Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications
Section 1.3 Scope
19. The scope of this document focuses in particular on the personal data processing in relation to the non-professional use of connected vehicles by data subjects: e.g., drivers, passengers, vehicle owners, renters, etc. More specifically, it deals with the personal data (i) processed inside the vehicle, (ii) exchanged between the vehicle and personal devices connected to it (e.g., the user’s smartphone) or (iii) collected within the vehicle and exported to external entities (e.g., vehicle manufacturers, infrastructure managers, insurance companies, car repairers) for further processing.
20. The connected vehicle definition has to be understood as a broad concept in this document. It can be defined as a vehicle equipped with many electronic control units (ECU) that are linked together via an in-vehicle network as well as connectivity facilities allowing it to share information with other devices both inside and outside the vehicle. As such, data can be exchanged between the vehicle and personal devices connected to it, for instance allowing the mirroring of mobile applications to the car’s in-dash information and entertainment unit. Also, the development of standalone mobile applications, meaning independent of the vehicle (for example, relying on the sole use of the smart phone) to assist drivers is included in the scope of this document since they contribute to the vehicle’s connectivity capacities even though they may not effectively rely on the transmission of data with the vehicle per se. Applications for connected vehicles are multiple and diverse and can include:
21. Mobility management: functions that allow drivers to reach a destination quickly, and in a cost-efficient manner, by providing timely information about GPS navigation, potentially dangerous environmental conditions (e.g., icy roads), traffic congestion or road construction work, parking lot or garage assistance, optimised fuel consumption or road pricing.
22. Vehicle management: functions that are supposed to aid drivers in reducing operating costs and improving ease of use, such as notification of vehicle condition and service reminders, transfer of usage data (e.g., for vehicle repair services), customised “Pay As/How You Drive” insurances, remote operations (e.g., heating system) or profile configurations (e.g., seat position).
23. Road safety: functions that warn the driver of external hazards and internal responses, such as collision protection, hazard warnings, lane departure warnings, driver drowsiness detection, emergency call (eCall) or crash investigation “black-boxes” (event data recorder).
24. Entertainment: functions providing information to and involving the entertainment of the driver and passengers, such as smart phone interfaces (hands free phone calls, voice generated text messages), WLAN hot spots, music, video, Internet, social media, mobile office or “smart home” services.
25. Driver assistance: functions involving partially or fully automated driving, such as operational assistance or autopilot in heavy traffic, in parking, or on highways.
26. Well-being: functions monitoring the driver’s comfort, ability and fitness to drive such as fatigue detection or medical assistance.
27. Hence, vehicles can be natively connected or not and personal data can be collected through several means, including: (i) vehicle sensors, (ii) telematics boxes or (iii) mobile applications (e.g. accessed from a device belonging to a driver). In order to fall within the scope of this document, mobile applications need to be related to the environment of driving. For example, GPS navigation applications are indeed within the scope, while applications that suggest places of interest (restaurants, historic monument, etc.) to the user will not be covered by this document.
28. Much of the data that is generated by a connected vehicle relate to a natural person that is identified or identifiable and thus constitute personal data. For instance, data include directly identifiable data (e.g., the driver’s complete identity), as well as indirectly identifiable data such as the details of journeys made, the vehicle usage data (e.g., data relating to driving style or the distance covered), or the vehicle’s technical data (e.g., data relating to the wear and tear on vehicle parts), which, by cross-referencing with other files and especially the vehicle identification number (VIN), can be related to a natural person. Personal data in connected vehicles can also include metadata, such as vehicle maintenance status. In other words, any data that can be associated with a natural person therefore fall into the scope of this document.
29. The connected vehicle ecosystem covers a wide spectrum of stakeholders. More precisely, it includes traditional actors of the automotive industry as well as emerging players from the digital industry.
30. Hence, these guidelines are directed towards vehicle manufacturers, equipment manufacturers and automotive suppliers, car repairers, automobile dealerships, vehicle service providers, rental and car sharing companies, fleet managers, motor insurance companies, entertainment providers, telecommunication operators, road infrastructure managers and public authorities as well as drivers, owners, renters and passengers. This is a non-exhaustive list.