Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Section 2.7  Security and confidentiality

90. Vehicle and equipment manufacturers, service providers and other data controllers shall put in place measures that guarantee the security and confidentiality of processed data and take all useful precautions to prevent control being taken by an unauthorised person. In particular, industry participants should consider adopting the following measures:

• − encrypting the communication channels by means of a state-of-the-art algorithm;

• − putting in place an encryption-key management system that is unique to each vehicle, not to each model;

• − when stored remotely, encrypting data by means of state-of-the-art algorithms;

• − regularly renewing encryption keys;

• − protecting encryptions keys from any disclosure;

• − authenticating data-receiving devices;

• − ensuringdata integrity (e.g., by hashing);

• − make access to personal data subject to reliable user authentication techniques (password, electronic certificate, etc.);

91. Concerning more specifically vehicle manufacturers, the EDPB recommends the implementation of the following security measures:

• − partitioning the vehicle’s vital functions from those always relying on telecommunication capacities (e.g., “infotainment”);

• − implementing technical measures that enable vehicle manufacturers to rapidly patch security vulnerabilities during the entire lifespan of the vehicle;

• − for the vehicle’s vital functions, give priority as much as possible to using secure frequencies that are specifically dedicated to transportation;

• − setting up an alarm system in case of attack on the vehicle’s systems, with the possibility of operating in downgraded mode;

• − storing a log history of any access to the vehicle’s information system, e.g. going back six months as a maximum period, in order to enable the origin of any potential attack to be understood and periodically carry out a review of the logged information to detect possible anomalies.

92. These general recommendations shall be completed by specific requirements taking into account the characteristics and purpose of each data processing.