Pro­tec­tion of mobi­li­ty data: he who hesi­ta­tes is lost!

Auto­mo­ti­ve manu­fac­tu­rers and sup­pliers are not the only ones which rely on the pro­ces­sing of per­so­nal data: fleet ope­ra­tors, logistics com­pa­nies and shared mobi­li­ty ope­ra­tors do as well. But it is evi­dent from mul­ti­ple ongo­ing pro­cee­dings that com­ply­ing with the asso­cia­ted obli­ga­ti­ons poses a chal­len­ge for com­pa­nies. In a time when data pro­tec­tion aut­ho­ri­ties are focu­sing more and more on the pro­ces­sing of mobi­li­ty data, com­pli­an­ce with the GDPR is more important than ever for com­pa­nies in the industry.

Over­view of cur­rent data pro­tec­tion proceedings

  • Lower Saxony’s data pro­tec­tion aut­ho­ri­ty has impo­sed a fine in the amount of EUR 1.1 mil­li­on against Volks­wa­gen based on a few rather tri­vi­al vio­la­ti­ons of the GDPR in con­nec­tion with test dri­ves. For examp­le, one ser­vice pro­vi­der for­got to place a magne­tic board with data pro­tec­tion infor­ma­ti­on in the vehi­cle pri­or to a test drive.
  • Ano­t­her fine was impo­sed in Fran­ce, whe­re the French data pro­tec­tion aut­ho­ri­ty, CNIL, impo­sed a fine in in the amount of EUR 175,000 against a car sharing pro­vi­der. The aut­ho­ri­ty found that the com­pa­ny had collec­ted data from cus­to­mers which was not necessa­ry to accom­plish the pur­po­se of the pro­ces­sing. The com­pa­ny had recor­ded not only the vehi­cles’ loca­ti­on but also each time the engi­ne was tur­ned on and off, and each time the doors were ope­ned. CNIL also char­ged that the com­pa­ny had fai­led to dele­te the data.
  • In a Judgment of 17 Janu­a­ry 2022 (Case No. 6 K 1164/21.WI), the Admi­nis­tra­ti­ve Court of Wies­ba­den impo­sed strict requi­re­ments in data pro­tec­tion law for the pro­ces­sing of vehi­cle loca­ti­on data  and appro­ved the exten­si­ve mea­su­res being taken by the Hes­si­an data pro­tec­tion authority.
  • The Fede­ra­ti­on of Ger­man Con­su­mer Orga­niz­a­ti­ons [Ver­brau­cher­zen­tra­le Bun­des­ver­band] has filed suit against Tes­la befo­re the District Court of Ber­lin, asser­ting in its com­p­laint e.g. that the vehicle’s sen­try mode can­not be used in con­for­mance in data pro­tec­tion law in public spaces.
  • The data pro­tec­tion aut­ho­ri­ties in the Bal­tic Sta­tes have announ­ced a coör­di­na­ted inspec­tion of com­pli­an­ce with data pro­tec­tion law in con­nec­tion with short-term vehi­cle ren­tals, par­ti­cu­lar­ly e‑scooters.

Out­look and recom­men­ded actions

Given the­se deve­lo­p­ments, as well as the fact that, in its Coali­ti­on Agree­ment, the Ger­man government pro­po­ses to enact a mobi­li­ty data law which ensu­res com­pe­ti­tively neu­tral use of vehi­cle data as well as data sov­er­eig­n­ty for data sub­jects, it is to be expec­ted that data pro­tec­tion in con­nec­tion with mobi­li­ty data will con­ti­nue to be an area of focus for super­vi­so­ry aut­ho­ri­ties. Com­pa­nies which would like to avoid fines, pro­hi­bi­ti­on orders or other mea­su­res by the data pro­tec­tion aut­ho­ri­ties should the­re­fo­re exami­ne whe­ther and to what extent they are pro­ces­sing mobi­li­ty data and whe­ther the data they are pro­ces­sing inclu­des per­so­nal data. Doing so will allow them to take the necessa­ry data pro­tec­tion mea­su­res and docu­ment them.


Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.