Data Strategy Briefing — EDPB issues connected vehicles data protection guidelines

The European Data Protection Board adopted Guidelines 1/2020 on data processing in connected vehicles and mobility applications, clarifying GDPR expectations for in-vehicle data minimization, consent, and security controls for OEMs and mobility providers.

Executive briefing: The EDPB Guidelines 1/2020 clarify how GDPR applies to connected vehicles and mobility apps. OEMs, insurers, fleet operators, and app developers must minimize personal data, define controller and processor roles, and use privacy-preserving architectures such as on-board processing and pseudonymization.

What changed

  • Guidance emphasizes default local processing and data separation to avoid unnecessary transmission of location and driver behavior data.
  • Explicit consent is required for most telematics and infotainment features beyond safety-critical processing; legitimate interest must be carefully balanced.
  • Recommendations call for strong authentication, vehicle reset controls for secondary owners, and encryption for over-the-air updates and telemetry.

Why it matters

  • Clarifies data retention, profiling, and sharing practices that often trip up GDPR compliance for connected vehicles and mobility services.
  • Highlights controller/processor allocation in complex supply chains that include OEMs, app developers, and third-party service providers.
  • Sets expectations for informed consent and dashboard-level user controls that product and UX teams must implement early.

Action items for operators

  • Map data flows for vehicle telemetry, infotainment, and mobile applications to confirm necessity, legal basis, and retention.
  • Implement on-board processing where feasible, with clear user controls for data sharing, reset features for secondary users, and strong key management for OTA updates.
  • Update contracts and privacy notices to reflect controller/processor roles and obtain explicit consent where required.