{"id":38137,"date":"2020-02-19T15:00:21","date_gmt":"2020-02-19T15:00:21","guid":{"rendered":"https:\/\/setterwalls.se\/article\/update-edpb-publishes-personal-data-guidelines-for-connected-vehicles-and-mobility-applications\/"},"modified":"2022-02-14T13:42:01","modified_gmt":"2022-02-14T13:42:01","slug":"update-edpb-publishes-personal-data-guidelines-for-connected-vehicles-and-mobility-applications","status":"publish","type":"articles","link":"https:\/\/setterwalls.se\/en\/article\/update-edpb-publishes-personal-data-guidelines-for-connected-vehicles-and-mobility-applications\/","title":{"rendered":"Update: EDPB publishes personal data guidelines for connected vehicles and mobility applications"},"content":{"rendered":"<p><strong>On the 7th of February, the European Data Protection Board (\u201cEDPB\u201d) published its Guidelines 1\/2020 on processing personal data with reference to connected vehicles and mobility related applications (the \u201cGuidelines\u201d) for public consultation. The Guidelines mainly concern non-professional use of connected vehicles and is directed towards several industry players, including for example vehicle manufacturers, equipment manufacturers suppliers and rental companies.<\/strong><\/p>\n<p>The Guidelines include:<\/p>\n<ul>\n<li><strong>Clarification that most data associated with connected vehicles will be considered personal data<\/strong>, including e.g. technical data regarding the vehicle\u2019s movement (speed, distance) as well as of the vehicle\u2019s condition (engine RPM, temperature etc.).<br \/>\u00a0<\/li>\n<li><strong>Guidance on the use of geolocation data<\/strong>, which according to the EDPB warrants special attention, since it may reveal private habits (with regard to e.g. religion, sexual orientation and a driver\u2019s personal interests). The use of geolocation data in connected vehicles should as a general rule be subject to several principles in order to mitigate privacy risks, such as:<br \/>&#8211;\u00a0the option to deactivate geolocation at any time,<br \/>&#8211;\u00a0defining limited storage periods,<br \/>&#8211;\u00a0activating geolocation only when the user launches a functionality that requires the vehicle\u2019s location to be known (i.e. no activation by default when the vehicle is started), and\u00a0adequate configuration of the frequency of access to and level of detail of geolocation data collected in relation to the purpose of the processing.<br \/>\u00a0<\/li>\n<li><strong>Guidance on the use of data revealing criminal offences <\/strong>or other infractions:<br \/>&#8211; Instantaneous speed data combined with precise geolocation data may be considered offence-related data which means that processing of such combined data may only be carried out under the control of an official authority or when authorised by Union or Member State law.<br \/>&#8211; EDPB does not consider that instantaneous speed data in itself constitutes offence-related data, but such data may however become offence-related depending on the context and the purpose of the processing.<br \/>\u00a0<\/li>\n<li><strong>Guidance on the use of biometric data<\/strong>, e.g. to enable access to a vehicle and a driver\u2019s profile.The processing of biometric data should comply with several principles, including for example:<br \/>&#8211; limited authentication attempts,<br \/>&#8211; storage of biometric template\/model in the vehicle in a state of the art encrypted form,<br \/>&#8211; adjustment of the biometric solution used shall be adapted to the security level of the required access control, and<br \/>&#8211; solely processing the raw data used to make up the biometric template for user authentication in real time, i.e. without being passively stored.<br \/>\u00a0<\/li>\n<li><strong>The EDPB\u2019s view with regards to when a data protection impact assessment (DPIA) should be performed.<\/strong> The EDBP\u2019s view is that such assessment will likely be necessary in situations where personal data is processed outside of the vehicle\u2019s systems (i.e. not only stored locally in the vehicle systems) and that best practice is to always, including when not required, perform a DPIA as early as possible in the design process.<br \/>\u00a0<\/li>\n<li><strong>Case studies<\/strong> on e.g. \u201cpay as you drive\u201d insurance, eCall and accidentology studies.<br \/>\u00a0<\/li>\n<li><strong>General recommendations<\/strong> with regard to anonymization, security measures and provision of information.<br \/>\u00a0<\/li>\n<li>\u200b<strong>Consent<\/strong> &#8211; The EDPB also stresses that the e-Privacy directive applies where relevant, and as a consequence consent must be obtained in many cases.<\/li>\n<\/ul>\n<p><strong>SETTERWALLS HAS ONE OF SWEDEN\u2019S LEADING TEAMS WITH EXPERTISE IN PRIVACY &amp; DATA PROTECTION RELATED MATTERS IN THE CONTEXT OF CONNECTED VEHICLES. PLEASE CONTACT US FOR ASSISTANCE AND WITH REGARDS TO EDPBS\u2019S RECOMMENDATIONS IN THE GUIDELINES.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>On the 7th of February, the European Data Protection Board (\u201cEDPB\u201d) published its Guidelines 1\/2020 on processing personal data with reference to connected vehicles and mobility related applications (the \u201cGuidelines\u201d) for public consultation. The Guidelines mainly concern non-professional use of connected vehicles and is directed towards several industry players, including for example vehicle manufacturers, equipment manufacturers suppliers and rental companies.<\/strong><\/p>\n<p>The Guidelines include:<\/p>\n<ul>\n<li><strong>Clarification that most data associated with connected vehicles will be considered personal data<\/strong>, including e.g. technical data regarding the vehicle\u2019s movement (speed, distance) as well as of the vehicle\u2019s condition (engine RPM, temperature etc.).<br \/>\u00a0<\/li>\n<li><strong>Guidance on the use of geolocation data<\/strong>, which according to the EDPB warrants special attention, since it may reveal private habits (with regard to e.g. religion, sexual orientation and a driver\u2019s personal interests). The use of geolocation data in connected vehicles should as a general rule be subject to several principles in order to mitigate privacy risks, such as:<br \/>&#8211;\u00a0the option to deactivate geolocation at any time,<br \/>&#8211;\u00a0defining limited storage periods,<br \/>&#8211;\u00a0activating geolocation only when the user launches a functionality that requires the vehicle\u2019s location to be known (i.e. no activation by default when the vehicle is started), and\u00a0adequate configuration of the frequency of access to and level of detail of geolocation data collected in relation to the purpose of the processing.<br \/>\u00a0<\/li>\n<li><strong>Guidance on the use of data revealing criminal offences <\/strong>or other infractions:<br \/>&#8211; Instantaneous speed data combined with precise geolocation data may be considered offence-related data which means that processing of such combined data may only be carried out under the control of an official authority or when authorised by Union or Member State law.<br \/>&#8211; EDPB does not consider that instantaneous speed data in itself constitutes offence-related data, but such data may however become offence-related depending on the context and the purpose of the processing.<br \/>\u00a0<\/li>\n<li><strong>Guidance on the use of biometric data<\/strong>, e.g. to enable access to a vehicle and a driver\u2019s profile.The processing of biometric data should comply with several principles, including for example:<br \/>&#8211; limited authentication attempts,<br \/>&#8211; storage of biometric template\/model in the vehicle in a state of the art encrypted form,<br \/>&#8211; adjustment of the biometric solution used shall be adapted to the security level of the required access control, and<br \/>&#8211; solely processing the raw data used to make up the biometric template for user authentication in real time, i.e. without being passively stored.<br \/>\u00a0<\/li>\n<li><strong>The EDPB\u2019s view with regards to when a data protection impact assessment (DPIA) should be performed.<\/strong> The EDBP\u2019s view is that such assessment will likely be necessary in situations where personal data is processed outside of the vehicle\u2019s systems (i.e. not only stored locally in the vehicle systems) and that best practice is to always, including when not required, perform a DPIA as early as possible in the design process.<br \/>\u00a0<\/li>\n<li><strong>Case studies<\/strong> on e.g. \u201cpay as you drive\u201d insurance, eCall and accidentology studies.<br \/>\u00a0<\/li>\n<li><strong>General recommendations<\/strong> with regard to anonymization, security measures and provision of information.<br \/>\u00a0<\/li>\n<li>\u200b<strong>Consent<\/strong> &#8211; The EDPB also stresses that the e-Privacy directive applies where relevant, and as a consequence consent must be obtained in many cases.<\/li>\n<\/ul>\n<p><strong>SETTERWALLS HAS ONE OF SWEDEN\u2019S LEADING TEAMS WITH EXPERTISE IN PRIVACY &amp; DATA PROTECTION RELATED MATTERS IN THE CONTEXT OF CONNECTED VEHICLES. PLEASE CONTACT US FOR ASSISTANCE AND WITH REGARDS TO EDPBS\u2019S RECOMMENDATIONS IN THE GUIDELINES.<\/strong><\/p>\n","protected":false},"author":1,"featured_media":34450,"template":"","meta":{"_acf_changed":false,"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":""},"article_category":[1039],"class_list":["post-38137","articles","type-articles","status-publish","has-post-thumbnail","hentry","article_category-it-law-and-data-protection"],"acf":[],"_links":{"self":[{"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/articles\/38137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/articles"}],"about":[{"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/types\/articles"}],"author":[{"embeddable":true,"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/users\/1"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/media\/34450"}],"wp:attachment":[{"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/media?parent=38137"}],"wp:term":[{"taxonomy":"article_category","embeddable":true,"href":"https:\/\/setterwalls.se\/en\/wp-json\/wp\/v2\/article_category?post=38137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}