Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications
Section 2.5 Information
80. Prior to the processing of personal data, the data subject shall be informed of the identity of the data controller (e.g., the vehicle and equipment manufacturer or service provider), the purpose of processing, the data recipients, the period for which data will be stored, and the data subject’s rights under the GDPR.
81. In addition, the vehicle and equipment manufacturer, service provider or other data controller shall also provide the data subject with the following information, in clear, simple, and easily-accessible terms:
− the contact details of the data protection officer;
− the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
− the explicit mention of the legitimate interests pursued by the data controller or by a third party, when such legitimate interests constitute the legal basis for processing;
− the recipients or categories of recipients of the personal data, if any;
− the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
− the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
− the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal where the processing is based on consent;
− where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and safeguards used to transfer them;
− whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
− the existence of automated decision-making, including profiling that produces legal effects concerning the data subject or similarly significantly affects the data subject, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. This could particularly be the case in relation to the provision of usage-based insurance to individuals;
− the right to lodge a complaint with a supervisory authority;
− information about further processing;
− in case of joint data controllership, clear and complete information about the responsibilities of each data controller.