Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Paragraph 1.5.3  Further processing of personal data

50. When data are collected on the basis of consent as required by art. 5(3) of the “ePrivacy” directive or on one of the exemptions of art. 5 (3), it can only be further processed either if the controller seeks additional consent for this other purpose or if the data controller can demonstrate that it is based on a Union or Member Statelaw to safeguard the objectives referred to in art. 23 (1) GDPR. The EDPB considers that further processing on the basis of a compatibility test according to art. 6 (4) GDPR is not possible in these cases, since it would undermine the data protection standard of the “ePrivacy” directive.

51. The EDPB recalls that the initial consent will never legitimise further processing as consent need to be informed and specific to be valid.

52. For instance, telemetry data, which is collected during use of the vehicle for maintenance purposes may not be disclosed to motor insurance companies without the users consent for the purpose of creating driver profiles to offer driving behaviour based insurance policies.

53. Furthermore, data collected by connected vehicles may be processed by law enforcement authorities to detect speeding or other infractions if and when the specific conditions in the law enforcement directive are fulfilled. In this case, such data will be considered as relating to criminal convictions and offences under the conditions laid down by art. 10 GDPR and any applicable national legislation. Manufacturers may provide the law enforcement authorities with such data if the specific conditions for such processing are fulfilled. The EDPB points out that processing of personal data for the sole purpose of fulfilling requests made by law enforcement authorities does not constitute a specified, explicit and legitimate purpose within the meaning of art. 5 (1) (b) GDPR. When law enforcement authorities are authorized by law, they could be third parties within the meaning of art. 4 (10)GDPR, in this case manufacturers would been titled to provide them with any data at their disposal subject to compliance with the relevant legal framework in each Member State.