Vehicles from the manufacturer Tesla are becoming increasingly popular, especially in the e-mobility scene. No wonder, then, that the idea of using Tesla vehicles as company vehicles is also quickly emerging. In data protection law, this is primarily related to considerations of data transfer to third countries, since Tesla uses American cloud services and is a US company.
How does Tesla handle data?
Vehicles from the manufacturer Tesla feature a wide range of automotive assistance systems that also enable automated driving to a certain extent. They are intended to increase safety and comfort during use. Examples include assistance systems that influence lane and braking behavior, automatically deploying airbags or eCall systems designed to mitigate the consequences of accidents, navigation systems, and entertainment and service offerings.
Through this broad offering, personal data about the owner, the driver, passersby in the parking lot and on the roads, the occupants, and other road users are digitally collected, stored, and analyzed. Tesla itself states that it shares this data with service providers and business partners, as well as third parties authorized by them and required by law. The data is only passed on with the consent of the owner, a Call by police or court order, or when necessary to defend Tesla itself.
This data is stored in Tesla's own cloud in the USA and other parts of the world, and the vehicles are also cloud participants / mobile cloud storage (in the sense of a mobile USB hard drive) that Tesla can access at any time. Moreover, without a cloud connection or internet connection, most features are unavailable. Thus, at the end of November, many Tesla drivers were unable to open their vehicle via the Tesla appbecause there was a technical failure. Every user of a Tesla (for the complete use of his car) is thus forced to transfer personal data to third countries (USA).
Data transfer to third countries - What needs to be considered?
The ECJ rulings Schrems I and Schrems II declared any attempts at agreements null and void because they violate the GDPR. European data protection standards cannot be upheld by U.S. companies because of the wide access of U.S. intelligence agencies to foreign user data. Efforts to create a new international agreement have so far been unsuccessful.
To ease this conflict, the agreements are being replaced by standard contractual clauses. These are contractual clauses that have been approved by the data protection authorities. They are intended to guarantee the security of European users' data on American servers through additional measures and controls. This solution has already been challenged by the ECJ, but has not (yet) been found to be illegal.
Consequences for data transfer at Tesla
These considerations regarding data transfer to third countries mean that suitable order processing contracts with standard contractual clauses must exist for the data protection-compliant use of a Tesla as a company car in the EU. If this is not the case at this point in time, there is no legal basis for Tesla to process the accruing data.
In addition, the GPS tracking of company vehicles (as it is at least possible with Tesla) according to the whitelist of the data protection conference in principle a data protection impact assessment (Art. 35 DSGVO). This obliges the company that wants to use a Tesla vehicle as a company car to appoint a data protection officer (regardless of the size and the field of activity of the company).
The legal situation surrounding data transfer to third countries is very confused. In addition, large American IT companies come into contact with it time and again. In order to be able to deal with this in a data protection-compliant manner, you need to seek professional advice.
Our team of experts will be happy to assist you!