Telematics and Data Protection in the EU

The market for telematics devices and applications is booming. Networked vehicle technologies and telematics services merge and shape the future of the automotive industry – and our lives. While these innovations will undoubtedly bring incredible opportunities and benefits, we are also breaking new ground in terms of data security and data protection.

As a symbol of the economy of the 20th century, the automobile is one of the mass consumer goods that has influenced society as a whole. Associated with the concept of freedom, cars are often seen as more than just a means of transportation.

Indeed, they represent a private area where people can enjoy a form of decision-making autonomy without encountering outside interference. Today, as connected vehicles move into the mainstream, such a vision no longer corresponds to reality.

Fleet connectivity is increasing

Connectivity in the vehicle is growing rapidly, from luxury and premium brands to high-volume mid-market models, and vehicles are becoming massive data hubs. Not only vehicles, but also drivers and passengers are becoming more and more connected.

In fact, many models that have been launched in the past few years integrate sensors and connected on-board devices that can collect and record data such as engine performance, driving habits, places visited and possibly even the driver's eye movements, pulse or other biometric data for authentication or identification.

This data processing takes place in a complex ecosystem that is not limited to the traditional players in the automotive industry, but is also shaped by the emergence of new players in the digital economy. These new players can offer infotainment services such as online music, road conditions and traffic information, or offer driver assistance systems and services such as autopilot.

Software, vehicle condition updates and usage-based insurance

Since the vehicles are connected to one another via electronic communication networks, the road infrastructure companies and telecommunications operators involved in this process also play an important role in the possible processing of the personal data of drivers and passengers.

In addition, connected vehicles are generating ever larger amounts of data, most of which can be considered personal data because it relates to drivers or passengers. Even if the data collected from a connected vehicle is not directly related to a name but to technical aspects and features of the vehicle, it affects the driver or the occupants of the vehicle.

The spread of IoT technology brings unprecedented opportunities. Indeed, it is quite easy to understand why telematics has become essential in fleet management. The telematics devices of the automotive industry offer many advantages for commercial fleets.

What is the General Data Protection Regulation in Europe?

The General Data Protection Regulation (GDPR) defines which data counts as personal data of people in the EU and governs its use, referred to as "processing", which includes collection, storage, transmission or use.

Personal data

The key concept in the GDPR is personal data. Essentially, this is all data that can or could be associated with an identifiable human being. This includes data that could be abstracted using unique identifiers such as number plates and/or other device identifiers.

If someone can identify a person based on the data, the data must be considered personal data, even if the actual identification is not carried out at all. It is important to note that the presence of personal data does not mean that it cannot be used, only that the GDPR applies and certain conditions must be met.

Business Insights vs. personal matters

There are two categories of data that need to be treated separately: vehicle data and personal data. In short, this data provides unique business insights for efficient fleet management. Both are crucial, but for different reasons.

The monitoring of a moving system by GPS tracking devices and the on-board diagnosis can be viewed as vehicle data. Vehicle data can provide a global overview of the entire organization. This data is used to improve security for personnel, vehicles and freight and can be a significant lever against the competition.

On-board services are also an excellent source of security metrics. By analyzing driver behavior, the overall safety of the fleet can be significantly improved. But – there always seems to be a "but" – this involves a large amount of personal data.

However, dealing with information relating to drivers, i.e. private individuals, is a sensitive issue for several reasons. It also raises a number of questions – questions that have never been addressed before regarding storage, processing and protection.

Whoever owns the data can decide how and for what purposes they use it – and monetize the information. At first glance, the whole controversy about who can sell the data and get the big money would go away if we could answer a basic question: Whose data is it?

Car makers argue that the data belongs to the company that owns the device that produces the data. Telecommunications and IT companies, as well as players in the telematics services industry, could argue that data belongs to the entity that provides the technology for extracting and processing data.

Fleet managers understandably claim that the data belongs to the company that produces it. At this point, however, drivers may have to add one or two things.

Key elements in the General Data Protection Regulation

Like previous privacy laws and regulations, the GDPR aims to protect the interests and rights of individuals while their data is used for various purposes to serve the interests of others, for economic benefit or for the public good. The GDPR is therefore of great importance for consideration in the work environment.

Here we present some of the important new elements of the GDPR that require special attention from customers. The main changes in the new regulation that will come into force:

After all, data about or relating to a person reflects their identity, behavior and preferences: that's what we are. The GDPR stipulates that individuals must be fully informed in advance of what is happening to their data: what data is used, why it is used, how long it is used and by whom it is used.

They must also be able to influence this, for example by granting permission, by a contract and, with some restrictions, by being able to prevent the use of their data on request.

Accountability and risk based approach

If you as a company decide what happens to the data of individuals, you must assume this responsibility and be able to demonstrate that you are doing it properly, respecting the rights of the individual and the GDPR.

In everything you do with data, you need to consider the risks to the data subject. This requires documentation of your activities regarding data and the reasons for processing this data.

The GDPR stipulates that a (part-time) data protection officer must be appointed to monitor this if you reach the threshold provided for in the GDPR (e.g. if your core activity involves the surveillance of people on a large scale).

Central contact point for regulators

The GDPR was written to standardize the existing and different data protection laws in the EU. This could be seen as a plus for multinational companies, especially those whose vehicles cross borders.

It could also mean that if you run a multinational company across the EU, you are dealing with only one regulatory authority: that of the country where your head office is located. Individuals can also contact the regulator in their own country.

Stricter security requirements

The GDPR stipulates that the data is protected against any kind of unauthorized use, based on an assessment of the sensitivity of the data. Location data is considered sensitive because it can reveal a lot about the person. All of this requires technical and organizational security measures to reduce the risks.

If these measures fail and cause a security incident, the GDPR stipulates that the authorities will be notified within 72 hours, depending on the severity. At this point, all "data subjects", i.e. persons to whom this data relates, should be informed if it is assumed that the incident will have a significant impact on them.


The GDPR grants the data protection authorities various enforcement powers. One of these powers is the ability to impose fines for non-compliance. The GDPR stipulates that such penalties can amount to up to 4% of the global annual revenue per incident, depending on the seriousness of the actual violation of the GDPR.

More general elements of the General Data Protection Regulation that remain from the previous law

The GDPR stipulates that personal data can be used for one or more predefined purposes.

These must be clearly and specifically described. The individual must be able to understand what a purpose means. A person should be able to answer the question: "Does this use case really fit the purpose?"

Suitable for purpose & type, volume and time restrictions

The GDPR stipulates that personal data are "provided with rights" in terms of the type, scope and duration of storage based on the defined purpose. Therefore, the processing of personal data requires a well-written, user-friendly explanation.

Like a manual, not like a contract. Of course, the declaration must be available to the people before you start using their data and must remain available to them.

In order to be able to process personal data lawfully, the GDPR requires a valid legal basis. Six legal bases are available for processing.

According to point 6, the GDPR also provides that personal data can be processed without a declaration of consent if you have a legitimate interest in it.

Typically, this refers to the detection of fraud, abuse, security issues and business analysis. This can also apply to the work environment and relate to situations that are not covered by the employment contract, such as the various purposes for which vehicle telematics is used.

However, in these cases, only the minimum data necessary for the purpose should be collected (to minimize the impact on the right to privacy of the individual) and it should be ensured that this data collection complies with the GDPR.

The GDPR grants individuals rights when their data is processed. The GDPR provides access to the data and enables data subjects to view the data and to receive a copy of it. If the data is incorrect, they can request a correction.

These persons also have the right to receive a machine-readable copy of the data and to have their data deleted if it was received and used based on their consent or in connection with the execution of a contract.

Protect confidentiality, integrity and availability with good security measures

Personal data must be kept securely in accordance with the GDPR. That is, well protected against unauthorized and unlawful access, use and loss.

According to the GDPR, this must be done on the basis of a risk assessment that continuously leads to suitable technical and organizational measures. These are the technical and organizational measures that must be carried out and maintained for this purpose.

Personal data: careful handling

Despite gaps, there is considerable legislative effort to keep up with technological developments. When it comes to the legal aspects of data processing, it is not ownership but access that is most important.

As for property, the line between intellectual property rights and copyright is blurred. To make things even more frustrating, matters become more complicated still when it comes to personal data: the rights of individuals are subject to strict data protection regulations.

Any organization that processes data from EU residents must comply with the provisions of the EU General Data Protection Regulation (GDPR), regardless of where its headquarters, offices or servers are located.

And the GDPR is not interested in the slightest in property issues: property rights are not even defined in the preamble. The sole aim of the regulation is to define and manage the rights associated with the data of individuals.

Monitoring the activities and behavior of the drivers to predict and prevent accidents – and thus improve the efficiency of the fleet and the safety of the personnel – sounds like a sufficiently innocent and rational interest for both parties, i.e. the driver and the fleet managers. It's also obvious why the topic is so delicate.

However, the pros and cons of tracking drivers' activities are beyond the scope of this article. Our point is that this information is subject to data protection and has legal consequences.