Lawful Processing of Data
In-Vehicle Data is considered personal data in CARUSO. This means a legal basis for lawful processing of personal data must be in place for data consumption. Depending on the kind of vehicle and also depending on the data supplier, more or less options for lawful processing of personal data are possible. And depending on the agreed lawful processing basis, consumers need to integrate their system with CARUSO accordingly.
- Individual Vehicle: Any vehicle owned, leased, or used by one or more individuals or a family.
- Fleet Vehicle: Any vehicle owned or leased by a business, government agency, or other organization rather than by one or more individuals or family. In some jurisdictions and countries, fleet vehicle may also mean a vehicle that is privately owned by employees, or on novated leases, but is being mainly used for work or commercial purposes.
Lawful Processing of Data for Individual Vehicles
The following options for lawful processing of data for individual vehicles are supported by CARUSO:
- Consent (Synchronous, OAuth based): ): In this case, the provider supports the consent provisioning as it is described in the Extended Vehicle standard (ISO 20078). It means the end user (registered keeper) needs to provide consent in an OAuth flow. The detailed integration steps are described here: User Consent.
- Consent (Asynchronous): In this case, the end user needs to provide consent directly to the data provider. To initiate the consent process, the consumer first needs to make a data request using the API. Afterwards consumers inform the end users to provide consent to the data provider directly. Once the end user does it, the consumer can retrieve data.
- Contract: In this case, the end user is already involved in the contracting process with the data provider, data consumer, and CARUSO. The consumer does not need to do technical integration here.
- Legitimate Interest: In this case, the consumer does not need any technical integration. If the provider and CARUSO agree that the consumer is allowed to get data based on legitimate interest, consumers can get it without any technical integration for lawful means.
- Not Applicable: If the data items are no personal data or for some exceptional cases, users do not need to approve the data delivery, the consumer does not need to do any technical integration. This case is preferably used for testing purposes only with cars owned by the data consumer.
Implementing a technical integration for lawful processing is a prerequisite for data delivery. Once the lawful processing has been integrated into your solution, you can start asking your end users (registered keepers of the vehicles) to provide consent and then, and only then start collecting in-vehicle data from the connected vehicles.
Please note, for synchronous, Oauth-based consent, you as consumer can always check whether or not a consent has been given for a particular VIN using the Consent Check API.
Lawful Processing of Data for Fleet Vehicles
The following options for lawful processing of data for fleet vehicles are supported by CARUSO:
- Contract: : In this case, CARUSO and the consumer sign a Data Delivery Agreement for fleet vehicles. Vehicles joining the fleet are allocated to a subscription for fleet vehicles. The vehicles joining and leaving the fleet must be provided truthfully by the consumer. The consumer is obligated to keep the documentation of the vehicles in Data Delivery up-to-date at all times. The consumer must particularly ensure that they are authorized to do so. At CARUSO’s request, the consumer must provide documentary evidence to this effect. A process will be defined jointly between the Consumer and CARUSO to handle this.
- Legitimate Interest: If the Data Supplier and CARUSO agree that the consumer is allowed to get data based on legitimate interest, consumers can get it without any technical integration for lawful means.
For fleet vehicles, the consumer does not need to do any technical integration.