The first and foremost prerequisite to consume data is to register your company in Caruso Dataplace. Upon successful registration, we will provide you with a consumerId. Using your preferred access credentials, you can log in and explore our marketplace. Our platform provides access to data from major brands and vehicle manufacturers in Europe and you can find respective offers for data items or data packages on our marketplace.
In order to be able to consume data through the Caruso Marketplace, it is required that you make a subscription. A subscription determines the selected data items, the selected pricing option, the selected means for lawful processing of personal data, etc., and last but not least, the terms & conditions applicable for data delivery. Once you subscribe, a purchase agreement for data delivery has been made and you are now authorized to request data for your subscription using your API Key. You will also receive a subscriptionId, which you need to provide when requesting data.
- consumerId: A unique identifier for a data consumer.
- subscriptionId: A unique id for your selected data plan.
- API Key: A unique code required to call our API.
You can see examples of data requests in the API Reference section.
Lawfulness Processing of Data
In-Vehicle Data is considered personal data in Caruso. This means a legal basis for lawful processing of personal data has to be selected. Depending on the data supplier, more or less options for lawful processing of personal data are possible. And depending on the agreed lawful processing basis, consumers need to integrate their system with Caruso accordingly.
The following options for lawful processing are supported by Caruso:
- Consent (Synchronous, OAuth based): In this case, the provider supports the consent provisioning as it is described in the the Extended Vehicle standard (ISO 20078). It means the end-user (registered keeper) needs to provide consent in an OAuth flow. The detailed integration steps are described here: User Consent .
- Consent (Asynchronous): In this case, the end-user needs to provide consent directly to the data provider. To initiate the consent process, the consumer first needs to make a data request using the API. Afterwards consumers inform the end-users to provide consent to the data provider directly. Once the end-user does it, the consumer can retrieve data.
- Contract: In this case, the end-user is already involved in the contracting process with the data provider, data consumer, and Caruso. The consumer does not need to do technical integration here.
- Legitimate Interest: In this case, the consumer does not need any technical integration. If the provider and Caruso agree that the consumer is allowed to get data based on legitimate interest, consumers can get it without any technical integration for lawful means.
- Not Applicable: If the data items are no personal data or for some exceptional cases, users do not need to approve the data delivery, the consumer does not need to do any technical integration. This case is preferably used for testing purposes only with cars owned by the data consumer.
Implementing a technical integration for lawful processing is a prerequisite for data delivery. Once the lawful processing has been integrated into your solution, you can start asking your end users (registered keepers of the vehicles) to provide consent and then, and only then start collecting in-vehicle data from the connected vehicles.
Please note, for synchronous, Oauth-based consent, you as consumer can always check whether or not a consent has been given for a particular VIN using the Consent Check API.
Authentication and Authorization
Caruso Dataplace uses API keys to authenticate client requests. The API key is a secret key for the data consumer and should be handled with care. Since Caruso is a B2B marketplace an API key is only issued once for your company (i.e., we do not provide API keys to individual users). You will learn about your API Key once you have made your first subscription on the marketplace. The API key is used to make requests on behalf of your organization. In other words, it’s a shared key for all associated users of your company. The API Key constitutes sensitive information and it is highly recommended that best practices for storage of sensitive information are applied.
||The subscription id. Consumer receives this id upon subscribing for a plan offered by a provider.||42dea87e-1b56-4faa-b2ad-e47d6a1c71dd|
||The API-Key provided by Caruso Dataplace to your company.||4safllqhtmbo1c6ndq91obslogcmimob[…]|
Authorization of your requests to our API are done by our platform by checking the validity of the API Key and the subscription made by you. In case an invalid subscriptionId is given in the request header, or the subscriptionId is missing, it will cause your request to fail. Please have a look in our error handling for different authentication and authorization failure cases.