GDPR telematics

Category: Telematics · Reviewed by Amy Price, Account Executive · Last reviewed 2026-06-10

The GDPR analysis of telematics is the structured application of UK General Data Protection Regulation Articles 5, 6, 9, 13, 14, 22, 25, 32 and 35 to motor telematics processing — covering lawful basis, special-category data, transparency, automated decision-making, by-design protections, security and impact assessment.

Category: Telematics
Aliases: UK GDPR telematics, telematics lawful basis, telematics Article 6, telematics DPIA
Established: UK GDPR effective 1 January 2021; DPA 2018 in force 25 May 2018
Related: Telematics privacy regulation, UK GDPR, Data Protection Act 2018, Driver scoring

Definition

GDPR telematics analysis is the practical mapping of UK GDPR obligations onto motor telematics. The exercise is purpose-specific: the same dataset may be processed for several purposes (rating, claims, fraud, marketing), each requiring a separate lawful basis, transparency notice section and retention rule.

Legal and regulatory basis

Article 5 — principles

Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability. In telematics, data minimisation (5(1)(c)) is acute: collection of cabin audio, contact lists, infotainment search history or biometric data is rarely necessary for insurance purposes. Storage limitation (5(1)(e)) is operational: raw GPS is typically retained for the limitation period relevant to claims, with aggregated derivatives retained longer for rating.

Article 6 — lawful basis

For an insurance contract:

The Information Commissioner's Office has cautioned against relying on consent where the data is operationally required to provide the policy: consent that the customer cannot refuse without losing the product is not freely given, and a later withdrawal of consent would leave the processing without a basis mid-contract.

Article 9 — special category data

Journey data can reveal special category data: repeated stops at a place of worship (religious or philosophical beliefs); attendance at a trade union meeting (union membership); attendance at a clinic (health). The controller should design out such inferences where possible, for example by not retaining fixes at sensitive locations and by scoring on trip-level features rather than coordinates; where inference is unavoidable, an Article 9(2) condition is required, most often explicit consent under 9(2)(a) or the substantial public interest condition (9(2)(g)) read with Schedule 1 to the DPA 2018 (Part 2, paragraph 20 covers insurance purposes).

Articles 13 and 14 — transparency

Privacy notices must explain the categories of data collected, the lawful bases, the recipients (including telematics suppliers, fraud-prevention bureaux such as the Insurance Fraud Bureau, claims handlers), retention, the existence of automated decision-making and Article 22 safeguards. Where a third-party device-fitter handles the data, the chain must be documented.

Article 22 — automated decisions

Cancellation, refusal to renew or a material price change made solely by automated means on the basis of a score, with no meaningful human review, falls within Article 22. The permissible bases under 22(2) are necessity for the contract, authorisation by domestic law (the UK GDPR wording; the DPA 2018 sets the accompanying safeguards), or explicit consent. The Article 22(3) safeguards, the right to obtain human intervention, to express a point of view and to contest the decision, must be operationalised in the underwriting and cancellation workflow, not merely stated in the privacy notice.

Article 25 — by design and default

By-design controls include local scoring (computing the score on-device so that only the result, not the fix history, is transmitted), aggregation windows (trip- or week-level features in place of point-by-point data), pseudonymisation of device identifiers with the key held apart from the data store, suppression of fixes at sensitive locations, and retention defaults that expire raw data automatically rather than on request.
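The Article 9 and Article 25 points above, as an added Python example that is not part of this wiki entry and not any insurer's or telematics supplier's code: a keyed pseudonym for the device identifier, suppression of fixes inside a radius of sensitive sites before they reach the raw store, trip-level features computed from the full trip so the rating store never holds coordinates, and a retention purge. Everything in it is constructed: the pseudonymisation key, the IMEI, the two sensitive sites, the five-fix trip, the 2.5 m/s² harsh-braking threshold and the 22:00 to 05:00 UTC night window are assumptions for illustration.

```python
import hashlib
import hmac
import math
from datetime import datetime, timedelta, timezone

# Constructed key for this example. In production the key comes from a KMS/HSM and is
# held apart from the data store, so a leak of the records alone does not expose devices.
PSEUDONYM_KEY = b"constructed-example-key"

def pseudonymise(device_id, key=PSEUDONYM_KEY):
    """Keyed hash (HMAC-SHA256) of a device identifier. A bare SHA-256 is not enough:
    IMEIs and VINs have little entropy, so an unkeyed table is reversible by brute force."""
    return hmac.new(key, device_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

# Constructed sensitive sites as (lat, lon, radius_m): a hypothetical place of worship
# and a hypothetical clinic. A real deployment maintains this as a governed dataset.
SENSITIVE_SITES = [(51.4545, -2.5879, 150.0), (51.4600, -2.5900, 200.0)]

HARSH_BRAKE_MS2 = 2.5  # assumed threshold; calibrate against real device data

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def near_sensitive_site(lat, lon):
    return any(haversine_m(lat, lon, s[0], s[1]) <= s[2] for s in SENSITIVE_SITES)

def suppress_sensitive(points):
    """Drop fixes inside a sensitive-site radius before they reach the raw store.
    points: list of (datetime, lat, lon, speed_kph)."""
    return [p for p in points if not near_sensitive_site(p[1], p[2])]

def is_night(ts):
    return ts.hour >= 22 or ts.hour < 5  # assumed night window, UTC for simplicity

def aggregate_trip(points):
    """Trip-level features for rating, computed from the full fix list in memory.
    The result carries no coordinates: these fields are enough for a score, so the
    rating store never needs raw GPS at all."""
    if len(points) < 2:
        raise ValueError("a trip needs at least two fixes")
    pts = sorted(points, key=lambda p: p[0])
    distance, harsh = 0.0, 0
    for (t0, la0, lo0, v0), (t1, la1, lo1, v1) in zip(pts, pts[1:]):
        distance += haversine_m(la0, lo0, la1, lo1)
        dt = (t1 - t0).total_seconds()
        if dt > 0 and (v0 - v1) / 3.6 / dt > HARSH_BRAKE_MS2:  # kph -> m/s, then decel
            harsh += 1
    return {
        "duration_s": (pts[-1][0] - pts[0][0]).total_seconds(),
        "distance_m": round(distance, 1),
        "max_speed_kph": max(p[3] for p in pts),
        "harsh_brake_events": harsh,
        "night_share": round(sum(is_night(p[0]) for p in pts) / len(pts), 3),
    }

def purge_expired(raw_records, now, retention_days=730):
    """Storage-limitation default: keep raw fixes only inside the retention window.
    730 days matches the 24-month raw-GPS figure in the entry's Example."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in raw_records if r["captured_at"] >= cutoff]

def demo():
    """Constructed five-fix trip at 5 s spacing, starting at the place of worship and
    ending beside the clinic, plus a constructed two-record raw store."""
    t0 = datetime(2026, 3, 1, 21, 59, 50, tzinfo=timezone.utc)
    trip = [
        (t0, 51.4545, -2.5879, 0.0),
        (t0 + timedelta(seconds=5), 51.4560, -2.5879, 35.0),
        (t0 + timedelta(seconds=10), 51.4569, -2.5879, 70.0),
        (t0 + timedelta(seconds=15), 51.4578, -2.5879, 20.0),
        (t0 + timedelta(seconds=20), 51.4590, -2.5885, 0.0),
    ]
    pid = pseudonymise("IMEI-490154203237518")  # constructed identifier
    now = datetime(2026, 6, 10, tzinfo=timezone.utc)
    raw_store = [
        {"device": pid, "captured_at": datetime(2024, 1, 15, tzinfo=timezone.utc)},
        {"device": pid, "captured_at": datetime(2025, 9, 1, tzinfo=timezone.utc)},
    ]
    return {
        "pseudonym": pid,
        "features": aggregate_trip(trip),          # score inputs, from the full trip
        "stored_fixes": suppress_sensitive(trip),  # what the raw store may keep
        "raw_after_purge": purge_expired(raw_store, now),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), default=str, indent=2))
```

Two design points matter here. The features are computed from the complete trip before suppression, so minimisation of the raw store does not degrade the score; but dropping the first and last fixes removes data the entry says is retained for claims, and the gap itself can reveal a stop at a sensitive site, so the radius and the site list are DPIA decisions rather than engineering defaults. The pseudonym is only as strong as the separation of the key from the data; rotating the key re-keys every device, which the data map has to account for.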

Article 32 — security

Appropriate measures for telematics include encryption in transit (TLS 1.2 or later, with certificate validation enforced on the device) and at rest, pseudonymisation (both named in Article 32(1)(a)), supplier due diligence, role-based access that restricts raw location data to the roles that need it, incident response, and regular testing of the effectiveness of those measures (32(1)(d)). The Network and Information Systems Regulations 2018 are not currently in scope for most telematics processors but may apply to in-vehicle infrastructure operators in future.

Article 35 — DPIA

Mandatory for systematic location monitoring at scale, which the ICO lists among processing likely to result in high risk. The DPIA should be reviewed when the scoring algorithm, the data collected or the supplier chain materially changes; if high residual risk remains after mitigation, Article 36 requires prior consultation with the ICO before processing starts.

How it works in practice

Insurers and brokers typically maintain a single GDPR file per telematics product covering: data map; lawful-basis grid; retention schedule; supplier register and Article 28 processor contracts; DPIA; privacy notice; Article 22 governance; and DSAR procedure under Article 15.

Common variations and subsequent developments

The Information Commissioner's Office's 2024 Vehicle data guide and the EU Data Act (Regulation (EU) 2023/2854) on access to in-vehicle data set the direction of travel. The Data (Use and Access) Act 2025 amends the UK GDPR's legitimate-interests provisions (adding a list of recognised legitimate interests) and the Article 22 automated decision-making regime, so the lawful-basis grid and Article 22 governance should be re-checked against the amended text as its provisions are commenced.

Example

A PHYD product’s DPIA documents Article 6(1)(b) for score-driven pricing, 6(1)(f) for fraud detection, retention of 24 months for raw GPS, an Article 22 cancellation review process with a named senior manager, and quarterly accuracy testing of the score under Article 5(1)(d).


This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.

Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.
