• Courses
      • Executive Management Courses
      • Global Series of National Privacy Laws
      • Netherlands Privacy Academy (in Dutch)
      • Caribbean Data Protection Academy
    • Resources
    • Join GADPPRO ACADEMY
      • Join GADPPRO Academy as an Official Partner
      • Become an Official GADPPRO Training Entity
      • Join the GADPPRO Business Academy
      • Secretariat & International Training Centre
      • Contact Us
    •  
      • RegisterLog in
    Privacad GADPPRO Academy
      • Courses
        • Executive Management Courses
        • Global Series of National Privacy Laws
        • Netherlands Privacy Academy (in Dutch)
        • Caribbean Data Protection Academy
      • Resources
      • Join GADPPRO ACADEMY
        • Join GADPPRO Academy as an Official Partner
        • Become an Official GADPPRO Training Entity
        • Join the GADPPRO Business Academy
        • Secretariat & International Training Centre
        • Contact Us
      •  
        • RegisterLog in

      Blog

      Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date October 9, 2020

      Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

      Paragraph 2.4.1  Local processing of personal data

      70. In general, vehicle and equipment manufacturers, service providers and other data controllers should, wherever possible, use processes that do not involve personal data or transferring personal data outside of the vehicle (i.e., the data is processed internally). This scenario offers the advantage of guaranteeing to the user the sole and full control of his/her personal data and, as such, it presents, “by design”, less privacy risks especially by prohibiting any data processing by stakeholders without the data subject knowledge. It also enables the processing of sensitive data such as biometric data or data relating to criminal offenses or other infractions, as well as detailed location data which otherwise would be subject to stricter rules (see below). In the same vein, it presents fewer cybersecurity risks and involves little latency, which makes it particularly suited to automated driving-assistance functions. Some examples of this type of solution could include:

      • − eco-driving applications that process data in the vehicle in order to display eco-driving advice in real time on the on-board screen;

      • − applications that involve a transfer of personal data to a device such as a smartphone under the user’s full control (via, for example, Bluetooth or Wi-Fi), and where the vehicle’s data are not transmitted to the application providers or the vehicle manufacturers; this would include, for instance, coupling of smartphones to use the car’s display, multimedia systems, microphone (or other sensors) for phone calls, etc., to the extent that the data collected remain under the control of the data subject and is exclusively used to provide the service he or she has requested;

      • − in-vehicle safety enhancing applications such as those that provide audible signals or vibrations of the steering wheel when a driver overtakes a car without indicating or straying over white lines or which provides alerts as to the state of the vehicle (e.g., an alert on the wear and tear affecting brake pads);

      • − applications for unlocking, starting, and/or activating certain vehicle commands using the driver’s biometric data that is stored within the vehicle (such as a face or voice models or fingerprint minutiae).

      71. Applications such as the above involve processing carried out for the performance of purely personal activities by a natural person (i.e., without the transfer of personal data to a data controller or data processor). Therefore, in accordance with art.2(2) GDPR, these applications fall outside the scope of the GDPR.

      72. Local data processing should be considered by car manufacturers and service providers, whenever possible to mitigate the potential risks of cloud processing, as they are underlined in the opinion on Cloud Computing released by the Article 29 Working Party.

      73. However, if the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, it does apply to controllers or processors, which provide the means for processing personal data for such personal or household activities (car manufacturers, service provider, etc.). Hence, when they are acting as data controller or data processor, they must develop secure in-car application and with due respect to the principle of privacy by design and by default. In any case, according to Recital 78 GDPR, “When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations”. One the one hand, it will enhance the development of user-centric services and, on the other hand, it will facilitate and secure any further uses in the future which could fall back within the scope of the GDPR. More specifically, the EDPB recommends developinga secure in-car application platform, physically divided from safety relevant car functions so that the access to car data does not depend on unnecessary external cloud capabilities.

      74. In general users should be able to control how their data are collected and processed in the vehicle:

      • − information regarding the processing must be provided in the driver’s language (manual, settings, etc.) ;

      • − the EDPB recommends that only data strictly necessary for the vehicle functioning areprocessed by default. Data subjects should have the possibility to activate or deactivate the data processing for each other purpose and controller/processor and have the possibility to delete the data concerned.;

      • − data should not be transmitted to any third parties (i.e., the user has sole access to the data);

      • − data should be retained only for as long as is necessary for the provision of the service or otherwise required by Union or member statelaw ;

      • − data subjects should beable to delete permanently any personal data before the vehicles are put up for sale;

      • − data subjects should, where feasible, have a direct access to the data generated by these applications.

      75. Finally, while it may not always be possible to resort to local data processing for every use-case, “hybrid processing” can often be put in place. For instance, in the context of usage-based insurance, personal data regarding driving behaviour (such as the force exerted on the brake pedal, mileage driven, etc.) could either be processed inside the vehicle or by the telematics service provider on behalf of the insurance company (the data controller) to generate numerical scores that are transferred to the insurance company on a defined basis (e.g. monthly basis). In this way, the insurance company does not gain access to the raw behavioural data but only to the aggregate score that is the result of the processing. This ensures that principles of data minimization are satisfied by design. This also means that users must have the ability to exercise their right when data are stored by other parties, for example a user should have the ability to delete data stored in the systems of a car maintenance shop or dealership.

      • Share:
      User Avatar
      Richard V

      Previous post

      Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications
      October 9, 2020

      Next post

      Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications
      October 9, 2020

      You may also like

      Children Safety Encryption www.privacad.com
      Apple’s New Step to Protect Child Abuse via Encryption Feature
      20 August, 2021
      DNA Technology and Privacy www.privacad.com
      DNA Technology Regulation Bill and Violation of Privacy for Minority Groups
      19 August, 2021
      www.privacad.com
      India accuses Twitter of not complying with new IT rules
      18 August, 2021

      Search

      Categories

      • Blog
      • Business
      • Design / Branding
      • Free Data Protection Resources
      • Nederlandse Privacy Academie
      • Uncategorized
      Facebook-f Linkedin-in

      © Privacad 2020

      For all your questions about courses

      students@privacad.com

      For all your questions about Privacad for business

      info@privacad.com

      Links

      • Courses
      • Become a GADPPRO Academy Official Training Entity
      • Resources
      • Free Data Protection Resources
      • Blog
      • Profile
      • Students Stewards Network (SSN)

      Support

      • Privacy Policy
      • Terms of Use
      • FAQs
      • Contact

      © GADPPRO Academy | Privacad 2023

      GADPPRO Academy 2023

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account

      Are you a member? Login now