Auto­no­mous vehic­les: more legal cer­tain­ty with regard to data protection

Auto­no­mous dri­ving is made pos­si­ble by pro­ces­sing lar­ge amounts of per­so­nal data. But in accordance with the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR), data pro­ces­sing is only lawful if the­re is a legal basis for the pro­ces­sing. The ques­ti­on as to which legal basis could app­ly in the case of auto­no­mous dri­ving was dis­cus­sed in con­nec­tion with the legis­la­ti­ve pro­ce­du­re for the Auto­no­mous Dri­ving Act. The Fede­ral Minis­try of Trans­port and Digi­tal Infra­struc­tu­re has now issued an Ordi­nan­ce regu­la­ting the ope­ra­ti­on of motor vehic­les with auto­ma­ted and auto­no­mous dri­ving func­tions and amen­ding pro­vi­si­ons of road traf­fic law (the “Ordi­nan­ce”) (PDF only in Ger­man), in which it spe­ci­fies cer­tain key aspects of data pro­tec­tion law. This is of importance for both manu­fac­tu­r­ers and sup­pli­ers, who play a key role in the imple­men­ta­ti­on of data pro­tec­tion requirements.

Data pro­ces­sing by the vehic­le owner

In accordance with the GDPR, data pro­ces­sing is lawful e.g. if the pro­ces­sing takes place in order to com­ply with a legal obli­ga­ti­on. Such an obli­ga­ti­on can be found in § 1g(1) and (2) (only in Ger­man) of the Road Traf­fic Act and has now been spe­ci­fied by the Ordi­nan­ce. Under this sta­tu­te, owners of auto­no­mous vehic­les are requi­red to store cer­tain per­so­nal data, such as e.g. posi­tio­nal data and speeds, rela­ting to cer­tain inci­dents, and to trans­mit this data e.g. to the Fede­ral Motor Trans­port Aut­ho­ri­ty upon request. Such inci­dents include e.g. acci­dents, unin­ten­ded lane chan­ges and eva­si­ve maneu­vers. The owner is requi­red to store this data from the time that the event occurs (e.g. an acci­dent) until the time that the vehic­le is retur­ned to a con­di­ti­on of mini­mal risk.

Duties for manu­fac­tu­r­ers and suppliers

In accordance with § 1g(3) of the Road Traf­fic Act (only in Ger­man), manu­fac­tu­r­ers of auto­no­mous vehic­les are requi­red to crea­te the tech­ni­cal con­di­ti­ons neces­sa­ry for sto­rage of data by the owner. In par­ti­cu­lar, they are requi­red to adhe­re to the prin­ci­ples of privacy-friendly tech­ni­cal design, as well as taking appro­pria­te tech­ni­cal and orga­niza­tio­nal mea­su­res for the pro­tec­tion of per­so­nal data. In addi­ti­on, the safe­ty con­cept pro­vi­ded in § 12 of the Ordi­nan­ce includes per­for­mance of a data pro­tec­tion impact assess­ment. The new requi­re­ments do not app­ly to sup­pli­ers direct­ly, but they will have a strong indi­rect impact, sin­ce manu­fac­tu­r­ers will be requi­red to ensu­re that sup­pli­ed com­pon­ents meet the requi­re­ments of data pro­tec­tion law over their enti­re sup­p­ly chain. As a gene­ral rule, manu­fac­tu­r­ers will pass on the requi­re­ments app­ly­ing to them in their con­tracts with sup­pli­ers, sin­ce the tech­ni­cal equip­ment for the­se vehic­les is pro­vi­ded at least in part by modu­le and sys­tem sup­pli­ers. The­se com­pa­nies, typi­cal­ly Tier 1 sup­pli­ers, have the neces­sa­ry tech­ni­cal exper­ti­se due to their pro­xi­mi­ty to the pro­duct and may the­r­e­fo­re be con­trac­tual­ly requi­red to com­ply with the­se duties.


The Ordi­nan­ce spe­ci­fies the data pro­tec­tion requi­re­ments for auto­no­mous vehic­les and crea­tes more legal cer­tain­ty for manu­fac­tu­r­ers and sup­pli­ers. This should gene­ral­ly be regard­ed as a wel­co­me deve­lo­p­ment. But at the same time, it crea­tes many new data pro­tec­tion requi­re­ments for manu­fac­tu­r­ers and, indi­rect­ly, for sup­pli­ers as well. As is so often the case, balan­ced for­mu­la­ti­on of con­tracts and sophisti­ca­ted com­pli­ance manage­ment are indis­pensable in order to imple­ment the­se new requi­re­ments in a stra­te­gic and sus­tainable manner.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.