At a time when you sync your smartphone with your vehicle, track the last parking spot of your motorcycle, or command your car to adjust specific settings when you are inside, it is hard to imagine vehicles that do not process personal data. Connected vehicles are becoming the standard, and IoT technology turns vehicles into massive data hubs that store and transmit large amounts of personal data. This means not only that the amount of data processed is increasing, but also that state-of-the-art technology allows us to collect more sensitive information, like biometric data.
So how are companies in the automotive industry able to introduce their connected vehicles to the market, and at the same time make sure that the personal data involved is handled with the utmost care in compliance with the General Data Protection Regulation (GDPR)? It is no surprise that many companies in the automotive industry struggle to determine what they can and cannot do within the boundaries of the GDPR. To answer that question, you first have to understand which personal data deserves special attention, and for that it is crucial to understand the different personal data categories under the GDPR.
The GDPR makes a distinction between several categories of personal data. It is important to become acquainted with these categories, since they might result in different security measures or another applicable legal basis when processed in connected vehicles. That is why we shall have a look at the different categories first.
Special categories of personal data
This category contains:
As you can see, the GDPR makes an important distinction between ‘the processing of data revealing’ and the ‘processing of’ data. This ‘special data’ category is considered to be very sensitive in nature, and therefore requires a higher level of protection. The GDPR states that it is prohibited to process data that falls under this category unless you can rely on one of the exceptions in the GDPR.[2]
Criminal convictions and offenses
The GDPR states that personal data relating to criminal convictions and offenses should only be processed either by official authorities, or where Union or Member State law allows the processing of this data category. Needless to say, data in this category is also considered to be more sensitive, which is why it is important to have appropriate safeguards in place to protect it.[3]
National identification numbers
When it comes to national identification numbers, the GDPR leaves room for EU Member States to determine what conditions apply. This is done in legislation at a national level, which means this may differ per country in the European Union. Therefore, you should always be cautious when national identification numbers are processed.
Regular personal data
This category of personal data consists of all the data that does not strictly fall under one of the categories described above. However, it is advisable to think logically and assess the sensitivity of all regular personal data that is processed, to make sure the right measures are implemented to protect it. Compare, for example, an individual’s name with an individual’s financial data. Logically, a person’s financial data is more sensitive and should be adequately protected when processed.[4]
Relating to the more sensitive categories described above, there are three types of data that deserve your special attention when it comes to processing data in connected vehicles: biometric data, location data, and data that could reveal criminal offenses or traffic violations.
Biometric data
Biometric data refers to unique physical or behavioral characteristics that can be used to identify a person. The GDPR prohibits, in principle, the processing of biometric data “for the purpose of uniquely identifying a natural person”[5], unless you can rely on one of the exceptions provided in the GDPR[6]. Furthermore, the GDPR provides the possibility for EU Member States to introduce further conditions for biometric data.[7]
This type of data deserves your special attention since biometric data is obviously used in connected vehicles for the purpose of uniquely identifying an individual. Currently, people can access their vehicle with their fingerprint, their saved driver’s profile settings, etc. The use of biometric data is becoming more and more common.
However, if you want to process that data in a GDPR-compliant manner, it is crucial to understand that you should respect certain principles and security measures. One key measure is to store and compare the biometric template locally and in encrypted form, instead of through an external reading or comparison terminal. Another preferred measure is to limit authentication attempts to increase the security of the biometric data.[8]
Location data
Another type of data that is most often used in connected vehicles is location data. This data is particularly sensitive because it can reveal the life habits of individuals. With location data you can easily see an individual’s journey to their home, work, family and/or friends. Location data might even reveal an individual’s religious beliefs when they travel, for example, to a church or mosque, which means you are processing a special category of data for which specific obligations apply under the GDPR.
For this reason, it is recommended to not collect location data at all, and instead to use gyroscope technology to fulfill the same function without collecting location data. However, if you really need to collect location data, there are certain principles to follow, such as the possibility to deactivate your location at any given time, or the possibility to define a limited storage period for the location data.[9]
Data revealing criminal offenses or traffic violations
When driving or riding, a connected vehicle sensor might indicate that the vehicle crossed a white line or exceeded the speed limit. In this way criminal offenses or traffic violations might be revealed. However, as we have read in the previous paragraphs, criminal convictions and offenses may only be processed either by official authorities, or where Union or Member State law allows the processing.[10]
To prevent this data from being revealed to unauthorized parties, it is recommended to take strict security measures to adequately protect it, for example by giving the individual involved full control over the processing of this type of data.[11] But you can also think of ensuring data integrity, by using a state-of-the-art encryption algorithm for the communication channels, and by having an encryption-key management system that is unique for every vehicle.[12]
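The per-vehicle key idea can be sketched as follows. This is an added example, not code from the article or from the cited guidelines: it assumes a fleet master secret held by the backend, derives one key per vehicle with HKDF-SHA256, and authenticates each telemetry message with HMAC-SHA256 (integrity only; confidentiality would come from TLS or an AEAD cipher on the channel). All names and sample values are hypothetical.

```python
import hashlib
import hmac

# Constructed demo secret; a real fleet master secret would live in an HSM/KMS.
DEMO_MASTER = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TAG_LEN, SEQ_LEN = 32, 8

def hkdf_sha256(secret: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def vehicle_key(master: bytes, vehicle_id: str) -> bytes:
    """One key per vehicle: leaking it exposes that vehicle only, not the fleet."""
    return hkdf_sha256(master, salt=b"fleet-telemetry-v1", info=vehicle_id.encode())

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = 8-byte sequence number | payload | HMAC tag over both."""
    header = seq.to_bytes(SEQ_LEN, "big")
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()

def open_message(key: bytes, message: bytes, last_seq: int):
    """Return (seq, payload), or None if the tag is wrong or the frame is replayed."""
    if len(message) < SEQ_LEN + TAG_LEN:
        return None
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    seq = int.from_bytes(body[:SEQ_LEN], "big")
    if seq <= last_seq:  # reject replayed or reordered frames
        return None
    return seq, body[SEQ_LEN:]

if __name__ == "__main__":
    key_a = vehicle_key(DEMO_MASTER, "DEMO-VEHICLE-A")  # constructed vehicle IDs
    key_b = vehicle_key(DEMO_MASTER, "DEMO-VEHICLE-B")
    frame = seal(key_a, 1, b'{"event":"lane_departure"}')
    print("vehicle A key accepts:", open_message(key_a, frame, 0))
    print("vehicle B key accepts:", open_message(key_b, frame, 0))
```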
The amount of sensitive personal data that is collected and processed by connected vehicles is ever increasing. It is important that companies have tailored security levels in place for the different categories of personal data. In this article we explained how you can determine which categories of data are important to you and need special measures. In our next article we will discuss the individual’s rights, also known as data subject rights under the GDPR, and the individual’s control of personal data in connected vehicles.
[1] Article 9(1) GDPR.
[2] Article 9(2) GDPR.
[3] Article 10 GDPR.
[4] Article 87 GDPR.
[5] Article 9(1) GDPR.
[6] Article 9(2) GDPR.
[7] Article 9(4) GDPR.
[8] Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications, Version 2.0, 9 March 2021, p. 16-17.
[9] Idem, p. 15-16.
[10] Article 10 GDPR.
[11] Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications, Version 2.0, 9 March 2021, p. 17.
[12] Idem, p. 23-24.