The European Data Protection Board (EDPB) adopted and published the final version of Guidelines 01/2020 on the processing of personal data in the context of connected vehicles and mobility-related applications.
These Connected Car Guidelines are addressed to traditional stakeholders in the automotive industry and to the new players of the digital industry.
The guidelines include an additional section with case studies to provide practice-oriented recommendations, such as:
- defining contractual obligation as a legal basis for the data processing of “Pay-as-you-drive” and “Pay-how-you-drive” usage-based insurance services;
- for usage-based insurance services, insurance companies should only receive generated numerical scores, not the raw data of the car telematics;
- defining a contractual obligation as a legal basis for the data processing of rental-parking services;
- only transmitting data of in-vehicle systems to emergency services and service partners in case of a serious accident, which trigger an emergency eCall to 112 that has been mandatory since 2018;
- only retaining the data obtained in an eCall to 112 until it is needed for the processing of an emergency situation;
- using consent as the legal basis for studies or research for which the data subjects voluntarily provide data;
- using consent as the legal basis for the processing of vehicle location data in the event of a car theft where data subjects wish to find the vehicle.