The European Data Protection Board has issued final guidelines on connected vehicles, making few changes from the draft it issued for public comment and leaving a big to-do list for OEMs and other stakeholders.

  • Data collected by a connected car is personal data even if it is linked not directly to a name but to technical aspects and features of the vehicle, because it still concerns the driver or the passengers of the car.
  • A car is terminal equipment, and you need consent for collecting data under the ePrivacy Directive unless an exception applies.
  • You need a separate legal basis under GDPR for further processing, but in many cases that would be consent too.
  • You need to operationalize transparency but it won’t be easy.
  • You need to operationalize consent: that won’t be easy either.
  • You must implement data protection by design and by default.
  • A connected vehicle is a type of Internet of Things (IoT) device. As such, it is prone to the same information security concerns as IoT devices, but with potentially greater stakes.

Full details in this OneTrust Data Guidance article.