Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Subparagraph 3.1.1.2  Data collected

107. There is two types of personal data to be considered:

• − commercial and transactional data: data subject’s identifying information, transaction-related data, data relating to means of payment, etc. ;

• − usage data: personal data generated by the vehicle, driving habits, location, etc. 

108. The EDPB recommends that, as far as possible, and given that there is a risk that the data collected via the telematics-box could be misused to create a precise profile of the driver’s movements, raw data regarding driving behaviour must be either processed:

• − inside the vehicle in telematics boxes or in the user’s smartphone so that the insurer only accesses the results data (e.g., a score relating to driving habits), not detailed raw data (see section 2.1) ;

• − or by the telematics service provider on behalf of the controller (the insurance company) to generate numerical scores that are transferred to the insurance company on a defined basis. In this case, raw data and data directly relating to the identity of the driver must be separated. This means that the telematics service provider receives the real-time data, but does not know the names, licence plates, etc. of the policy holders. On the other hand, the insurer knows the names of policyholders, but only receives the scores and the total kilometres and not the raw data used to produce such scores.

109. Moreover, it has to be noted that if only the mileage is necessary for the performance of the contract, location data shall not be collected.