GDPR2019-12-05T08:02:20+02:00

Connected Car Data and GDPR

Managing connected car data from EU consumers

The European Union (EU) General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of the personal information of individuals within the EU. Since some of the data that’s generated from connected cars may be personal data, companies that collect and use this data must build processes and technology for GDPR compliance.

Clear Consent Management

The GDPR requires that consent for collecting information must be freely given and unambiguous, and not inferred from inaction. In addition, data collectors cannot condition providing goods or services based on a data subject’s (consumer’s) consent. The Otonomo Consent Management Hub provides our partners with one way to implement these requirements. However, data collection occurs under the terms of agreements between data subjects and their automotive OEMs and service providers.

Robust Data Anonymization

GDPR addresses “pseudonymous data,” which is information that no longer allows for the identification of an individual without additional information that is kept separate from it. Otonomo can support pseudonymous identifiers for certain use cases. The Otonomo Dynamic Anonymization Engine also applies multiple types of anonymization techniques to a range of data to protect driver privacy.

Frequently Asked Questions

What data does Otonomo collect that is considered “personal data” under GDPR?2019-07-09T08:04:58+03:00

Otonomo may collect two types of personal data from EU data subjects:

  • Personal data, which may include a vehicle identification number (VIN) or a data provider identifier that represents it, or location data.
  • Pseudonymous data: The Otonomo Platform uses hashed pseudonymous identifiers to recognize automotive data that’s ingested as coming from a single vehicle, regardless of consent status. Otonomo has further deployed an anonymization framework to securely process data for use cases that do not require personal automotive data. Doing so makes it practical to aggregate data points for use cases such as traffic, mapping, or smart city hot spot identification. We pseudonymize or anonymize data promptly upon collection, aggregate data for anonymous use case analytics, and promptly honor all opt-out requests.

Otonomo does not process special categories of data (“sensitive data”).

How does Otonomo obtain unambiguous consent for processing the data of EU data subjects?2019-07-09T07:34:31+03:00

Otonomo gets user consent (Grant/Revoke) directly from the OEMs or data providers and offers a centralized Consent Management Hub to support the consent process with data subjects.

Does Otonomo collect data about data subjects under the age of 16?2019-07-09T07:35:28+03:00

No, Otonomo does not knowingly collect data about data subjects under the age of 16.  

How can data consumers who leverage the Otonomo Platform demonstrate that they are GDPR compliant?2019-07-09T07:36:16+03:00

As part of the Otonomo terms of service, service providers that require personal data must comply with applicable requirements under GDPR. Otonomo will not provide any service provider with identifiable personal data unless we have received sufficient assurances of consent.

Each service provider needs to confirm that it is protecting such data under GDPR and that it will delete any personal data based on a revoke request by Otonomo or directly from the data subject.

How does Otonomo implement the Right to Access and Right to Rectification?2019-07-09T07:36:45+03:00

The Otonomo Consent Management Hub gives data subjects transparency into what data is shared with specific services. Because Otonomo only holds data that is automatically generated and collected from vehicles, the Right to Rectification is not relevant.

How does Otonomo implement the Right to Be Forgotten?2019-07-21T09:54:44+03:00

Data subjects may contact their OEMs, individual data providers, or Otonomo directly to make a request relating to their Right to Be Forgotten. Otonomo shall remove all data records related to that data subject from its storage and will request all data consumers who have received such data, all or in part, to delete it.

Contact Otonomo

Is Otonomo considered a data processor or a data controller as per GDPR?2019-07-09T07:38:07+03:00

Otonomo is a data controller.

How does Otonomo comply with GDPR principles, including lawful, fair, and transparent processing; purpose limitation; collection minimization; accuracy; storage limitation; integrity and confidentiality; and accountability?2019-07-09T07:39:04+03:00

These principles are all part of the Otonomo approach to privacy by design and are deployed in practice, through internal procedures and policies, our privacy policy, and our engagements with our partners. 

Does Otonomo have GDPR certification?2019-07-09T07:39:38+03:00

No such certification exists as of the writing of this document. When formally approved GDPR data protection certification mechanisms are introduced, pursuant to Articles 42 and 43 of GDPR, Otonomo will review and evaluate them.

Otonomo's Platform Features Consent Management and Dynamic Anonymization

Learn More