Consent: in obtaining consent for data use, companies cannot use indecipherable terms and conditions filled with legalese. It must be as easy to withdraw consent as it is to give it.
Breach notification: In the event of a data breach, data processors have to notify their controllers and customers of any risk within 72 hours.
Right to Access: Drivers have the right to obtain confirmation from a data controller of whether their personal data is being processed. The Data controller should provide an electronic copy of personal data for free to data subjects.
Right to be forgotten: When data is no longer relevant to its original purpose, drivers can request that the data controller erases their personal data and ceases its dissemination.
Data portability: Allows drivers to obtain and reuse their personal data for their own purposes by transferring it across different IT environments.
Privacy by design: Calls for the inclusion of data protection from the onset of designing systems, by implementing appropriate technical and infrastructural measures.
Data protection Officers: Professionally qualified officers must be appointed by public authorities, or organizations that engage in large scale (>250 employees) systematic monitoring or processing of sensitive personal data. In Arval each country entity has nominated a highly qualified employee to manage requests regarding GDPR.