Auto­no­mous vehi­cles: more legal cer­tain­ty with regard to data protection

Auto­no­mous dri­ving is made pos­si­ble by pro­ces­sing lar­ge amounts of per­so­nal data. But in accordance with the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR), data pro­ces­sing is only law­ful if the­re is a legal basis for the pro­ces­sing. The ques­ti­on as to which legal basis could app­ly in the case of auto­no­mous dri­ving was dis­cus­sed in con­nec­tion with the legis­la­ti­ve pro­ce­du­re for the Auto­no­mous Dri­ving Act. The Federal Minis­try of Trans­port and Digi­tal Infra­st­ruc­tu­re has now issued an Ordi­nan­ce regu­la­ting the ope­ra­ti­on of motor vehi­cles with auto­ma­ted and auto­no­mous dri­ving func­tions and amen­ding pro­vi­si­ons of road traf­fic law (the “Ordi­nan­ce”) (PDF only in Ger­man), in which it spe­ci­fies cer­tain key aspects of data pro­tec­tion law. This is of impor­t­ance for both manu­fac­tu­rers and sup­pliers, who play a key role in the imple­men­ta­ti­on of data pro­tec­tion requirements.

Data pro­ces­sing by the vehi­cle owner

In accordance with the GDPR, data pro­ces­sing is law­ful e.g. if the pro­ces­sing takes place in order to com­ply with a legal obli­ga­ti­on. Such an obli­ga­ti­on can be found in § 1g(1) and (2) (only in Ger­man) of the Road Traf­fic Act and has now been spe­ci­fied by the Ordi­nan­ce. Under this sta­tu­te, owners of auto­no­mous vehi­cles are requi­red to store cer­tain per­so­nal data, such as e.g. posi­tio­nal data and speeds, rela­ting to cer­tain inci­dents, and to trans­mit this data e.g. to the Federal Motor Trans­port Aut­ho­ri­ty upon request. Such inci­dents inclu­de e.g. acci­dents, unin­ten­ded lane chan­ges and evas­i­ve maneu­vers. The owner is requi­red to store this data from the time that the event occurs (e.g. an acci­dent) until the time that the vehi­cle is retur­ned to a con­di­ti­on of mini­mal risk.

Duties for manu­fac­tu­rers and suppliers

In accordance with § 1g(3) of the Road Traf­fic Act (only in Ger­man), manu­fac­tu­rers of auto­no­mous vehi­cles are requi­red to crea­te the tech­ni­cal con­di­ti­ons necessa­ry for sto­rage of data by the owner. In par­ti­cu­lar, they are requi­red to adhe­re to the princi­ples of privacy-friendly tech­ni­cal design, as well as taking appro­pria­te tech­ni­cal and orga­niz­a­tio­nal mea­su­res for the pro­tec­tion of per­so­nal data. In addi­ti­on, the safe­ty con­cept pro­vi­ded in § 12 of the Ordi­nan­ce inclu­des per­for­mance of a data pro­tec­tion impact assess­ment. The new requi­re­ments do not app­ly to sup­pliers direct­ly, but they will have a strong indi­rect impact, sin­ce manu­fac­tu­rers will be requi­red to ensu­re that sup­plied com­pon­ents meet the requi­re­ments of data pro­tec­tion law over their ent­i­re sup­ply chain. As a gene­ral rule, manu­fac­tu­rers will pass on the requi­re­ments app­ly­ing to them in their con­tracts with sup­pliers, sin­ce the tech­ni­cal equip­ment for the­se vehi­cles is pro­vi­ded at least in part by modu­le and sys­tem sup­pliers. The­se com­pa­nies, typi­cal­ly Tier 1 sup­pliers, have the necessa­ry tech­ni­cal exper­ti­se due to their pro­xi­mi­ty to the pro­duct and may the­re­fo­re be con­trac­tual­ly requi­red to com­ply with the­se duties.


The Ordi­nan­ce spe­ci­fies the data pro­tec­tion requi­re­ments for auto­no­mous vehi­cles and crea­tes more legal cer­tain­ty for manu­fac­tu­rers and sup­pliers. This should gene­ral­ly be regar­ded as a wel­co­me deve­lo­p­ment. But at the same time, it crea­tes many new data pro­tec­tion requi­re­ments for manu­fac­tu­rers and, indi­rect­ly, for sup­pliers as well. As is so often the case, balan­ced for­mu­la­ti­on of con­tracts and sophisti­ca­ted com­pli­an­ce manage­ment are indis­pensable in order to imple­ment the­se new requi­re­ments in a stra­te­gic and sus­tainab­le manner.


Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.