Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Paragraph 2.4.1  Local processing of personal data

70. In general, vehicle and equipment manufacturers, service providers and other data controllers should, wherever possible, use processes that do not involve personal data or transferring personal data outside of the vehicle (i.e., the data is processed internally). This scenario offers the advantage of guaranteeing to the user the sole and full control of his/her personal data and, as such, it presents, “by design”, less privacy risks especially by prohibiting any data processing by stakeholders without the data subject knowledge. It also enables the processing of sensitive data such as biometric data or data relating to criminal offenses or other infractions, as well as detailed location data which otherwise would be subject to stricter rules (see below). In the same vein, it presents fewer cybersecurity risks and involves little latency, which makes it particularly suited to automated driving-assistance functions. Some examples of this type of solution could include:

• − eco-driving applications that process data in the vehicle in order to display eco-driving advice in real time on the on-board screen;

• − applications that involve a transfer of personal data to a device such as a smartphone under the user’s full control (via, for example, Bluetooth or Wi-Fi), and where the vehicle’s data are not transmitted to the application providers or the vehicle manufacturers; this would include, for instance, coupling of smartphones to use the car’s display, multimedia systems, microphone (or other sensors) for phone calls, etc., to the extent that the data collected remain under the control of the data subject and is exclusively used to provide the service he or she has requested;

• − in-vehicle safety enhancing applications such as those that provide audible signals or vibrations of the steering wheel when a driver overtakes a car without indicating or straying over white lines or which provides alerts as to the state of the vehicle (e.g., an alert on the wear and tear affecting brake pads);

• − applications for unlocking, starting, and/or activating certain vehicle commands using the driver’s biometric data that is stored within the vehicle (such as a face or voice models or fingerprint minutiae).

71. Applications such as the above involve processing carried out for the performance of purely personal activities by a natural person (i.e., without the transfer of personal data to a data controller or data processor). Therefore, in accordance with art.2(2) GDPR, these applications fall outside the scope of the GDPR.

72. Local data processing should be considered by car manufacturers and service providers, whenever possible to mitigate the potential risks of cloud processing, as they are underlined in the opinion on Cloud Computing released by the Article 29 Working Party.

73. However, if the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, it does apply to controllers or processors, which provide the means for processing personal data for such personal or household activities (car manufacturers, service provider, etc.). Hence, when they are acting as data controller or data processor, they must develop secure in-car application and with due respect to the principle of privacy by design and by default. In any case, according to Recital 78 GDPR, “When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations”. One the one hand, it will enhance the development of user-centric services and, on the other hand, it will facilitate and secure any further uses in the future which could fall back within the scope of the GDPR. More specifically, the EDPB recommends developinga secure in-car application platform, physically divided from safety relevant car functions so that the access to car data does not depend on unnecessary external cloud capabilities.

74. In general users should be able to control how their data are collected and processed in the vehicle:

• − information regarding the processing must be provided in the driver’s language (manual, settings, etc.) ;

• − the EDPB recommends that only data strictly necessary for the vehicle functioning areprocessed by default. Data subjects should have the possibility to activate or deactivate the data processing for each other purpose and controller/processor and have the possibility to delete the data concerned.;

• − data should not be transmitted to any third parties (i.e., the user has sole access to the data);

• − data should be retained only for as long as is necessary for the provision of the service or otherwise required by Union or member statelaw ;

• − data subjects should beable to delete permanently any personal data before the vehicles are put up for sale;

• − data subjects should, where feasible, have a direct access to the data generated by these applications.

75. Finally, while it may not always be possible to resort to local data processing for every use-case, “hybrid processing” can often be put in place. For instance, in the context of usage-based insurance, personal data regarding driving behaviour (such as the force exerted on the brake pedal, mileage driven, etc.) could either be processed inside the vehicle or by the telematics service provider on behalf of the insurance company (the data controller) to generate numerical scores that are transferred to the insurance company on a defined basis (e.g. monthly basis). In this way, the insurance company does not gain access to the raw behavioural data but only to the aggregate score that is the result of the processing. This ensures that principles of data minimization are satisfied by design. This also means that users must have the ability to exercise their right when data are stored by other parties, for example a user should have the ability to delete data stored in the systems of a car maintenance shop or dealership.