GDPR and NIS2 in the automotive sector – data protection

We designed ODO 24 services to meet the most demanding expectations of companies and institutions, tailoring solutions to each client's individual needs.

ODO 24 services banner

ODO 24 services – our mission

Our mission is to build safe working environments that ensure full compliance with regulations and cyber resilience. By choosing ODO 24, your organisation gains not only professional support, but also peace of mind that challenging topics are in the best hands.

See our services and what we can help you with

Data security in the automotive sector – business case

GDPR: experience in the automotive sector

The automotive sector mainly processes personal data about customers — both retail and business buyers. Premium clients often expect a higher standard of data protection. Under the GDPR, a key challenge is new in-vehicle technology that collects additional personal data, integrating data from multiple sources and sharing data with external parties.

At ODO 24 we have addressed many issues typical of the automotive industry. We assessed whether personal data from connected cars is processed lawfully. For clients we also analysed whether telemetry, location and driver behaviour data qualify as personal data and who acts as controller.

We have also regulated GPS fleet monitoring, reviewed the lawfulness of continuous monitoring of employees in company cars and drafted privacy notices for drivers. We examined biometric processing in vehicles — for example starting a car with face or fingerprint recognition. When reviewing manufacturers' mobile apps we checked whether solutions that collect driving style, location and usage data meet privacy-by-design and privacy-by-default requirements.

Where data is shared with third parties, we structured transfers of driver data to insurers, service providers and digital suppliers — including legal bases and processor agreements. We routinely support everyday dealership and workshop processing too: contact details, repair history and test drives, especially retention periods and data minimisation.

For infotainment systems and related passenger information we regulated processing of contacts, calls and multimedia data, with a focus on responsibility split between manufacturer and user. In car-sharing and short-term rental we defined proportional scope for user location and behaviour data. Transfers outside the EU — including from vehicles to servers outside the EEA — often need formal safeguards; we design mechanisms to legitimise them. We also support breach response, including leaks from vehicle systems or apps, and procedures with notifications to the supervisory authority.

We serve or have served, among others. Dynamics Motors – BMW, Mazda Odyssey Nissan and Mazda Jaworski Auto – Toyota, Mercedes Wróbel, Auto Hero, TB TRUCK Serwis, Auto 1.

GDPR and cybersecurity – challenges for the automotive sector

Vehicles generate large volumes of information: location, driver behaviour and, via infotainment, sometimes contacts or interests. Much of this is processed in real time in integrated monitoring environments.

Given the scale of processing, robust cybersecurity is essential: access control, encryption, and fast detection and response to incidents.

Effective protection of the data of car owners, drivers and passengers is the basis for building the credibility of the seller and the brand itself.

We use recognized international standards.
This is how you recognize quality

We use recognized international standards. This is how you recognize quality

CIPM

Implementation of privacy and personal data protection system

ISO/IEC 27001

Information technology - Security techniques - Information security management systems

ISO/IEC 29134

Information technology - Security techniques - Guidelines for data protection impact assessment

ISO/IEC 27001

Privacy information management system

ISO 31000

Risk management - Principles and guidelines

PRINCE2 and SMC™

Project management methodologies

ISO 19011

Guidelines for auditing management systems

ISO/IEC 27005

Information technology - Security techniques - Information security risk management

ODO 24 expert

Looking for solutions tailored to
the automotive sector? We invite you to work with us.

What our customers say about our services

Marcin Wieczorek

Wojas

foto-lizard-media.jpg

I am very impressed with the high level of substantive expertise of the training staff

From 13 to 17 March I attended the "Course for Information Security Administrators" organized by ODO 24 sp. z o.o. I am very impressed with the high substantive level of the training staff and the comprehensive program. Working as an ABI requires knowledge not only of legal provisions but also of IT matters, which ODO 24 took into account. Noteworthy is the curriculum, which gradually introduces increasingly advanced nuances of personal data protection, starting from the legal basics and ending with practical aspects of auditing and working with documents within a company. The complete set of materials, editable documents and publications I received will facilitate my daily work as an ABI. I can certainly recommend ODO 24 as a reliable partner offering training services of a high standard.

Magdalena Węglewska

Mazda

foto-mazda.jpg

We can wholeheartedly recommend ODO 24 as a professional and reliable partner

For many years we have consistently placed great importance on the protection of the personal data of our customers as well as our employees. We took an active part in creating the "Code of Good Practice for the Protection of Personal Data of Customers and Potential Customers,” developed jointly by GIODO and the Polish Automotive Industry Association. Due to the complexity and variability of the rules on personal data protection, as well as Mazda’s dynamic development in Poland and the increasing volume of data we process, we decided to entrust the ABI function to a company specialized in this field. The decision to use the services of ODO 24 was primarily influenced by the experience and competence of the team of experts, the comprehensiveness of the offering and its flexibility in adapting to our organization. After a year of cooperation we can recommend ODO 24 as a professional and reliable partner.

Agnieszka Karłowicz

Spiżarnia

foto-spizarnia.jpg

A practical approach, continuous advisory availability, and positive working relationships

We have been working with ODO24 for over a year. For us it has been a year of peaceful breathing and a sense of security: at least regarding personal data protection :-) The people at ODO are professionals who explain matters that are incomprehensible to the average person in an understandable way. They understand not only their profession but, which is very important to us, business and its requirements. A practical approach, constant advisory availability, and great relationships — all of this means I can recommend this Company to anyone who wants to work and sleep peacefully.

Tomasz Siwicki

Gefco

foto-gefco.jpg

I recommend the company ODO 24 as a professional partner

For several years we have been cooperating with ODO 24 in the field of personal data protection. A professional team that efficiently helped us to comply with the requirements of the GDPR. We make use not only of the experts’ knowledge but also of professionally prepared e‑training, thanks to which we were able to train several hundred employees in a very short time. I highly recommend ODO 24 as a professional partner delivering services at the highest level.

Opinion of the participants

Google

Tomasz G.

Google

2 years ago

starstarstarstarstar

I wanted to thank you for the wonderful training I've had at your company, the materials were very well prepared, and the instructor has shown tremendous knowledge and experience.

Google

Aleksandra P.

Google

2 years ago

starstarstarstarstar

Training at a very high level, I highly recommend!!! Training materials very useful in everyday work.

Google

Sławomir M.

Google

2 years ago

starstarstarstarstar

Mrs. Mecenas, it was an honor to be able to take part in this training, and thank you very much for your professional approach and valuable practical guidance.

Google

Wacław T.

Google

3 years ago

starstarstarstarstar

The IOD course organized by ODO24 has met all my expectations, a very practical approach, concrete examples and professional support.

Google

Maria K.

Google

1 year ago

starstarstarstarstar

The training was conducted in a way that was understandable even to those without previous experience in this field.

Google

Piotr N.

Google

10 months ago

starstarstarstarstar

Very good training, a lot of practical examples, a little bit too little time to ask questions, but overall I'm satisfied.

Google

Anna W.

Google

8 months ago

starstarstarstarstar

A professional approach, a great atmosphere during the training, the instructor answered all the questions thoroughly, and I highly recommend ODO24!

Google

Jan K.

Google

1 year ago

starstarstarstarstar

It's the best personal data protection training I've ever had, specific examples from real life, not just a dry theory, I recommend it to anyone who works with GDPR.

Google

Katarzyna J.

Google

6 months ago

starstarstarstarstar

The training meets my expectations. A lot of practical knowledge, good materials. The only drawback is too much group, so less time for individual consultations.

Google

Michał L.

Google

4 months ago

starstarstarstarstar

Excellent training! A very competent conductor with vast experience. Everything explained in a clear and understandable way. The training materials are very useful.

Google

Joanna D.

Google

3 months ago

starstarstarstarstar

I recommend ODO24 training to anyone seeking a sound knowledge of the field of ODO: professional service, excellent organisation and excellent teaching facilities.

Google

Andrzej S.

Google

2 months ago

starstarstarstarstar

Sometimes the pace was a little too fast, but the conductor was happy to return to the topics discussed earlier at the request of the participants.

Automotive sector GDPR icon

GDPR in the automotive sector questions and answers

How should a car dealership process customer data under the GDPR?

A dealership mainly processes customer data to perform the vehicle sales contract, prepare an offer and provide after-sales service. Data may be processed without consent where necessary to perform a contract or to take steps at the customer's request before entering into a contract. The dealer must also provide a privacy notice and ensure appropriate security in sales systems and CRM.

Can a car dealer use customer data for marketing?

Yes, but only on specific legal grounds. Sending commercial information by electronic means or telephone generally requires valid marketing consent. The dealer should make it easy for customers to withdraw consent.

How long can a car workshop retain customer data?

After the service is completed, customer data must be kept for as long as tax and accounting law requires, and may be kept until limitation periods for claims under the contract expire. In practice this often means several years from the sale or completion of the service.

Does a vehicle service history contain personal data?

Yes. If the service history allows the owner or user of the vehicle to be identified, it is personal data. The workshop or dealer must then ensure appropriate system security, access controls and defined retention periods.

Is CCTV in a showroom or workshop GDPR-compliant?

Video surveillance is permitted where it protects property, ensures employee safety or helps prevent theft. The company must inform people on the premises about monitoring and set rules for storing recordings — they should not be kept longer than necessary.

Can customer data be shared with the importer or vehicle manufacturer?

Often yes — for example to honour warranties, provide servicing or run recall campaigns. Such sharing must have a legal basis and be clearly described in the privacy notice given to the customer.

Can fleet management companies monitor drivers?

Fleet operators often use GPS and telematics. Where the system can identify a specific driver, that information is personal data. Employees should be informed about monitoring, its purpose and what data are processed.

Do data from vehicle telematics systems fall under the GDPR?

Yes, when telematics data can identify the vehicle owner or driver. Location, driving style or usage time may be personal data and must be processed in line with GDPR rules.

How should dealers secure customer data in sales systems?

CRM, leasing and vehicle sales platforms need appropriate technical and organisational measures: access control, encryption, logging of user actions and regular security reviews.

How should an automotive business prepare a data protection framework?

Companies in the sector should adopt a data protection policy, maintain a record of processing activities, train staff and define breach response procedures. Regular GDPR audits help identify risks and demonstrate accountability.

Our greatest value is the trust of our customers.

How can we help you?

Write or call, we will find a solution

Form decoration

Use the form

The data controller will be ODO 24 sp. z o.o. with its registered office in Warsaw at ul. Kamionkowska 45. Your data will be processed for the purpose of preparing, sending and archiving the cooperation offer. More information can be found in the Privacy Policy