GDPR-Compliant Number Plate Recognition
Number plates are classified as personal data under the General Data Protection Regulation (GDPR). Any system that captures, processes, or stores number plate data must comply with GDPR requirements. Here's how to build a compliant solution.
Why Number Plates Are Personal Data
Under GDPR, personal data is any information that can identify a natural person, directly or indirectly. A number plate can be linked to a vehicle's registered keeper through national databases, making it indirect personal data. This means the full scope of GDPR applies to any number plate recognition system operating in the EU or processing data of EU residents.
Establishing a Lawful Basis
Before processing number plate data, you must establish one of the six lawful bases defined in Article 6 of GDPR. The most common bases for ANPR/ALPR systems are:
- Legitimate interest — For security, fraud prevention, or parking management. You must conduct a Legitimate Interest Assessment (LIA) to demonstrate that your interest is not overridden by individuals' rights and freedoms.
- Contract performance — When plate recognition is necessary to fulfil a contract, such as automated parking billing.
- Legal obligation — When required by law, such as law enforcement or regulatory compliance.
Data Minimisation
GDPR's data minimisation principle requires you to process only the data that is strictly necessary for your purpose. For number plate recognition this means:
- Only store the plate text and metadata you actually need — discard raw images after processing unless there's a documented reason to retain them.
- Avoid collecting additional data (e.g. vehicle colour, make/model) unless your use case specifically requires it.
- Use an API provider that processes images in memory and doesn't retain them after returning results.
Retention Policies
Define clear retention periods for all number plate data. Common approaches include:
- Parking systems — Retain data for the duration of the parking session plus a reasonable dispute period (e.g. 30 days).
- Access control — Retain logs for the period defined in your security policy, typically 30–90 days.
- Traffic analysis — Anonymise or aggregate data as soon as individual identification is no longer needed.
Subject Access Requests
Individuals have the right to request access to their personal data, including any number plate records you hold. Your system should be able to:
- Search records by plate number to respond to Subject Access Requests (SARs) within the 30-day deadline.
- Export data in a portable format (e.g. CSV or JSON) to satisfy the right to data portability.
- Delete specific records to comply with the right to erasure, where no overriding legal basis exists.
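The retention and subject-access capabilities described above can sit in one small store. The following is an added example, not code from NPR API or any vendor: the table layout, function names and per-purpose periods (30 days for parking, 90 days for access control, counted from the time of the read) are assumptions chosen to match the figures in the text.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed retention periods per purpose, using the example figures in the text.
RETENTION_DAYS = {"parking": 30, "access_control": 90}

def open_store(path=":memory:"):
    db = sqlite3.connect(path, isolation_level=None)  # autocommit each statement
    db.row_factory = sqlite3.Row
    # Data minimisation: plate text and required metadata only, no image column.
    db.execute("CREATE TABLE IF NOT EXISTS reads (id INTEGER PRIMARY KEY,"
               " plate TEXT NOT NULL, purpose TEXT NOT NULL,"
               " site TEXT NOT NULL, seen_at INTEGER NOT NULL)")
    db.execute("CREATE INDEX IF NOT EXISTS reads_plate ON reads (plate)")
    return db

def normalise(plate):
    # "ab12 cde" and "AB12-CDE" must match, or a SAR search misses records.
    return "".join(ch for ch in plate.upper() if ch.isalnum())

def record(db, plate, purpose, site, seen_at):
    # Refuse to store a read whose purpose has no defined retention period.
    if purpose not in RETENTION_DAYS:
        raise ValueError(f"no retention period defined for {purpose!r}")
    db.execute("INSERT INTO reads (plate, purpose, site, seen_at) VALUES (?,?,?,?)",
               (normalise(plate), purpose, site, int(seen_at.timestamp())))

def purge_expired(db, now):
    # Run on a schedule; returns how many rows passed their retention period.
    deleted = 0
    for purpose, days in RETENTION_DAYS.items():
        cutoff = int((now - timedelta(days=days)).timestamp())
        deleted += db.execute("DELETE FROM reads WHERE purpose = ? AND seen_at < ?",
                              (purpose, cutoff)).rowcount
    return deleted

def sar_export(db, plate):
    # Every record held for one plate, as portable JSON with UTC timestamps.
    rows = db.execute("SELECT plate, purpose, site, seen_at FROM reads"
                      " WHERE plate = ? ORDER BY seen_at", (normalise(plate),))
    return json.dumps([{**dict(r), "seen_at": datetime.fromtimestamp(
        r["seen_at"], timezone.utc).isoformat()} for r in rows], indent=2)

def erase(db, plate):
    # Right to erasure: the caller first confirms no overriding legal basis.
    return db.execute("DELETE FROM reads WHERE plate = ?",
                      (normalise(plate),)).rowcount
```

Pass timezone-aware datetimes to record() and purge_expired() so cutoffs are not shifted by the host's local time zone.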
Choosing a Compliant API Provider
When selecting a number plate recognition API, verify that the provider:
- Does not retain images or results after processing (zero-retention policy).
- Offers EU-based processing infrastructure to avoid cross-border data transfer issues.
- Provides a Data Processing Agreement (DPA) that meets GDPR Article 28 requirements.
- Is transparent about sub-processors and security measures.
NPR API processes all images in memory with zero retention and offers EU-region endpoints. A DPA is available on request for all paid plans.