Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

Paragraph 2.1.3  Data revealing criminal offenses or other infractions

64. It is possible that personal data from connected vehicles could reveal the commitment of a criminal offence or other infraction (“offence-related data”) and therefore be subject to special restrictions. For instance, the instantaneous speed of a vehicle combined with precise geolocation data or data indicating that the vehicle crossed a white line could be considered offence-related data. As a result, processing of such data can only be carried out under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects as stated in art.10 GDPR. The EDPB considers that instantaneous speed is, not on its own, offence-related data since it does not, by itself, reveal an offence given that speed restrictions vary by location. However, such data could nevertheless become offence-related data because of the purpose for which it is collected (e.g., for the purposes of investigating and prosecuting criminal offence), in which case the safeguards set out in art.10 GDPR would apply.

65. In order to process data that relate to potential criminal offences, EDPB recommends to resort to the local processing of the data where the data subject have full control over the processing in question (see discussion on local processing above, in section 2.1). Indeed – except for some exceptions (see the case study on accidentology studies presented below in section 3.2) – external processing of data revealing criminal offences or other infractions is forbidden. Thus, according to the sensitivity of the data, strong security measures such as those described in section 2.7 must be put in place in order to offer protection against the illegitimate access, modification and deletion of those data.