The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

Connected vehicles

On March 9, 2021, the European Data Protection Board (EDPB), following the public consultation phase, adopted the final version (v.2.0) of Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications.

Given their broad scope, the Guidelines address and clarify aspects of general interest, i.e. aspects that also apply in other areas, which are summarized below.

Plurality of actors

The connected vehicle ecosystem covers a wide spectrum of stakeholders, including actors from the automotive industry as well as emerging players from the digital industry. Along with vehicle manufacturers, equipment manufacturers and automotive suppliers, car repairers and automobile dealerships, there are vehicle service providers, fleet managers, motor insurance companies, entertainment providers, telecommunication operators, road infrastructure managers and public authorities.

Each of these actors generally acts as an autonomous controller or joint controller, but there may also be situations in which some of them carry out processing operations on behalf of other controllers, in the position of processors.

Plurality of data subjects

Personal data collected and used in the connected vehicle ecosystem may relate to different categories of data subjects, such as drivers, owners, passengers and even strangers in the vicinity, e.g. those captured in images from cameras installed in the vehicle as part of the equipment of so-called black boxes for recording accident data (event data recorders).

Plurality of data types collected

The data collected and used are of the most varied types: they may concern information on engine performance, driving habits, places visited or distance covered, data on the wear and tear of vehicle parts, location data or data collected by video cameras, and potentially even the driver’s eye movements, heart rate or biometric data used to uniquely identify a specific individual.

Categories of data collected

Even if they are not directly linked to a name but refer to technical aspects and characteristics of the vehicle, the data collected by a connected vehicle still concern individuals (driver, passengers, third parties) and often allow their direct identification (such as the identity of the owner) or indirect identification, and therefore constitute “personal data”. In fact, even data that are not identifying in themselves can make it possible to trace an individual when they are combined with other data, and especially with the vehicle identification number (VIN).

Sensitive Data

The information in the connected vehicle ecosystem includes data of a sensitive nature, falling within the so-called special categories of data (art. 9 GDPR) and within the data relating to criminal convictions and offences (art. 10), for which the GDPR and the Privacy Code prescribe stricter rules. The former include biometric data and other highly personal data such as location data; the latter category covers data indicative of potential traffic violations, which are assimilated to GDPR Article 10 information and which may be processed by law enforcement authorities to detect speed limit violations or other offenses, in compliance with Directive 2016/680 and local implementing regulations. Specifically, with respect to information from which sanctionable violations may be inferred (such as a vehicle’s instantaneous speed data combined with exact location data), the EDPB recommends using local data processing over which the data subject has full control.

The level of sensitivity of the data, however, is a parameter for assessing the adequacy and effectiveness of the security measures intended to protect those data against illegitimate access, modification and deletion.