DETECTION OF NON-PERSONAL DATA LEADING TO USER IDENTIFICATION, INCLUDING RELATED RECOMMENDATIONS FOR THE FIELD OF AUTONOMOUS MOBILITY

This paper introduces the issue of personal and non-personal data in autonomous vehicles. Its main objective is to provide a procedure for determining the processed and retained data, to explain the current legal regulation that must be met, and to propose appropriate recommendations for each data category. Current law (and the regulatory framework which it has produced) generally distinguishes between two basic types of data, i.e. non-personal data and personal data. The phenomenon that a combination of several pieces of non-personal data may, under certain circumstances2, result in processing of personal data, which is subject to significant regulation, is not limited solely to the field of autonomous mobility. This paper deals with data classification in autonomous vehicles, focusing on the challenging cases of non-personal data that can turn into personal data. The initial stage involves identifying the data to be processed, followed by the classification of the identified data. Based on this classification, relevant legal obligations and recommendations are described. The primary objective of this article is to provide guidance to data administrators (or, to use the terminology of data protection laws, data controllers) in autonomous mobility, enabling them to identify data and take appropriate measures to ensure compliance with legal regulations. The ultimate aim is to ensure that data controllers adhere to legal requirements, a goal that is critical for all data controllers. Beyond that, this article should be relevant also for other stakeholders in the autonomous mobility ecosystem, such as vehicle manufacturers and their suppliers, software application and service providers, and others.