EU GDPR and Fleet Management
Are fleet managers affected by the EU General Data Protection Regulation (GDPR)? The answer is clearly yes! However, the situation is very complex.
The GDPR covers all data generated by a car in a fleet. This is because the German Association of Vehicle Manufacturers (VDA) and the German Data Protection Authority consider all data related to a vehicle identification number (VIN) to be personal data, and the GDPR covers personal data.
Within a fleet, however, there are owners, keepers and drivers – usually all different. The owner is either the leasing company or the company providing the car itself. The keeper is often the company the car is registered to, although the keeper can sometimes also be the leasing company or the company providing the car. There can be one assigned driver, as in the case of company cars, or multiple assigned drivers, as with pool cars.
Responsibilities of the Fleet Manager
Under the GDPR, all of the following can be considered personal data:
- Data regarding when and where a car was sent for inspection or repair
- Telematics data
- Diagnostic data
- Navigation data
- Telecommunication data
The fleet manager, as the data controller, must inform the affected individual, that is, the assigned driver, about the collection and processing of data in simple, plain language. If the acquisition of data is not directly required for management of the fleet, the fleet manager might have to obtain consent.
Regardless of whether consent is required, data must be stored in a way that protects the individual’s rights when they request information or ask for data to be corrected, transferred or deleted. Therefore, the fleet manager must ensure that the data is stored in a structured manner and only for the time and the purpose for which it is needed.
Should consent be obtained universally?
Not necessarily. A vehicle will contain a great deal of data that is required to manage the fleet. Once the car is de-fleeted, this data will have to be deleted or anonymized. One of the main principles of the GDPR is data reduction — data should only be stored when it is needed. Therefore, always obtaining consent to gather data is a strategy that can backfire.
How SGS can help
To help automotive dealers comply with GDPR, we provide a suite of services through our management system, GDPRonline. In addition, our onsite consultants will help dealers perform self-assessments, identify gaps and set up action plans.
For further information, please contact:
Global Head of Field Services
t: +49 6128 74873 812
m: +49 172 7648658