An Indian auto dealership collects more personal and financial data per customer than almost any other SMB category. PAN cards, Aadhaar, income certificates, bank statements, loan applications, insurance details, vehicle registration — all in a single transaction. The DPDP Act places significant obligations on any business handling this level of sensitive data.
What Data Auto Dealers Typically Collect
- Full name, date of birth, address — from identity documents
- Aadhaar number — for KYC and government registration
- PAN card number — for finance and Form 60/61
- Income certificates and salary slips — for loan eligibility
- Bank account details — for EMI mandates
- Vehicle registration details — transferred to new owner
- Insurance policy information
- Contact details — phone, email, WhatsApp
- Test drive records — date, vehicle, salesperson
This is high-sensitivity personal and financial data. A breach affecting even one customer's Aadhaar + PAN + bank details could enable identity theft and financial fraud.
Which Section of the DPDP Act Applies
For digitally collected data (online inquiry forms, digital KYC on tablets, DMS system): Section 3(a)(i). For paper-based documents that are then scanned, photographed, or entered into your Dealer Management System: Section 3(a)(ii).
Most dealerships operate under both provisions — a customer fills paper forms at the showroom, which are then entered into the DMS. Both modes of collection are covered.
Your Obligations as a Data Fiduciary
Consent Before Data Collection
Obtaining consent at the dealership can happen via a tablet or touchscreen at the point of customer engagement. Before collecting any information:
- Show a consent notice explaining all the data you'll collect and why
- Get an explicit confirmation (tap/sign) from the customer
- Log this consent with a timestamp
The test-drive consent form is a natural point to add this — most dealerships already have customers sign something here.
Data Processor Agreements
Dealerships work with multiple Data Processors:
- NBFCs and banks for vehicle finance — they receive the customer's PAN, Aadhaar and income details
- Insurance companies — receive customer details for policy issuance
- OEM (manufacturer) — receive buyer data for warranty registration
- DMS providers — your dealer management software provider stores all customer records
- Government portals (VAHAN) — for RC transfer
You need Data Processing Agreements with each of these parties. Some (banks, insurance companies) are themselves regulated entities — confirm they comply with DPDP independently. Others (DMS providers) may need to be asked directly for their DPA.
Security for High-Value Data
Given the sensitivity of data held, "reasonable security safeguards" for a dealership means significantly more than for a typical SMB:
- Role-based access to the DMS — salespeople see only what they need
- Physical security of files containing Aadhaar/PAN copies
- Encrypted storage of digital copies of identity documents
- Regular access logs — who pulled which customer record and when
- A clear policy on ex-employee access revocation
- Secure disposal of physical documents when no longer needed
Retention and Disposal
Vehicle purchase records are required by law for 7 years (under various income tax and motor vehicle regulations). Finance records are subject to similar retention requirements. However, marketing data (test-drive leads who didn't buy, inquiry forms) can and should be deleted after the purpose — following up — is fulfilled or after a reasonable period (12-18 months).
Test Drive Data — Often Overlooked
Many dealerships collect test drive registration details — name, phone, DL number — and these go into a CRM or spreadsheet that may be accessed by multiple people. This is personal data with no ongoing purchase purpose. Set a clear deletion policy: test drive leads not converted within 12 months should be deleted from your CRM.
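One way to turn the retention rules above (7 years for purchase and finance records, 12-18 months for inquiry forms, 12 months for unconverted test-drive leads) into a repeatable review of the DMS or CRM, as an added example that is not part of the original article. The record kinds, the 18-month inquiry window, the rule that a converted lead follows the purchase record, and the sample records are assumptions made for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum

class Kind(Enum):
    PURCHASE = "purchase"      # sale, RC and finance records: statutory 7 years (per the article)
    INQUIRY = "inquiry"        # marketing inquiry forms: 12-18 months after follow-up
    TEST_DRIVE = "test_drive"  # unconverted test-drive leads: 12 months

# Assumed policy windows in months, taken from the article's figures; the inquiry
# window uses the upper end (18 months) of the stated 12-18 month range.
RETENTION_MONTHS = {Kind.PURCHASE: 7 * 12, Kind.INQUIRY: 18, Kind.TEST_DRIVE: 12}

@dataclass(frozen=True)
class Record:
    record_id: str
    kind: Kind
    collected_on: date
    converted: bool = False  # lead later turned into a sale

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last valid day (31 Jan + 1 month = 28/29 Feb)."""
    years, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def deletion_due(rec: Record) -> date:
    """Date after which the record should be purged from the DMS or CRM."""
    kind = rec.kind
    # Assumption: a converted lead is linked to the sale, so the purchase rule governs it.
    if rec.converted and kind is not Kind.PURCHASE:
        kind = Kind.PURCHASE
    return add_months(rec.collected_on, RETENTION_MONTHS[kind])

def records_to_delete(records, today: date) -> list[str]:
    """IDs of records whose retention window has passed, earliest deadline first."""
    overdue = [(deletion_due(r), r.record_id) for r in records if deletion_due(r) < today]
    return [rid for _, rid in sorted(overdue)]

# Constructed sample data (fictitious IDs and dates), not real customer records.
SAMPLE = [
    Record("TD-1001", Kind.TEST_DRIVE, date(2023, 1, 31)),
    Record("TD-1002", Kind.TEST_DRIVE, date(2023, 6, 15), converted=True),
    Record("INQ-2001", Kind.INQUIRY, date(2022, 11, 1)),
    Record("PUR-3001", Kind.PURCHASE, date(2018, 3, 10)),
]
TODAY = date(2024, 9, 1)  # constructed review date for the sample run
```

Running `records_to_delete(SAMPLE, TODAY)` flags the unconverted test-drive lead and the stale inquiry form while keeping the converted lead and the purchase record, which is the split the retention policy above calls for.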
Multi-Location Dealerships
If you operate multiple showrooms, ensure your data practices are consistent across all locations. A customer who gave consent at your Chennai showroom has the same rights as one at your Bengaluru location. Your DSR process must work across all branches, and your audit log must cover all locations.
Why This Matters Most for Auto Dealers
The combination of Aadhaar + PAN + bank details that auto dealerships hold is exactly the data package that enables identity theft and financial fraud. The DPB is likely to view breaches involving this data combination with particular seriousness. The ₹250 Crore penalty for a security failure that exposes this type of data is very real.