Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Paragraph 1.3.1  Out of scope of this document

31. Employers providing company cars to members of their staff might want to monitor their employee’s actions (e.g., in order to ensure the safety of the employee, goods or vehicles, to allocate resources, to track and bill a service or to check working time). Data processing carried out by employers in this context raises specific considerations to the employment context, which might be regulated by labour laws at the national level that cannot be detailed in these guidelines.

32. Connected vehicles being radio-enabled systems, they are subject to passive tracking such as WiFi or Bluetooth tracking. In that sense they do not differ from other connected devices and fall in the scope of the ePrivacy directive which is currently being revised. This therefore excludes also large-scale tracking of WiFi equipped vehicles by a dense network of bystanders who use common smartphone location services. These routinely report all visible WiFi networks to central servers. Since built-in WiFi can be considered a secondary vehicle identifier, this risks a systematic ongoing collection of complete vehicle movement profiles in a third country.

33. Increasingly vehicles are equipped with image recording devices (e.g., car parking camera systems or dashcams). Since this deals with the issue of filming public places, which requires an assessment of the relevant legislative framework which is specific to each Member State, this data processing is out of scope.

34. The processing of data enabling Cooperative Intelligent Transport Systems (C-ITS) –as defined in the directive of the European Union 2010/40/EU has been dealt with in a specific opinion by the Article 29 Working Party. Through this opinion, the WP29 focused on specific use cases built for initial deployment and committed to assess at a later stage the new issues that will be undoubtedly raised when higher level of automation will be implemented. Since the data protection implications in the context of C-ITS are very specific (unprecedented amounts of location data, continuous broadcasting of personal data, exchange of data between vehicles and other road infrastructural facilities, etc.) and that it is still being discussed at the European level the processing of personal data in that context is out of scope.

35. Finally, this document does not aim to address all possible issues and questions raised by connected vehicles and can therefore not be considered as exhaustive.