Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Paragraph 2.4.3  Data protection impact assessments

79. Given the scale and sensitivity of the personal data that can be generated via connected vehicles; it is likely that processing – particularly in situations where personal data are processed outside of the vehicle  – will often result in a high risk to the rights and freedoms of individuals. Where this is the case, industry participants will be required to perform a data protection impact assessment (DPIA) to identify and mitigate the risks as detailed in the art. 35 and 36 GDPR. Even in the cases where a DPIA is not required, it is a best practice to conduct one as early as possible in the design process. This will allow industry participants to factor the results of this analysis into their design choices prior to the roll-out of new technologies.