European auto resellers are violating the continent’s tough data privacy laws, according to a new study that found four out of five cars resold in Germany, the U.K. and Italy are hitting the market with prior drivers’ personal data stored and easily accessible.

One-third of customers can find stored location data and home addresses in resold vehicles and about half can access prior owners’ call logs and text messages, according to a white paper published Tuesday by the industry watchdog Privacy4Cars. The study is largely based on an audit of hundreds of vehicles resold by dozens of dealers.

Out of 46 dealers the watchdog sent an undercover shopper to, 35 said they always delete personal data. However, the shopper found prior owners’ stored data in 40 out of 70 test drives at those dealerships. 

Privacy4Cars provided the data to a senior judge in the U.K. earlier this year, which resulted in an opinion that could put the automotive industry across the region on high alert. Aidan Eardley, a King’s Counsel, said dealerships, rental car companies and manufacturers have a legal responsibility to delete data before reselling or renting vehicles.

If U.K. dealerships and other entities resell or rent cars without deleting data then there will be a “strongly arguable case that the hirer has processed the data in contravention” of the law, Eardley wrote in a May opinion.

Failing to delete the data is potentially a “reportable” data breach, meaning notification requirements would take effect under the U.K.’s General Data Protection Regulation (UK GDPR), Eardley said.

The European Union’s GDPR closely aligns with the U.K. law.

The cost of such breaches is significant in the U.K., where the data privacy regulator known as the Information Commissioner’s Office can levy fines as large as 4% of a business’s global income over the course of a year. 

Dealerships and other vendors cannot rely on individual employees to delete the personal data they find and must have structured programs in place to ensure data is erased, Eardley said. 

A dealership or other “controller” using a “documented procedure for cleansing an on-board computer system and/or a software product designed to remove problematic data will be much better placed” under the law, Eardley wrote.