Earlier this year, following its public consultation, the European Data Protection Board (EDPB) approved its guidelines on the processing of personal data in the context of connected vehicles and mobility related applications (here).

Why are these guidelines needed?

In the guidelines, the EDPB notes that “vehicles are becoming massive data hubs” and “connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers or passengers”. Interestingly, the EDPB is also of the opinion that “[e]ven if the data collected by a connected car are not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car.” To illustrate this latter point, the EDPB lists the following types of data that would fall within this category: speed, distance travelled, engine coolant temperature, engine RPM and tyre pressure. This is a broad interpretation of what constitutes ‘personal data’ under the General Data Protection Regulation (GDPR).

Some of the risks of processing personal data in the context of connected vehicles include:

  1. Not adequately informing all data subjects that their personal data is being processed. More often, it is only the driver or owner who is provided with the required transparency information;
  2. Ensuring that a data subject’s consent qualifies as valid consent under the GDPR – consent needs to be considered in the context of personal data processing under the GDPR and in relation to the ePrivacy Regulations as it is likely that information will be stored or accessed in terminal equipment;
  3. Legitimately handling any additional processing of personal data not contemplated by the initial collection e.g. for the purposes of law enforcement;
  4. Collecting excessive amounts of personal data due to the vehicle manufacturer’s desire to use such data to develop new functionality; and
  5. The increased security risks due to the number of different types of technology used in connected vehicles (e.g. wi-fi, USB, RFID).

Continue Reading Processing personal data in the context of connected vehicles

The Article 29 Working Party (“WP29”) recently published an opinion on data processing at work (“Opinion”).

The Opinion restates the position and conclusions in WP29’s 2001 Opinion on processing personal data in the employment context (WP48), and its 2002 WP55 Working Document on the surveillance of electronic communications in the workplace. However, it addresses the need for a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees, because of risks posed by advancements in modern technologies since the other documents were published.

The Opinion is primarily concerned with the Data Protection Directive 95/46/EC (“DPD”), so employers should continue to take account of the fundamental principles of the DPD when processing personal data in an employment context. Technological developments and new methods of processing have not changed this position.

The Opinion also looks towards the “new” obligations placed on all controllers, including employers, under the General Data Protection Regulation 2016/679 (“GDPR”) – including data protection by design, the need to carry out Data Protection Impact Assessments for high-risk processing, and any specific national rules that are introduced pursuant to Article 88 relating to processing employees’ personal data.

WP29 has considered various scenarios in the Opinion which describe how certain technologies might be used to process personal data in the workplace, and the points that employers should consider. Some of these include:
Continue Reading Article 29 Working Party releases detailed opinion on data processing in the workplace

This post was written by Cynthia O’Donoghue.

In the midst of a rapid increase in the availability and accuracy of facial recognition technology in recent years, the Article 29 Working Party adopted in March this year Opinion 02/2012, highlighting the data protection considerations on the use of facial recognition technology in services such as

The UK Information Commissioner’s Office (“ICO”) released recommendations advising organisations to ensure that the data held regarding individuals is thoroughly and securely searchable so they can meet their obligations under the Data Protection Act 1998 (“DPA”). The ICO also clarified when companies can be classified as data controllers. The recommendations came through three sets of