← Back to all briefings
Data Strategy 5 min read Published Updated Credibility 91/100

EDPB issues connected vehicles data protection guidelines

Your car knows more about you than you think. The EDPB just spelled out how GDPR applies to connected vehicles—and the bar is high. OEMs, insurers, and app developers need to minimize data collection, process locally when possible, and get explicit consent for most telematics features. Default settings should protect privacy, not exploit it.

Kodi C.

Editor & Research Lead

Fact-checked and reviewed — Kodi C.

Data strategy pillar illustration for Zeph Tech briefings
Data strategy, stewardship, and privacy briefings

Your car is watching you. It knows where you go, how you drive, when you brake hard, and now, who is in the driver's seat. The European Data Protection Board noticed this trend and on January 28, 2020, published guidelines that spell out how GDPR applies to connected vehicles. If you are an OEM, insurer, fleet operator, or anyone building apps that tap into vehicle data, the bar for compliance is higher than you might think.

The privacy problem with modern vehicles

Connected vehicles generate data continuously—location history that reveals where you work, live, and visit; driving behavior that indicates risk profiles and personal habits; biometric data from driver monitoring systems; even communication data from hands-free calling. Individually, each data point might seem innocuous. Combined, they create detailed profiles of individuals' lives.

The EDPB recognized that even seemingly technical data—tire pressure, fuel consumption, maintenance alerts—can become personal data when combined with identifiers or patterns that link back to specific individuals. Your car does not need to store your name to reveal information about you.

The guidelines apply broadly: vehicle manufacturers (OEMs), equipment suppliers, insurance companies offering telematics-based policies, fleet management operators, mobility service providers, and third-party app developers. If you are touching vehicle data, you need to understand your obligations under GDPR—and the EDPB has now clarified what those obligations look like in practice.

Here's where connected vehicle providers often stumble: the EDPB emphasizes that explicit consent is required for most telematics and infotainment features beyond safety-critical processing. "Legitimate interest" as a legal basis faces high scrutiny—you need documented assessments demonstrating necessity and proportionality, and the EDPB cautions against over-reliance on this basis for data-intensive processing.

Consent must be freely given, specific, informed, and unambiguous. That means vehicle interfaces need to provide clear mechanisms for users to understand what data is collected, how it will be used, and with whom it will be shared. Buried consent language in 40-page owner's manuals does not cut it. And withdrawing consent must be as easy as giving it—no technical or procedural barriers designed to discourage users from exercising their rights.

Safety-critical functions like emergency call systems (eCall) can rely on legal obligations as their basis. But you cannot stretch safety justifications to cover general telematics collection that primarily serves commercial purposes. The line between "safety data" and "marketing data" must be clear and defensible.

Privacy by design is not optional

The guidelines emphasize default local processing and data separation to avoid unnecessary transmission of location and driver behavior data. Privacy by design means thinking about data protection from the earliest stages of vehicle and service development—not retrofitting privacy controls after systems are built.

Technical measures should implement data minimization by processing data locally on the vehicle wherever possible. If external processing is necessary, transmit aggregated or anonymized information rather than raw data. Apply pseudonymization to transmitted data and encrypt everything in transit and at rest.

Default settings should favor privacy protection. New vehicles should not automatically enable extensive data sharing; users should actively choose to enable data transmission beyond safety-critical functions. This represents a significant shift from the current industry norm of opt-out data collection.

Secondary users matter too. When vehicles change hands, new owners need to be able to reset vehicle data and establish their own privacy preferences without inheriting previous users' configurations. The car's memory of where the previous owner parked overnight is not the new owner's business.

Who is responsible for what in complex supply chains?

Connected vehicle data flows through complex ecosystems involving multiple parties. The guidelines clarify controller and processor allocation: vehicle manufacturers typically act as controllers for data processed through their connected vehicle systems, even when processing is performed by suppliers. You cannot outsource compliance responsibility through vendor contracts.

Third-party app developers connecting to vehicle systems may be independent controllers, joint controllers with OEMs, or processors depending on the nature of their data access and processing purposes. Clear agreements must establish these roles before apps integrate into vehicle ecosystems. Ambiguity about who is responsible creates compliance gaps that regulators will eventually find.

Fleet operators and insurance companies receiving vehicle data must have appropriate legal bases for their processing and transparent relationships with data subjects. If you are an insurer collecting telematics data for risk pricing, the driver needs to understand what you are collecting, why, and how it affects their premiums.

Security requirements go beyond standard IT practices

The guidelines call for strong authentication mechanisms for vehicle access and data retrieval, vehicle reset controls for secondary owners, and encryption for over-the-air updates and telemetry transmission. Security measures must address unique challenges of connected vehicle environments, including extended device lifecycles and limited update capabilities.

Vehicles remain in service for 10-15 years—far longer than typical IT asset lifecycles. Security architectures must account for threats that emerge years after vehicles ship. Over-the-air update mechanisms need cryptographic integrity verification to prevent unauthorized modifications, but they also need to work reliably across vehicle lifetimes.

Access controls should implement least privilege principles. Audit logging should record access to personal data for security monitoring. These are not novel requirements, but applying them to vehicle environments requires adapting familiar IT security concepts to automotive realities.

What this means for your connected vehicle strategy

  • Map data flows for vehicle telemetry, infotainment, and mobile applications. Document necessity, legal basis, and retention for each data category.
  • Implement on-board processing where feasible. Process locally, transmit summaries, anonymize before sharing.
  • Design user interfaces that make consent genuinely informed. Clear explanations, granular controls, easy withdrawal.
  • Update contracts and privacy notices to reflect controller and processor roles accurately across your supply chain.
  • Build privacy controls into vehicle development from the start—retrofitting is expensive and often ineffective.
  • Plan for secondary users. Vehicle reset capabilities and privacy preference inheritance matter for compliance and customer trust.
  • Conduct Data Protection Impact Assessments for high-risk processing, especially location tracking and behavior profiling.

Connected vehicles represent one of the most data-intensive consumer products in existence. The EDPB guidelines make clear that GDPR applies fully to this data, with high expectations for consent, data minimization, transparency, and security. Organizations that take these requirements seriously will build customer trust while avoiding the regulatory scrutiny that is now focused on vehicle data privacy.

More on this topic

Further reading from our research library.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Data Strategy Operating Model Guide

    Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…

  • Data Interoperability Engineering Guide

    Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.

  • Data Stewardship Operating Model Guide

    Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…

Coverage intelligence

Published
Coverage pillar
Data Strategy
Source credibility
91/100 — high confidence
Topics
GDPR · Connected vehicles · Data minimization · Privacy by design · Automotive data
Sources cited
3 sources (edpb.europa.eu, gdpr-info.eu)
Reading time
5 min

Source material

  1. Guidelines 1/2020 on processing personal data in the context of connected vehicles — European Data Protection Board
  2. EDPB Guidelines and Recommendations — EDPB
  3. GDPR - General Data Protection Regulation — European Union
  • GDPR
  • Connected vehicles
  • Data minimization
  • Privacy by design
  • Automotive data
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.