even if it is only a paragraph. A seasonal tyre reminder to an existing customer is a reasonable use. Sharing customer data with unrelated third parties is not; that fails on multiple GDPR grounds, not just the balancing test. One caveat: reminders sent by email or SMS also fall under national ePrivacy (electronic marketing) rules, which in several countries require consent, or an existing-customer opt-out, for anything promotional. Keep a reminder a reminder, not a sales pitch, and include an easy opt-out in every message.

Consent. Marketing emails, promotional messages, newsletters: anything beyond the direct service relationship typically needs explicit, freely given consent. A clear opt-in. Not a pre-ticked box. Not a clause buried in small print. For extra assurance, consider double opt-in: the customer confirms their subscription via a follow-up message before they receive any marketing. GDPR itself doesn't require it, but some national authorities (Germany's, for example) treat it as the standard way to prove consent was actually given, and it produces cleaner consent records and makes spam complaints far easier to rebut. Consent must also be as easy to withdraw as it was to give, so every marketing message needs a working unsubscribe, and a withdrawal has to stop the messages promptly.

The most common mistake: treating everything as consent-based, which creates unnecessary paperwork and risk. If you have a contractual basis, use it. Reserve consent for situations that genuinely require it.

What happens when a customer makes a subject access request?

A customer sends a message asking: “What data do you have on me?” Under GDPR, this is a Subject Access Request (SAR). You have one calendar month from receiving it to respond (extendable by up to two further months for complex or numerous requests, but only if you tell the customer within the first month why you need longer). The response must include:

  • What personal data you hold, and a copy of it
  • Why you're processing it (the purposes and the legal basis)
  • Who you've shared it with
  • How long you plan to keep it
  • Where the data came from, if you didn't collect it from the customer directly
  • Whether any automated decision-making, including profiling, is involved

A request doesn't have to use the words “subject access request” or arrive through a particular channel; a WhatsApp message to a service advisor counts, and the clock starts when it arrives.

Now think about where your workshop stores data. Is it all in one system? Or scattered across your DMS, WhatsApp, email, a spreadsheet, and paper invoices in a drawer?

If you can't pull a complete picture within a month, you have a structural problem. The same applies to erasure requests: you need to erase a customer's data across every system where it lives. The one exception is data you are legally required to keep, such as invoices within their statutory accounting retention period; that data stays, but you should tell the customer why, and use it for nothing else.

The workshops that handle this well are the ones with a single system of record — one platform where all customer data lives, searchable and exportable.

The GDPR checklist: seven steps every workshop should take

1. Create a data inventory. Map what personal data you hold, where it's stored, and why. A simple spreadsheet listing data types, storage locations, legal basis, retention periods and who has access is enough, and it doubles as the record of processing activities that Article 30 asks for. But it needs to exist in writing.

2. Publish a privacy notice. Tell customers what you do with their data. A printed notice in your reception area, a page on your website, or both. Plain language: what you collect, why, who you share it with, how long you keep it, and how they can exercise their rights.

3. Keep consent records. For any processing based on consent (marketing, newsletters), keep records of when and how consent was given. “They gave me their email” is not a consent record. A timestamped opt-in is.

4. Set a data retention policy. Don't keep data forever. Define how long you keep records after the last service visit. Three years is common for vehicle service data, but the right period depends on national civil liability limitation periods, which vary by country, and invoices and accounting records usually carry their own, longer statutory retention periods. So tie each data category to its own period rather than one blanket rule, and check your local requirements. After the retention period, delete or anonymise, and do it on a schedule rather than relying on someone remembering.

5. Establish processor agreements. Every cloud service or third-party platform handling your customer data is a data processor. You need a Data Processing Agreement (DPA) with each one. Most reputable SaaS providers include this in their terms — but verify the DPA covers the specific processing activities you use the tool for, not just the standard terms.

6. Prepare a breach response plan. If customer data is compromised (a lost laptop, a ransomware infection, an email with the wrong customer's invoice attached), you have 72 hours from becoming aware of it to report it to your supervisory authority, unless the breach is unlikely to result in a risk to the people affected. Where the risk to them is high, you must also tell the affected customers without undue delay. Have a plan before you need one: who to contact, what to document (what happened, which data, which customers, what you did about it; keep this log even for incidents you decide not to report), and how to notify affected customers.

7. Build staff awareness. Everyone who touches customer data needs to understand the basics. Service advisors should know not to share customer details over open channels, and to follow your communication guidelines when messaging customers. Admin staff should know how to recognise and handle a data request, which may arrive as a casual WhatsApp message rather than a formal letter. A 30-minute walkthrough once a year goes a long way.
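Steps 3 and 4 above, together with the subject access request section earlier, describe what a single system of record has to do: hold consent as a timestamped, confirmed record rather than a bare email address, anonymise or delete records once their retention period has passed, and answer a SAR from one place. The following Python is an added example of those three mechanisms. It is not Carsu's code and says nothing about how Carsu's platform is built; the field names, the three-year default retention, the mapping of purposes to legal bases and the sample customers are all assumptions for illustration.

```python
# Added example (not Carsu's code): a minimal single system of record for
# workshop customer data, with timestamped double opt-in consent records, a
# retention sweep that anonymises stale records, and a one-call SAR export.
# Field names, the 3-year default retention and the sample data are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

@dataclass
class Consent:
    purpose: str                          # e.g. "marketing_email"
    requested_at: datetime                # opt-in submitted (UTC)
    confirmed_at: datetime | None = None  # double opt-in confirmation
    withdrawn_at: datetime | None = None  # set on unsubscribe; record is kept

@dataclass
class Customer:
    customer_id: str
    name: str | None
    email: str | None
    phone: str | None
    vehicle_reg: str | None
    source: str                                   # where the data came from
    services: list[tuple[date, str]] = field(default_factory=list)
    consents: list[Consent] = field(default_factory=list)
    shared_with: list[str] = field(default_factory=list)  # processors under a DPA
    anonymised: bool = False

    def last_service(self) -> date | None:
        return max((d for d, _ in self.services), default=None)

def request_consent(c: Customer, purpose: str, now: datetime | None = None) -> Consent:
    """Double opt-in step 1: record the timestamped request. Not yet valid consent."""
    consent = Consent(purpose, now or datetime.now(timezone.utc))
    c.consents.append(consent)
    return consent

def confirm_consent(c: Customer, purpose: str, now: datetime | None = None) -> bool:
    """Double opt-in step 2: the customer confirmed via the follow-up message."""
    for k in c.consents:
        if k.purpose == purpose and k.confirmed_at is None and k.withdrawn_at is None:
            k.confirmed_at = now or datetime.now(timezone.utc)
            return True
    return False

def may_send(c: Customer, purpose: str) -> bool:
    """Marketing needs a confirmed, unwithdrawn consent; a bare email address is not one."""
    return not c.anonymised and any(
        k.purpose == purpose and k.confirmed_at is not None and k.withdrawn_at is None
        for k in c.consents)

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                    # 29 Feb into a non-leap year
        return d.replace(year=d.year + years, day=28)

def retention_deadline(c: Customer, retention_years: int = 3) -> date | None:
    last = c.last_service()
    return add_years(last, retention_years) if last else None

def anonymise(c: Customer) -> None:
    """Strip identifiers; keep the service history only as non-personal statistics."""
    c.name = c.email = c.phone = c.vehicle_reg = None
    c.consents.clear()
    c.shared_with.clear()
    c.anonymised = True

def retention_sweep(customers: list[Customer], today: date | None = None, retention_years: int = 3) -> list[str]:
    """Anonymise every customer whose retention period has expired; return their ids."""
    today = today or date.today()
    expired = []
    for c in customers:
        deadline = retention_deadline(c, retention_years)
        if not c.anonymised and deadline is not None and deadline < today:
            anonymise(c)
            expired.append(c.customer_id)
    return expired

def subject_access_export(c: Customer, retention_years: int = 3) -> dict:
    """Everything a SAR response must contain, pulled from one record."""
    deadline = retention_deadline(c, retention_years)
    return {
        "data_held": {"name": c.name, "email": c.email, "phone": c.phone, "vehicle_reg": c.vehicle_reg,
                      "service_history": [(d.isoformat(), what) for d, what in c.services]},
        "purposes_and_legal_basis": {"service_delivery": "contract", "service_reminders": "legitimate_interest",
                                     "marketing": "consent" if may_send(c, "marketing_email") else "not processed"},
        "shared_with": list(c.shared_with),
        "retention_until": deadline.isoformat() if deadline else None,
        "source": c.source,
        "automated_decision_making": False,
    }

def sample_customers() -> list[Customer]:
    """Constructed sample data, not real customers: one recent, one long inactive."""
    today = date.today()
    recent = Customer("c1", "Anna Example", "anna@example.com", "+49 30 000000", "B-AB 1234", "online booking",
                      services=[(today - timedelta(days=60), "Winter tyre change")], shared_with=["invoicing SaaS"])
    stale = Customer("c2", "Old Customer", "old@example.com", None, "B-XY 99", "paper job card",
                     services=[(today - timedelta(days=4 * 365), "Annual service")])
    return [recent, stale]
```

Two design points worth noticing. A consent request that was never confirmed never becomes valid consent, so `may_send` stays false until the follow-up message is answered, and a withdrawal keeps the record (with its timestamp) rather than deleting it, because the record is your proof of what you were allowed to send and when. The sweep anonymises instead of deleting so that service statistics survive without any identifier; if your national rules or your own policy call for outright deletion, replace `anonymise` with removal from the store, and run the sweep from a scheduled job rather than by hand.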

Is UK GDPR the same as EU GDPR?

The UK retained GDPR as “UK GDPR” and supplements it with the Data Protection Act 2018. The core principles are the same, but the Data Use and Access Act 2025 introduces changes to legitimate interest assessments and cookie consent. If you operate across both jurisdictions, one compliance framework no longer covers both without jurisdiction-specific adjustments.

Within the EU, enforcement varies by country. The French CNIL is aggressive on cookies. The Italian Garante has specific employee data requirements. The Spanish AEPD has issued over 1,000 fines — more than any other EU authority. Same regulation, different enforcement cultures. Factor this in if you’re expanding across markets.

How Carsu handles GDPR for workshops

At Carsu, GDPR management is built into the workshop platform — not as a compliance add-on, but as the data governance layer that makes everything else work properly.

What that looks like in practice: built-in retention policies, automated consent tracking, data processing agreements as standard, and the ability to respond to a subject access request with a single export rather than hunting through five systems. When a customer asks “what data do you have on me?” — it’s one click, not a week of digging through WhatsApp threads, spreadsheets, and paper files.

The compliance benefit is a side effect of having clean, structured, well-governed customer data — one booking flow instead of three channels, one retention policy instead of scattered rules across tools, one searchable customer record instead of fragments in five places.

If you’d like to see how that works, get in touch.
