In our first article on connected vehicles we explained about the personal data categories under the GDPR, and we went in more detail on the types of data that deserve your special attention in connected vehicles. In this second article we dive deeper into another aspect of the GDPR: the rights of individuals, also known as ‘data subject rights’.[1]

Under the GDPR, individuals are granted several rights that organizations should facilitate appropriately within the processing activities that involve the individual’s data. This article explains what data subject rights you should know about, but also how to manage these rights in connected vehicles. But before we explain how to manage these rights, we first focus on what these rights exactly are.

What are the data subject rights under the GDPR?

In connected vehicles, data subject rights should be respected at all times. Chapter 3 of the GDPR describes eight data subject rights:

1. The right to be informed: Individuals should be properly informed on the data processing activities in which their personal data is being processed.[2]
2. The right of access: Individuals may access and receive a copy of their personal data.[3]
3. The right to rectification: Individuals have the right to rectify or complete inaccurate personal data.[4]
4. The right to be forgotten (probably the most well-known right): Individuals have a right to have their personal data erased.[5]
5. The right to restrict processing: Individuals may request the restriction of processing of their personal data.[6]
6. The right to data portability: Individuals may obtain and reuse their personal data for their own purposes across different services and may therefore request a copy of their personal data.[7]
7. Right to object: Individuals have the right to object to data processing of their personal data in particular circumstances.[8]
8. Rights related to automated decision-making including profiling: Individuals have a right not to be subjected to solely automated based data processing.[9]

Additionally, it is good to understand that these data subject rights also include specific exceptions in the provided articles. For example, when an individual requests erasure of his/her data, but the organization should comply with a legal obligation that requires them to keep this data for a certain period.[10]

Regarding the management of data subject rights in connected vehicles, the European Data Protection Board found concerns that they address in their guidelines[11]. In our white paper ‘Connected Vehicles: How to create value and reduce costs while complying with the GDPR?’ this is explained in more detail.

Now that it is clear what the data subject rights are, we can focus on how to manage these rights in connected vehicles.

How can data subject rights be managed in connected vehicles?

Nowadays, many individuals are still clueless on what personal data are collected in connected vehicles. While this should be very clear to the individuals whose personal data is involved in the connected vehicle. The data subject rights, provided under the GDPR, should provide the individual the possibility to have more control over their data being processed. An important principle to note when it comes to data subject rights, is that individuals should have control over their data during the entire processing period. Meaning that they should have control from the moment the data is entered in the connected vehicle (the input), until the deliverance of a service (the output), such as using a music stream provider like Spotify in your car.

How can you then properly manage data subject rights in connected vehicles? A solution to this situation is to implemented a profile management system. Such a system can store the preferences of known drivers and allows them to change privacy settings at any time. Such a profile management system would be an efficient and effective way for individuals to inform them which data is processed, the location of the data storage, and how to restrict certain processing activities. It is also an effective way for individuals to choose to stop certain processing activities temporarily or permanently at any given time.

Another example of an efficient measure that can be implemented in connected vehicles is to introduce a delete button in the drivers’ dashboard. The European Data Protection Board emphasized, in its recent guidelines on connected vehicles, the importance of providing a quick and easy way to remove data. Think of deleting a phone book or deleting the GPS navigation history in the car before you return the car to the lease agency.[12]

How can you make sure that you comply with all the involved laws and regulations, including the GDPR? It is recommended to have a project approach to designing and implementing such measures together with all the colleagues that have the right knowledge and expertise for this specific project, including knowledge and expertise about how to implement privacy by design. The earlier privacy by design is applied within the project, the more costs it may save you in the long run. Properly applying privacy by design means that all the required components under the GDPR are assessed in an early stage. This is a great advantage compared to the situation in which you apply privacy by design in a later stage, which may result in expensive adjustments in the design and/or implementation process.

Summary

Data subject rights are still an underestimated topic in connected vehicles, but they are a highlighted topic under the GDPR and for supervisory authorities, like the European Data Protection Board. It is therefore important that automotive companies realize that it is necessary to have a proper understanding of what the data subject rights are, and how you can manage these rights in connected vehicles.

For a complete overview on how to manage GDPR activities in connected vehicles, download our white paper ‘Connected vehicles: How to create value and reduce costs while complying with the GDPR’.

[1] Article 13- 23 GDPR.

[2] Article 13-14 GDPR.

[3] Article 15 GDPR.

[4] Article 16 GDPR.

[5] Article 17 GDPR.

[6] Article 18 GDPR.

[7] Article 20 GDPR.

[8] Article 21 GDPR.

[9] Article 22 GDPR.

[10] Article 17(3)(b) GDPR.

[11] Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related

applications, Version 2.0, 9 March 2021.

[12] Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related

applications, Version 2.0, 9 March 2021, p. 23.