• Courses
      • Executive Management Courses
      • Global Series of National Privacy Laws
      • Netherlands Privacy Academy (in Dutch)
      • Caribbean Data Protection Academy
    • Resources
    • Join GADPPRO ACADEMY
      • Join GADPPRO Academy as an Official Partner
      • Become an Official GADPPRO Training Entity
      • Join the GADPPRO Business Academy
      • Secretariat & International Training Centre
      • Contact Us
    •  
      • RegisterLog in
    Privacad GADPPRO Academy
      • Courses
        • Executive Management Courses
        • Global Series of National Privacy Laws
        • Netherlands Privacy Academy (in Dutch)
        • Caribbean Data Protection Academy
      • Resources
      • Join GADPPRO ACADEMY
        • Join GADPPRO Academy as an Official Partner
        • Become an Official GADPPRO Training Entity
        • Join the GADPPRO Business Academy
        • Secretariat & International Training Centre
        • Contact Us
      •  
        • RegisterLog in

      Blog

      Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date October 9, 2020

      Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

      Section 2.5  Information

      80. Prior to the processing of personal data, the data subject shall be informed of the identity of the data controller (e.g., the vehicle and equipment manufacturer or service provider), the purpose of processing, the data recipients, the period for which data will be stored, and the data subject’s rights under the GDPR.

      81. In addition, the vehicle and equipment manufacturer, service provider or other data controller shall also provide the data subject with the following information, in clear, simple, and easily-accessible terms:

      • − the contact details of the data protection officer;

      • − the purposes of the processing for which the personal data are intended as well as the legal basis for the processing ;

      • − the explicit mention of the legitimate interests pursued by the data controlleror by a third party, when such legitimate interests constitute the legal basis for processing;

      • − the recipients or categories of recipients of the personal data, if any;

      • − the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

      • −the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

      • −the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal where the processing is based on consent;

      • −where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and safeguards used to transfer them ;

      • −whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

      • − the existence of automated decision-making, including profiling that produces legal effects concerning the data subject or similarly significantly affects the data subject, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. This could particularly be the case in relation to the provision of usage-based insurance to individuals ;

      • − the right to lodge a complaint with a supervisory authority ;

      • − information about further processing ;

      • − In case of joint data controllership, clear and complete information about the responsibilities of each data controller. 

      82. In some cases, personal data is not collected directly from the individual concerned. For instance, a vehicle and equipment manufacturer may rely on a dealer to collect information about the owner of the vehicle in order to offer an emergency road side assistance service. When data have not been collected directly, the vehicle and equipment manufacturer, service provider or other data controller shall, in addition to the information mentioned above, also indicate the categories of personal data concerned, the source from which the personal data originate, and, if applicable, whether those data came from publicly accessible sources. That information must be provided by the controller within a reasonable period after obtaining the data, and no later than the first of the following dates in accordance with Art.14 (3) GDPR: (i) one month after the data are obtained, having regard to the specific circumstances in which the personal data are processed, (ii) upon first communication with the data subject, or (iii) if those data are transmitted to a third party, before the transmission of the data.

      83. New information may also need to be provided to data subjects when they are taken care of by new data controller, for instance if they cross borders. Roadside assistance that interacts with connected vehicles can be provided by different data controllers depending on which country or region the assistance is required in. New data controllers shall provide data subjects with the required information when data subjects cross borders and services that interact with connected vehicles are provided by new data controllers.

      84. The information directed to the data subjects may be provided in layers, i.e., by separating two levels of information: on the one hand, first-level information, which is the most important for the data subjects, and, on the other hand, information that presumably is of interest at a later stage. The essential first-level information includes, in addition to the identity of the data controller, the purpose of the processing and a description of the data subject’s rights, as well as any additional information on the processing which has the most impact on the data subject and processing which could surprise them. The EDPB recommends that, in the context of connected vehicles, the data subject to be made aware of all the recipients in the first layer of information. As stated in the WP29 guidelines on transparency, controllers must provide information on the recipients that is most meaningful for data subjects. In practice, this will generally be the named recipients, so that data subjects know exactly who has their personal data. If controllers cannot provide the names of the recipients, the information should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.

      85. The data subjects may be informed by concise and easily understandable clauses in the contract of sale of the vehicle, in the contract for the provision of services, and/or in any written medium, by using distinct documents (e.g., the vehicle’s maintenance record book or manual) or the onboard computer.

      86. Standardised icons could be used in addition to the information necessary, as required under art. 13 and 14 GDPR, to enhance transparency by potentially reducing the need for vast amounts of written information to be presented to a data subject. It should be visible in vehicles in order to provide, in relation to the planned processing, a good overview that is understandable, and clearly legible. The EDPB emphasises the importance of standardising those icons, so that the user finds the same symbols regardless of the make or model of the vehicle. For example, when certain types of data are being collected, such as geolocation, the vehicles could have a clear signal on-board (such as a light inside the vehicle) to inform passengers about data collection.

      • Share:
      User Avatar
      Richard V

      Previous post

      Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications
      October 9, 2020

      Next post

      Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications
      October 9, 2020

      You may also like

      Children Safety Encryption www.privacad.com
      Apple’s New Step to Protect Child Abuse via Encryption Feature
      20 August, 2021
      DNA Technology and Privacy www.privacad.com
      DNA Technology Regulation Bill and Violation of Privacy for Minority Groups
      19 August, 2021
      www.privacad.com
      India accuses Twitter of not complying with new IT rules
      18 August, 2021

      Search

      Categories

      • Blog
      • Business
      • Design / Branding
      • Free Data Protection Resources
      • Nederlandse Privacy Academie
      • Uncategorized
      Facebook-f Linkedin-in

      © Privacad 2020

      For all your questions about courses

      students@privacad.com

      For all your questions about Privacad for business

      info@privacad.com

      Links

      • Courses
      • Become a GADPPRO Academy Official Training Entity
      • Resources
      • Free Data Protection Resources
      • Blog
      • Profile
      • Students Stewards Network (SSN)

      Support

      • Privacy Policy
      • Terms of Use
      • FAQs
      • Contact

      © GADPPRO Academy | Privacad 2023

      GADPPRO Academy 2023

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account

      Are you a member? Login now