Article written by Adi Shoval
The European Data Protection Board (the “EDPB”) published its draft guidelines on the processing of personal data in the context of connected vehicles and mobility-related applications. The guidelines explain that connected vehicles generate an increasing volume of personal data relating to drivers or passengers, and therefore are considered “terminal equipment” subject to the ePrivacy Directive.
Under the ePrivacy Directive, prior consent of the user is required to process information of the user of the terminal equipment, unless the processing is strictly necessary to provide a service explicitly requested by the user.
The guidelines emphasize the importance of the data minimization principle, particularly when processing location data. The EDPB explains that such data may reveal the habits of data subjects, and therefore service providers and controllers should be particularly vigilant not to collect location data unless doing so is absolutely necessary for processing.
In addition, the guidelines recommend that manufacturers, service providers, and other data controllers should implement the GDPR requirement for privacy by design by using processes that do not involve personal data or the transfer of personal data outside the vehicle. The guidelines also state that users should be able to understand how their data is collected and processed, among others, by receiving notice about the processing in their preferred language, by having direct access to the data, and by being given the option to permanently delete the data before the vehicle is put up for sale.
CLICK HERE to read the EDPB guidelines.