Data Strategy Briefing — EDPB issues connected vehicles data protection guidelines
The European Data Protection Board adopted Guidelines 1/2020 on data processing in connected vehicles and mobility applications, clarifying GDPR expectations for in-vehicle data minimization, consent, and security controls for OEMs and mobility providers.
Executive briefing: The EDPB Guidelines 1/2020 clarify how GDPR applies to connected vehicles and mobility apps. OEMs, insurers, fleet operators, and app developers must minimize personal data, define controller and processor roles, and use privacy-preserving architectures such as on-board processing and pseudonymization.
What changed
- Guidance emphasizes default local processing and data separation to avoid unnecessary transmission of location and driver behavior data.
- Explicit consent is required for most telematics and infotainment features beyond safety-critical processing; legitimate interest must be carefully balanced.
- Recommendations call for strong authentication, vehicle reset controls for secondary owners, and encryption for over-the-air updates and telemetry.
Why it matters
- Clarifies the data retention, profiling, and sharing practices that frequently cause GDPR compliance problems for connected vehicles and mobility services.
- Highlights controller/processor allocation in complex supply chains that include OEMs, app developers, and third-party service providers.
- Sets expectations for informed consent and dashboard-level user controls that product and UX teams must implement early.
Action items for operators
- Map data flows for vehicle telemetry, infotainment, and mobile applications to confirm necessity, legal basis, and retention.
- Implement on-board processing where feasible, with clear user controls for data sharing, reset features for secondary users (so a previous owner's data does not persist in the vehicle), and strong key management for OTA updates.
- Update contracts and privacy notices to reflect controller/processor roles and obtain explicit consent where required.