Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Subparagraph 3.1.1.1  Legal basis

105. When the data is collected through a publicly available electronic communication service (for example via the SIM card contained in the telematics device), consent will be needed in order to gain access to information that is already stored in the vehicle as provided by art. 5 (3) “ePrivacy” directive. Indeed, none of the exemptions provided by those provisions can apply in this context: the processing is not for the sole purpose of carrying out the transmission of a communication over an electronic communications network nor does it relate to an information society service explicitly requested by the subscriber or user. Consent could be collected at the time of the conclusion of the contract.

106. As regards the processing of personal data following the storage or access to the end-user’s terminal equipment, the insurance company can rely on art. 6 (1) (b) GDPR in this specific context provided it can establish both that the processing takes place in the context of a valid contract with the data subject and that processing is necessary in order that the particular contract with the data subject can be performed. Insofar as the processing is objectively necessary for the performance of the contract with the data subject, the EDPB considers that reliance upon art. 6 (1) (b) GDPR would not have the effect of lowering the additional protection provided by art. 5 (3) of the “ePrivacy” Directive in this specific instance. That legal basis is materialised by the data subject signing a contract with the insurance company.