I don't this will apply for cars outside the UK?
Will it? (small hope that it will). They might use software for this.
I'd suspect not, I'm afraid.
The Data Protection Act [the act] is a UK Parliament act of law, which is therefore only of use in the United Kingdom.
The act however is born from a European Union Directive, so all European Union member states should have enacted similar laws in their territories, however there will of course be subtle differences. So it's not possibly to say if or how citizens of other member states would be able to go about obtaining this information.
If you don't live in a European Union member state then such laws allowing access to personal data may not exist at all and citizens will have to explore what legal options are available within their country.
It may not be an issue in other countries anyway. The reason key codes were never issued with the car in the UK is because insurance companies prevented them from being issued with the car at the time, for security reasons. It could be that in other countries the code card was provided with the vehicle information pack at the point of purchase.
There is also the issue of who holds the codes for vehicles in other countries. The Retainer Group serves the UK, I don't know whether they hold vehicle data for other countries.
Hats off to Ross for getting his code out of Retainer Group for free but I actually think they had no legal obligation to provide him with the information. Without wishing to start a legal argument; the data protection act relates to personal and sensitive data, so they only have to give information held in relation to the person. I don't see how they can relate the data they hold back to any particular individual, so I don't think they needed to give it out on a DPA request. Lets face it the data they hold should simply be a chassis number and the codes relating to it, it should have no personal data (such as name, address) held against it at all.
They probably just did what most ill advised people do when faced with a legally based information request, lightly soiled themselves and provided the information asked for so as to avoid any further conflict or hassle.
Still, well done Ross for managing to get this information out of them for free anyway. If they thought they were acting under DPA (which I say they weren't) they could have charged a small admin fee for providing the data.