The European Data Protection Board (EDPB) published guidelines on processing personal data in the context of connected vehicles and mobility-related applications on 7 February 2020. These clarifications are welcome, as actors in the connected car space are being challenged to use innovative technology in a privacy-compliant way.
However, as this article will address, some key issues still need to be considered by data controllers. Furthermore, this article demonstrates why a data protection officer (DPO) is required where personal data is processed at this scale and how the DPO can offer guidance and support.
In terms of connected car technology, a data controller is a person who determines the purposes and means of the processing that takes place in connected vehicles. This includes service providers that process car data to send the driver traffic information, eco-driving messages or changes in car functionality; insurance companies offering ‘pay as you drive’ contracts; and car manufacturers gathering vehicle data.
Art. 26 GDPR (General Data Protection Regulation) provides that two or more controllers who jointly determine the purposes and means of the processing are joint controllers. In such cases, the respective obligations have to be clearly defined. Joint controllers are not per se required to have a contract but must have a transparent arrangement that sets out the agreed roles and responsibilities for complying with the GDPR. The essence of this arrangement must be made available to data subjects; it is recommended to include it in a company’s privacy information.
The necessity of a data protection officer (DPO)
Generally speaking, a company needs to appoint a DPO, whether it is a controller or a processor, if its core activities involve the processing of sensitive data on a large scale or the large-scale, regular and systematic monitoring of data subjects. All forms of tracking, including geo-tracking, and the processing of sensitive personal data, such as religious affiliation, fall within this scope.
For that reason, companies whose business activities fall within the scope of connected vehicle technologies will, as a rule, be required to appoint an internal or external DPO.
Processing of personal data in the context of connected vehicles
The guidelines cover personal data that is
- processed in a connected car,
- exchanged between the vehicle and personal devices connected to it, such as smartphones, or
- collected in the car and shared with third parties, such as with insurers for usage-based insurance products.
The guidelines explain in detail which data associated with connected vehicles falls within the scope of personal data. Most of this data will be considered personal data to the extent that it relates to a person who is identifiable either directly (such as by name) or indirectly (such as by speed or distance travelled). Three categories of data deserve particular attention in connected car technology.
- Firstly, geolocation data reveals life habits and hobbies and can also reveal sensitive information. For instance, frequent trips to places of worship can disclose a person’s religious affiliation.
- Biometric data can be relevant in connected car technology to unlock a vehicle, to authenticate the driver, or to access a driver’s profile settings or preferences.
- Lastly, connected cars may reveal offence-related data. As an example, the speed of the vehicle combined with geolocation data could reveal a speeding offence. Under Art. 10 GDPR, the processing of such data may only be carried out under the control of an official authority or when it is authorised by EU or Member State law.
Data controllers must, therefore, be careful about the data that is processed, as indirectly identifiable data also falls within the scope of personal data and triggers obligations under the GDPR. For controllers who are uncertain about whether or not personal data is at stake in their specific situation, an internal or external DPO can provide clarity. Furthermore, data controllers could consider alternatives, such as non-biometric access to a car or allowing drivers to turn location tracking off.
Such measures are also relevant to the principle of data minimisation. Accordingly, data controllers should not collect data unless it is necessary for the specified purpose, which could include driver safety, insurance, efficient transportation, and entertainment or information services. In that context, data controllers are advised to be particularly careful with geolocation data: it must be collected for a ‘specified, explicit and legitimate’ purpose, and excessive processing must be avoided. To evaluate whether a processing activity meets this standard, data controllers are advised to consult their DPO.
Privacy by design in the context of connected vehicles
To ensure compliance with the GDPR, car technologies should be designed to keep personal data collection to a minimum, provide high privacy protective settings by default and ensure that drivers are well informed and can modify their privacy settings at all times. Information is given according to Art. 13 and 14 GDPR and should be clear, simple and accessible to users. Moreover, to fulfil transparency requirements, drivers should be informed of the identity of the data controller, the purposes of the data collection, the recipients of the data, the retention period and the driver’s rights under the GDPR.
Generally speaking, the privacy setup should ensure that drivers have control over, and are informed about, the data that is collected and processed in the vehicle. It should allow a choice of language, ensure that data is only processed if strictly necessary, transfer no data to third parties by default, and keep the retention period to the duration strictly necessary. Drivers should also have access to their data and be able to delete it permanently.
Security of processing in the context of connected vehicles
For GDPR-compliant data processing in connected vehicles, the technical and organisational security measures must be appropriate to the risk posed by potential security gaps. Thus, a data controller is required to ensure that the measures protect against illegitimate access to, and modification and deletion of, connected vehicle data. In practice, such measures could include, for instance, encryption of data at rest and in transit, hashing or pseudonymisation of identifiers, and reliable user authentication techniques.
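As an added illustration (example code written for this article, not part of the EDPB guidelines or of ActiveMind’s tooling), the block below shows why ‘data hashing’ only pseudonymises an identifier when a secret key is involved. Licence plates and VINs have a small value space, so an unkeyed hash of a plate can be reversed simply by hashing every possible plate and comparing; an HMAC under a key that is stored separately from the telemetry cannot be reversed without that key. The plate format (‘B-AB ’ followed by four digits), the sample plate and the function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample identifier for illustration only (not a real vehicle).
SAMPLE_PLATE = "B-AB 1234"


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier.

    Deterministic, but anyone who can guess the input can recompute it, so it
    offers no protection for low-entropy identifiers such as licence plates.
    """
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym of an identifier.

    Recomputing or matching the pseudonym requires the secret key, which must be
    kept separately from the telemetry (the 'additional information' of
    GDPR Art. 4(5)) and never shipped to third parties together with the data.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def new_pseudonymisation_key() -> bytes:
    """Generate a fresh 256-bit key; store it in a secrets manager, not beside the data."""
    return secrets.token_bytes(32)


def recover_plate(digest: str, prefix: str = "B-AB ", digits: int = 4) -> Optional[str]:
    """Dictionary attack against an unkeyed hash.

    Enumerates every plate of the assumed form (prefix + zero-padded digits),
    hashes it and compares. The search space here is only 10**digits values,
    which is why unkeyed hashing of such identifiers is not pseudonymisation.
    Returns the recovered plate, or None if no candidate matches.
    """
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hmac.compare_digest(plain_hash(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    unkeyed = plain_hash(SAMPLE_PLATE)
    keyed = keyed_pseudonym(SAMPLE_PLATE, key)
    print("unkeyed hash, recovered plate:", recover_plate(unkeyed))  # B-AB 1234
    print("keyed pseudonym, recovered plate:", recover_plate(keyed))  # None
```

The same dictionary attack works against unkeyed hashes of VINs, phone numbers or e-mail addresses drawn from a guessable set; whether the controller treats the pseudonymised record as still personal data then depends on who holds the key, which is a point worth settling with the DPO before data leaves the vehicle.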
Data protection impact assessment
The technical and organisational measures put in place by a data controller to ensure security and compliance with the GDPR can be assessed in a data protection impact assessment (DPIA), carried out by the controller with the advice of its DPO (Art. 35(2) GDPR).
A DPIA is required if a processing activity is likely to result in a high risk to individuals’ rights and freedoms, in particular where new technologies are used. Given the “scale and sensitivity” of personal data collected via connected cars, the risk for individuals is likely to be high according to the EDPB, especially when data is transferred outside the vehicle. Therefore, even where a DPIA is not legally required, it should still be carried out as “early as possible in the design process” so that risks are identified and mitigated before deployment.
Use our data protection comparison to compare the GDPR obligations on the DPIA with the laws of the member states.
Individual rights in the context of connected vehicles
The guidelines also evaluate how controllers of connected car data can best ensure effective mechanisms for data subjects to exercise their rights under the GDPR. The EDPB refers to a profile management system inside the vehicle, enabling drivers to modify their privacy settings anytime.
Such a system should make it easy to access and delete personal data from the vehicle system if the driver requests it. As data processing in connected cars is often based on consent, drivers must be given the ability to stop (permanently or temporarily) the processing of certain types of data, unless specific legislation provides otherwise or the data is essential to the critical functions of the vehicle.
Example: ‘Pay-as-you-drive’ insurance
If consent is given in the context of a written declaration that also concerns other matters, such as a contract, the request for consent must be clearly distinguishable from those other matters. A data subject therefore has the right to withdraw consent for location tracking while the other agreed terms remain untouched, because valid consent must be unbundled from other terms and conditions. This makes ‘pay-as-you-drive’ insurance difficult from a privacy point of view when the processing is based on consent, as the data processing is usually essential to providing the service. The EDPB does not give a clear answer as to whether such processing can instead rely on Art. 6(1)(b) GDPR, the performance of a contract, as its legal basis. Concerning deletion, the guidelines also disregard the possibility that data provided for the performance of the insurance contract may be subject to a different retention period and that insurers may be under legal obligations that prevent deletion. Furthermore, a data subject’s right to disable data collection may be incompatible with the insurance policy.
Employee car use
It is further necessary to note that these guidelines do not cover employee use of connected vehicles. Other rules and laws, including labour laws at the national level, may raise specific considerations in the data protection and employment context, such as restrictions on monitoring employees.
Support as your DPO
Connected car technology challenges data controllers to use innovative technology in a GDPR-compliant way. The considerable amount of personal data collected in this context requires high privacy standards and, due to the high risk posed to individuals’ rights and freedoms, a DPIA as well as the appointment of a DPO.
ActiveMind, as your external DPO, can support you with a variety of GDPR obligations, such as setting up a joint controllership arrangement, conducting a DPIA, or advising you on any other data protection and data security-related concerns that may arise when using connected car technology.