Pro­tec­tion of mobi­li­ty data: he who hesi­ta­tes is lost!

Auto­mo­ti­ve manu­fac­tu­r­ers and sup­pli­ers are not the only ones which rely on the pro­ces­sing of per­so­nal data: fleet ope­ra­tors, logi­stics com­pa­nies and shared mobi­li­ty ope­ra­tors do as well. But it is evi­dent from mul­ti­ple ongo­ing pro­cee­dings that com­ply­ing with the asso­cia­ted obli­ga­ti­ons poses a chall­enge for com­pa­nies. In a time when data pro­tec­tion aut­ho­ri­ties are focu­sing more and more on the pro­ces­sing of mobi­li­ty data, com­pli­ance with the GDPR is more important than ever for com­pa­nies in the industry.

Over­view of cur­rent data pro­tec­tion proceedings

  • Lower Saxony’s data pro­tec­tion aut­ho­ri­ty has impo­sed a fine in the amount of EUR 1.1 mil­li­on against Volks­wa­gen based on a few rather tri­vi­al vio­la­ti­ons of the GDPR in con­nec­tion with test dri­ves. For exam­p­le, one ser­vice pro­vi­der for­got to place a magne­tic board with data pro­tec­tion infor­ma­ti­on in the vehic­le pri­or to a test drive.
  • Ano­ther fine was impo­sed in France, whe­re the French data pro­tec­tion aut­ho­ri­ty, CNIL, impo­sed a fine in in the amount of EUR 175,000 against a car sha­ring pro­vi­der. The aut­ho­ri­ty found that the com­pa­ny had coll­ec­ted data from cus­to­mers which was not neces­sa­ry to accom­plish the pur­po­se of the pro­ces­sing. The com­pa­ny had recor­ded not only the vehic­les’ loca­ti­on but also each time the engi­ne was tur­ned on and off, and each time the doors were ope­ned. CNIL also char­ged that the com­pa­ny had fai­led to dele­te the data.
  • In a Judgment of 17 Janu­ary 2022 (Case No. 6 K 1164/21.WI), the Admi­nis­tra­ti­ve Court of Wies­ba­den impo­sed strict requi­re­ments in data pro­tec­tion law for the pro­ces­sing of vehic­le loca­ti­on data  and appro­ved the exten­si­ve mea­su­res being taken by the Hes­si­an data pro­tec­tion authority.
  • The Fede­ra­ti­on of Ger­man Con­su­mer Orga­niza­ti­ons [Ver­brau­cher­zen­tra­le Bun­des­ver­band] has filed suit against Tes­la befo­re the Dis­trict Court of Ber­lin, asser­ting in its com­plaint e.g. that the vehicle’s sen­try mode can­not be used in con­for­mance in data pro­tec­tion law in public spaces.
  • The data pro­tec­tion aut­ho­ri­ties in the Bal­tic Sta­tes have announ­ced a coor­di­na­ted inspec­tion of com­pli­ance with data pro­tec­tion law in con­nec­tion with short-term vehic­le ren­tals, par­ti­cu­lar­ly e‑scooters.

Out­look and recom­men­ded actions

Given the­se deve­lo­p­ments, as well as the fact that, in its Coali­ti­on Agree­ment, the Ger­man govern­ment pro­po­ses to enact a mobi­li­ty data law which ensu­res com­pe­ti­tively neu­tral use of vehic­le data as well as data sove­reig­n­ty for data sub­jects, it is to be expec­ted that data pro­tec­tion in con­nec­tion with mobi­li­ty data will con­ti­nue to be an area of focus for super­vi­so­ry aut­ho­ri­ties. Com­pa­nies which would like to avo­id fines, pro­hi­bi­ti­on orders or other mea­su­res by the data pro­tec­tion aut­ho­ri­ties should the­r­e­fo­re exami­ne whe­ther and to what ext­ent they are pro­ces­sing mobi­li­ty data and whe­ther the data they are pro­ces­sing includes per­so­nal data. Doing so will allow them to take the neces­sa­ry data pro­tec­tion mea­su­res and docu­ment them.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.