Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Section 2.5  Information

80. Prior to the processing of personal data, the data subject shall be informed of the identity of the data controller (e.g., the vehicle and equipment manufacturer or service provider), the purpose of processing, the data recipients, the period for which data will be stored, and the data subject’s rights under the GDPR.

81. In addition, the vehicle and equipment manufacturer, service provider or other data controller shall also provide the data subject with the following information, in clear, simple, and easily-accessible terms:

• − the contact details of the data protection officer;

• − the purposes of the processing for which the personal data are intended as well as the legal basis for the processing ;

• − the explicit mention of the legitimate interests pursued by the data controlleror by a third party, when such legitimate interests constitute the legal basis for processing;

• − the recipients or categories of recipients of the personal data, if any;

• − the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

• −the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

• −the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal where the processing is based on consent;

• −where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and safeguards used to transfer them ;

• −whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

• − the existence of automated decision-making, including profiling that produces legal effects concerning the data subject or similarly significantly affects the data subject, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. This could particularly be the case in relation to the provision of usage-based insurance to individuals ;

• − the right to lodge a complaint with a supervisory authority ;

• − information about further processing ;

• − In case of joint data controllership, clear and complete information about the responsibilities of each data controller. 

82. In some cases, personal data is not collected directly from the individual concerned. For instance, a vehicle and equipment manufacturer may rely on a dealer to collect information about the owner of the vehicle in order to offer an emergency road side assistance service. When data have not been collected directly, the vehicle and equipment manufacturer, service provider or other data controller shall, in addition to the information mentioned above, also indicate the categories of personal data concerned, the source from which the personal data originate, and, if applicable, whether those data came from publicly accessible sources. That information must be provided by the controller within a reasonable period after obtaining the data, and no later than the first of the following dates in accordance with Art.14 (3) GDPR: (i) one month after the data are obtained, having regard to the specific circumstances in which the personal data are processed, (ii) upon first communication with the data subject, or (iii) if those data are transmitted to a third party, before the transmission of the data.

83. New information may also need to be provided to data subjects when they are taken care of by new data controller, for instance if they cross borders. Roadside assistance that interacts with connected vehicles can be provided by different data controllers depending on which country or region the assistance is required in. New data controllers shall provide data subjects with the required information when data subjects cross borders and services that interact with connected vehicles are provided by new data controllers.

84. The information directed to the data subjects may be provided in layers, i.e., by separating two levels of information: on the one hand, first-level information, which is the most important for the data subjects, and, on the other hand, information that presumably is of interest at a later stage. The essential first-level information includes, in addition to the identity of the data controller, the purpose of the processing and a description of the data subject’s rights, as well as any additional information on the processing which has the most impact on the data subject and processing which could surprise them. The EDPB recommends that, in the context of connected vehicles, the data subject to be made aware of all the recipients in the first layer of information. As stated in the WP29 guidelines on transparency, controllers must provide information on the recipients that is most meaningful for data subjects. In practice, this will generally be the named recipients, so that data subjects know exactly who has their personal data. If controllers cannot provide the names of the recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.

85. The data subjects may be informed by concise and easily understandable clauses in the contract of sale of the vehicle, in the contract for the provision of services, and/or in any written medium, by using distinct documents (e.g., the vehicle’s maintenance record book or manual) or the onboard computer.

86. Standardised icons could be used in addition to the information necessary, as required under art. 13 and 14 GDPR, to enhance transparency by potentially reducing the need for vast amounts of written information to be presented to a data subject. It should be visible in vehicles in order to provide, in relation to the planned processing, a good overview that is understandable, and clearly legible. The EDPB emphasises the importance of standardising those icons, so that the user finds the same symbols regardless of the make or model of the vehicle. For example, when certain types of data are being collected, such as geolocation, the vehicles could have a clear signal on-board (such as a light inside the vehicle) to inform passengers about data collection.