General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) - Are you prepared?

Each company with company vehicles – whether they are benefit cars, service cars and vans or pool cars – owns and collects data about these vehicles. So does each of their service providers, such as leasing companies, garages, fuel companies or tire shops. Because we live in a digitized world, more and more cars are equipped with telematics systems, and from 31st March 2018 they will be equipped with a mandatory emergency call functionality. Various companies collect and work with different data streams to manage a company fleet. But what do all these companies have to do to ensure that they are compliant with the new General Data Protection Regulation?

Why introduce a new data protection regulation?

Companies store more and more highly sensitive customer information, drawn from various sources, which can be used to study the driver’s behavior and performance. For example: where the driver has paid for fuel, which addresses are stored in the on-board navigation system, contract data used to manage and adjust the car contract, accident data, possibly alcohol or drug abuse, fines, etc. Leasing companies process the personal data of the drivers on behalf of the customers. Such data carries significant risk if it is stolen and abused. Because everything is becoming more and more digital, a new data protection regulation was necessary. This leads us to expect that it will be a mandatory question in each new tender whether the leasing company is “GDPR approved”.

What is GDPR?

The General Data Protection Regulation specifies how consumer data should be used and protected. GDPR was officially adopted by the European Parliament in April 2016. Following a two-year pre-adoption period, it will become enforceable throughout the EU in May 2018.

It applies to everyone involved in processing data about individuals in the context of selling goods and services to citizens in the EU, regardless of whether the organization is located within the EU or not.

Who does GDPR apply to?

GDPR goes with the residence: if a company collects data relating to an EU resident, GDPR applies to the company regardless of where it is physically located. This also includes companies in Switzerland or Norway if they have employees who are resident in the EU. In Switzerland, a new federal data protection law is currently in draft; it is intended to strengthen the rights of individuals. Companies domiciled in Switzerland are subject to Swiss data protection law.

Data controller and data processor?

A data controller is what it sounds like: it is the company which controls the data that it receives. The company makes the decisions as to what is going to happen with the data; it is the company that collects the data and determines how it is to be used.

A data processor processes data on behalf of a controller. For example, it is normal for drivers with a company car to call the leasing company when they are involved in an accident or when they need advice on how to configure a new car in line with the company car policy. To provide this service, it is necessary that the leasing company, the insurance company and the garage collect and process data from the driver of the car.

What are the major requirements?

Consent: In obtaining consent for data use, companies cannot use indecipherable terms and conditions filled with legalese. It must be as easy to withdraw consent as it is to give it.

Breach notification: In the event of a data breach, data processors have to notify their controllers and customers of any risk within 72 hours.

Right to access: Drivers have the right to obtain confirmation from a data controller of whether their personal data is being processed. The data controller should provide an electronic copy of the personal data to data subjects free of charge.

Right to be forgotten: When data is no longer relevant to its original purpose, drivers can request that the data controller erases their personal data and ceases its dissemination.

Data portability: Allows drivers to obtain and reuse their personal data for their own purposes by transferring it across different IT environments.

Privacy by design: Calls for the inclusion of data protection from the onset of designing systems, by implementing appropriate technical and infrastructural measures.

Data protection officers: Professionally qualified officers must be appointed by public authorities, or by organizations that engage in large-scale (>250 employees) systematic monitoring or processing of sensitive personal data. At Arval, each country entity has nominated a highly qualified employee to manage requests regarding GDPR.

What happens if the law is broken?

Organizations can be fined up to EUR 20 million or 4% of their global turnover, whichever is greater.

Don’t panic: What companies should do

Documentation is a must: companies should start to document who collects, owns and processes which kind of data. Then they should ask the drivers of the company vehicles to give their written consent. They should also ask the leasing company to guarantee (GDPR cover) that it erases all private driver data at the end of the contract, unless the driver gets a new company car. And the company should share the contact information of the leasing company’s data protection officer with their drivers.

Quick checklist to prepare yourself:

  1. Documentation:
    It’s a must to have an overview of which kind of data is stored, where it is stored and by whom it is processed. This data register must be kept up to date and be available for audits or requests by employees.

  2. Data protection assessments:
    If the company stores highly sensitive data, for example bank account details, fines and penalties, social security numbers or medical certificates (e.g. for a lumbar support), the company will be required to perform data protection assessments.

  3. Adequate security level:
    To ensure that there is an adequate level of security, the company must implement the necessary measures to protect personal data.

  4. Communication and privacy data terms of use:
    Check all kinds of communications and terms of use to ensure that they are GDPR compliant. Make sure that the data processors who work on behalf of the company have done the same (a written confirmation is essential).

  5. Data breach registration and notification:
    Implement a system to record, track and communicate data breaches to customers and drivers.

  6. Data protection officer:
    A data protection officer should be appointed and the officer’s contact details communicated to drivers.

Do you have any questions about the GDPR? We will be happy to provide you with information in person.

Malte Lindberg
Head of Consulting & CVO
