Telematics privacy regulation

Category: Telematics · Reviewed by Matt Bartlett, Director · Founder · Last reviewed 2026-06-10

Telematics privacy regulation is the body of UK and retained-EU data protection rules — principally the UK General Data Protection Regulation and the Data Protection Act 2018, supplemented by ICO and former EDPB guidance — that governs the collection, use, sharing and retention of personal data generated by motor telematics devices, dongles, smartphone applications and connected-vehicle modules.

Category: Telematics
Aliases: telematics data protection, connected vehicle privacy, vehicle data protection
Established: UK GDPR effective 1 January 2021; DPA 2018 in force 25 May 2018; ICO connected vehicles guide published 2024
Related: GDPR telematics, Black box car insurance, Driver scoring, UK GDPR, Data Protection Act 2018, ICO

Definition

A telematics dataset comprises personal data within the meaning of Article 4(1) of the UK GDPR: the data can identify an individual, directly through device-linked identifiers and indirectly through journey patterns that often single out one household member. The Court of Justice of the European Union’s judgment in Breyer (C‑582/14) established that data may be personal even if identification requires lawful third-party information; the same reasoning applies in retained law.

Telematics privacy regulation therefore covers all stages of processing: hardware design (Article 25 — data protection by design and by default), lawful collection (Articles 5, 6, 9), transparency (Articles 13, 14), data subject rights (Articles 15–22), retention (Article 5(1)(e)), security (Article 32), and high-risk assessment (Article 35).

Legal and regulatory basis

Statute and regulation

The Data Protection Act 2018 implements and supplements the UK GDPR. For motor telematics, Articles 5 (principles), 6 (lawful basis), 9 (special category data, where journey data implies religious worship, trade union membership, health), 13/14 (transparency), 22 (automated decision-making), 25 (by design and default), 32 (security) and 35 (DPIA) are the central provisions.

The Privacy and Electronic Communications Regulations 2003 (PECR), as amended, apply where information is stored on or read from terminal equipment — relevant to OBD-II dongles and smartphone applications and requiring informed consent for non-strictly-necessary processing.

Guidance

The European Data Protection Board’s Guidelines 1/2020 on processing of personal data in the context of connected vehicles and mobility related applications (final March 2021) remain a cross-border reference. The Information Commissioner’s Office’s 2024 guide Vehicle data — guide on collection of personal data in connected vehicles is the current UK supervisory document and addresses connected-car factory data, infotainment-system data, biometric and inferred data, and the role of insurers and telematics suppliers. ICO sandbox findings on connected vehicle pilots (where published) inform the practical operationalisation.

FCA cross-cutting

The Consumer Duty in PS22/9 does not displace data protection law but reinforces transparency expectations regarding the use of personal data in pricing.

How it works in practice

Insurers and their telematics suppliers normally rely on:

Special category data (Article 9) is generally avoided by design: scoring algorithms should not infer health, religious worship or trade union membership. Where such inferences are unavoidable, an Article 9(2) condition (typically explicit consent or substantial public interest) is required.

A DPIA under Article 35 is generally mandatory for systematic monitoring; the ICO’s list of processing operations requiring a DPIA expressly includes large-scale processing of location data. Retention periods should reflect the purpose: claims investigation may justify several years; behavioural scoring rolling windows are typically 90 days.

Common variations and subsequent developments

Subsequent developments include the ICO’s 2024 connected vehicles guide, the EU Data Act (Regulation (EU) 2023/2854) on access to in-vehicle data (with cross-border implications for UK fleets operating into the EU), and ongoing UK reform proposals reflected in the Data (Use and Access) framework.

Example

A young-driver black-box product undertakes a DPIA covering 24-hour location capture, harsh-event detection and renewal pricing. Retention is set at 24 months for raw GPS (claims forensic purpose), 12 months for aggregated journeys (renewal pricing) and the policy lifetime for the score itself. Article 22 safeguards are built into cancellation triggers, with mandatory human review.


This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
