Connected Car Data and GDPR
Managing connected car data from EU consumers
The European Union (EU) General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of the personal information of individuals within the EU. Since some of the data that’s generated from connected cars may be personal data, companies that collect and use this data must build processes and technology for GDPR compliance.
Clear Consent Management
The GDPR requires that consent for collecting information must be freely given and unambiguous, and not inferred from inaction. In addition, data collectors cannot condition providing goods or services based on a data subject’s (consumer’s) consent. The Otonomo Consent Management Hub provides our partners with one way to implement these requirements. However, data collection occurs under the terms of agreements between data subjects and their automotive OEMs and service providers.
Robust Data Anonymization
GDPR addresses “pseudonymous data,” which is information that no longer allows for the identification of an individual without additional information that is kept separate from it. Otonomo can support pseudonymous identifiers for certain use cases. The Otonomo Dynamic Anonymization Engine also applies multiple types of anonymization techniques to a range of data to protect driver privacy.
Frequently Asked Questions
Otonomo may collect two types of personal data from EU data subjects:
- Personal data, which may include a vehicle identification number (VIN) or a data provider identifier that represents it, or location data.
- Pseudonymous data: The Otonomo Platform uses hashed pseudonymous identifiers to recognize automotive data that’s ingested as coming from a single vehicle, regardless of consent status. Otonomo has further deployed an anonymization framework to securely process data for use cases that do not require personal automotive data. Doing so makes it practical to aggregate data points for use cases such as traffic, mapping, or smart city hot spot identification. We pseudonymize or anonymize data promptly upon collection, aggregate data for anonymous use case analytics, and promptly honor all opt-out requests.
Otonomo does not process special categories of data (“sensitive data”).
Otonomo gets user consent (Grant/Revoke) directly from the OEMs or data providers and offers a centralized Consent Management Hub to support the consent process with data subjects.
No, Otonomo does not knowingly collect data about data subjects under the age of 16.
As part of the Otonomo terms of service, service providers that require personal data must comply with applicable requirements under GDPR. Otonomo will not provide any service provider with identifiable personal data unless we have received sufficient assurances of consent.
Each service provider needs to confirm that it is protecting such data under GDPR and that it will delete any personal data based on a revoke request by Otonomo or directly from the data subject.
The Otonomo Consent Management Hub gives data subjects transparency into what data is shared with specific services. Because Otonomo only holds data that is automatically generated and collected from vehicles, the Right to Rectification is not relevant.
Data subjects may contact their OEMs, individual data providers, or Otonomo directly to make a request relating to their Right to Be Forgotten. Otonomo shall remove all data records related to that data subject from its storage and will request all data consumers who have received such data, all or in part, to delete it.
Otonomo is a data controller.
No such certification exists as of the writing of this document. When formally approved GDPR data protection certification mechanisms are introduced, pursuant to Articles 42 and 43 of GDPR, Otonomo will review and evaluate them.