Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Section 1.4  Definitions

36. The processing  of personal data encompasses any operation that involves personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, etc.

37. The data subject is the natural person to whom the data covered by the processing relate. In the context of connected vehicles, it can, in particular, be the driver (main or occasional), the passenger, or the owner of the vehicle.

38. The data controller is the person who determines the purposes and means of processing that take place in connected vehicles. Data controllers can include service providers that process vehicle data to send the driver traffic-information, eco-driving messages or alerts regarding the functioning of the vehicle, insurance companies offering “Pay As You Drive” contracts, or vehicle manufacturers gathering data on the wear and tear affecting the vehicle’s parts to improve its quality. Pursuant to art.26 GDPR, two or more controllers can jointly determine the purposes and means of the processing and thus be considered as joint controllers. In this case, they have to clearly define their respective obligations, especially as regards the exercising of the rights of data subjects and the provision of information as referred to in art.13 and 14 GDPR.

39. The data processor is any person who processes personal data for and on behalf of the data controller. The data processor collects and processes data on instruction from the data controller, without using those data for its own account. As an example, in a number of cases, equipment manufacturers and automotive suppliers may process data on behalf of vehicle manufacturers (which does not imply they cannot be a data controller for other purposes). In addition to requiring data processors to implement appropriate technical and organisational measures in order to guarantee a security level that is adapted to risk, e.g. art.28 GDPR sets out data processors’ obligations.

40. The recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. As an example, a commercial partner of the service provider that receives from the service provider personal data generated from the vehicle is a recipient of personal data. Whether they act as a new data controller or as a data processor, they shall comply with all the obligations imposed by the GDPR.

41. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. As an example, law enforcement authorities are authorised third parties when they request personal data as part of an investigation in accordance with European Union or Member State law.