Fleets reminded of GDPR obligations for personal data in vehicles

Privacy4Cars is reminding fleets, leasing companies and dealerships about their General Data Protection Regulation (GDPR) responsibilities.

It has published a new white paper and legal analysis that clarifies GDPR obligations to delete personal data in vehicles, particularly navigation and smartphone data.

It outlines the roles and responsibilities of certain processors when it comes to data deletion. It also clarifies the need for a documented procedure, robust process and relevant software to be used, relying on the knowledge and judgement of individuals is unlikely to meet requirements to demonstrate GDPR compliance.

Andrea Amico, founder and CEO of Privacy4Cars, said: “This white paper is incredibly important to the readership of Fleet News. 

“For fleets, it outlines a simple imperative to align policies and practices with what is required under GDPR: you must delete the personal data.

“For fleet management companies, it outlines their need to offer a robust data deletion service ‘without further delay’, or they will become liable themselves.

“For other service providers, it explains that sometimes ‘doing something – e.g. ask inspectors to delete data on a best effort basis, without tools - is actually worse than ‘doing nothing’, because it adds costs, conveys a false sense of security, and does not mitigate regulatory, civil, and brand risks.”

The white paper includes the legal opinion of Aidan Eardley KC, which emphasises the importance of understanding data protection responsibilities for vehicles, particularly focusing on personal data left on vehicle systems when a business is involved in a vehicle’s change of ownership or even just possession.

He said: “Upon return of the vehicle, it seems to me, the hiring company will become the controller of any personal data stored on the vehicle’s systems, and the only thing that it can lawfully do with those data is delete them.

“If it re-lets the vehicle without doing so, such that the next hirer can see the previous hirer’s personal data, then there will be a strongly arguable case that the hirer has processed the data in contravention of the Art 5(1) principles.”

To download the white paper, click here.