Can road safety technologies be GDPR compliant

Background: Road safety as public health challenge

Road safety remains one of Europe's most pressing public health challenges. Despite decades of technological advancement and policy initiatives, the reality is that over 19,800 people lost their lives on European roads in 2024. While this represents a 3% decrease from the previous year, the pace of improvement falls significantly short of the EU's ambitious target to halve road deaths by 2030. The human and economic toll is staggering, creating ripple effects throughout society - from devastating impacts on families to substantial costs for businesses and healthcare systems.

While the 3% reduction in road fatalities is a step in the right direction, it is not enough. Too many lives are still lost on our roads every year. We must accelerate efforts to improve road safety, particularly for vulnerable road users and in high-risk areas like rural roads. Every death is one too many, and we remain committed to achieving our Vision Zero goal." (Apostolos Tzitzikostas, Commissioner for Sustainable Transport and Tourism)

This is not merely a challenge for policymakers to solve alone - it demands concerted action from all stakeholders, including those in the private sector. The UN General Assembly's Decade of Action for Road Safety 2021-2030 explicitly calls upon businesses with professional drivers to actively contribute through technology deployment and innovation. This global mandate is echoed at the European level, where both the European Commission and Parliament have emphasized that achieving "Vision Zero" - the goal of zero road fatalities by 2050 - requires coordinated action from all actors, including transport-related businesses. Fleet operators, who manage thousands of vehicles traversing European roads daily, are uniquely positioned to drive this change through their adoption of road safety technologies.

These technologies work as vigilant co-pilots, using sensors, cameras, and radar to check unsafe conditions simultaneously. They watch for potential collisions with vehicles, pedestrians, or obstacles, while also detecting if a driver is speeding, drifting from their lane or being distracted by their mobile phone. When unsafe conditions are detected, road safety technologies can respond in different ways: by alerting drivers through visual, audible or haptic warnings, by assisting with subtle corrections, such as minor steering adjustments, by actively intervening in emergencies - for instance, automatically applying brakes to prevent collisions, and by coaching drivers on how to prevent unsafe driving behavior from reoccurring. These technologies come in two main forms – built-in systems and retrofit systems. The first are pre-installed by manufacturers, typically standardized and increasingly common in newer vehicles, partly driven by regulatory requirements such as the Vehicle General Safety Regulation. The second are installed by fleet operators, customizable to fleet operators’ individual safety challenges, and more often found in existing vehicles and legacy fleets. However, built-in and retrofit technologies are not mutually exclusive. In an ideal world, they work in harmony as a hybrid solution to ensure road safety, depending on the specific safety challenges of fleet operators and drivers. 

When fully adopted across vehicle fleets, these technologies have the potential to prevent thousands of crashes annually. This makes them a crucial tool in achieving the EU's ambitious goal of halving road deaths by 2030 - a target that current progress suggests will require exactly these kinds of innovative solutions to achieve.

Problem: Caught between safety and privacy – fleet operators' GDPR dilemma

In deploying these life-saving technologies, fleet operators face a significant challenge: most road safety technologies necessarily process personal data about their drivers and potentially other road users. Every camera recording, behavior log, and location trace falls under the GDPR's broad definition of personal data, creating a complex dilemma. While operators have both legal and moral obligations to ensure road safety, they must also protect their drivers’ and other road users’ privacy under the GDPR, with violations risking fines up to EUR 20 million or 4% of global turnover.

Fleet operators consistently report to struggle finding regulatory guidance on how to implement these technologies effectively, but in a GDPR-compliant manner. Often, they feel that data protection authorities, while rightly focused on privacy, issue recommendations disconnected from scientific studies and operational realities. This has a chilling effect on the adoption of road safety technologies. Many fleet operators report holding back from implementing such technologies out of fear of GDPR non-compliance. The situation is particularly frustrating for fleet operators because they often find themselves caught between competing regulatory demands - transport authorities are pressing the accelerator for rapid adoption of road safety technologies, while data protection authorities are applying the brakes with overwhelming privacy requirements. Without clear guidance on how to navigate these competing requirements, many choose to err on the side of caution – potentially at the cost of road safety improvements. 

The challenge now facing the industry is clear: How can fleet operators harness the full potential of road safety technologies while ensuring robust data protection? 

Recommendation I: Get the GDPR basics right

The GDPR does not contain specific provisions for road safety technologies, which means fleet operators must ensure compliance with the fundamental privacy principles outlined in Art. 5 GDPR. Getting these privacy-by-design basics right is essential:

• Lawfulness requires fleet operators to establish a valid legal basis for processing personal data through road safety technologies. This might be driver consent or the legitimate interests pursued by the fleet operator and others. The specific requirements and considerations for each legal basis will be explored in detail below.

• Transparency demands that fleet operators clearly inform drivers about how their personal data is being processed. Depending on the technology used - particularly with video footage that might capture other road users - this obligation may extend beyond drivers to include the general public.

• Purpose limitation ensures that road safety technologies are used only for specific, legitimate safety purposes and not for unrelated or excessive purposes. For example, using the technology to assess employee productivity or work patterns would exceed the original road safety purpose.

• Data minimization requires fleet operators to collect only data necessary for road safety purposes. A key consideration is whether the technology can function with pseudonymized data, where drivers' identities are masked by default and only revealed when necessary (such as after a serious safety incident). While complete anonymization might seem ideal from a privacy standpoint, research shows that effective road safety technologies require a degree of oversight and personalized feedback. A balanced approach that combines robust privacy protections with constructive driver engagement allows for necessary oversight while fostering a positive safety culture.

• Accuracy obligations require fleet operators to ensure the reliability of the technology's data processing. This typically involves working with technology providers to regularly validate system accuracy and implement measures to prevent false alerts that could unnecessarily flag unsafe driving behavior.

• Storage limitation means personal data must not be retained longer than necessary. Fleet operators should establish retention periods based on the time reasonably needed to analyze road safety events, respond to incidents, or exercise and defend against legal claims.

• Data security requires implementing appropriate technical and organizational measures. For example, fleet operators should restrict access to authorized safety personnel only.

• Finally, accountability requires fleet operators to demonstrate GDPR compliance through comprehensive documentation. This includes maintaining data processing agreements with technology providers, keeping records of processing activities, and conducting data protection impact assessments for high-risk processing operations.

Among these privacy principles, establishing a valid legal basis for processing driver data is often the most challenging hurdle for fleet operators. The question of whether to rely on driver consent or legitimate interests - and how to implement either choice properly - has significant practical implications for system design and operation.

Recommendation II: Learn from success stories – “RIBAS”

A landmark German Federal Labor Court judgment from 2016 offers a blueprint for modern fleet operators seeking to implement road safety technologies in a GDPR-compliant manner. 

The case involved a public transport operator who introduced a new road safety technology to its fleet of buses. The technology, called RIBAS, measured five key aspects of driving behavior: over-revving (R), excessive idling (I), harsh braking (B), harsh acceleration (A), and speeding (S). It was designed to promote safer, more efficient driving while reducing fuel consumption and vehicle wear. The operator implemented RIBAS through a thoughtful approach in close consultation with both its works council and the competent data protection authority. Drivers could choose between two participation models: They could either use a pseudonymous system key that masked their identity while still contributing to overall fleet safety data, or they could opt into a personalized program that offered bonuses for maintaining safe driving behaviour. Under the personalized program, drivers received detailed feedback about their driving behaviour and could earn rewards for consistent safe driving practices. Those using pseudonymous keys would only be identified in cases of significant safety concerns, such as repeated harsh braking or consistent speeding. Nevertheless, a driver challenged the RIBAS technology compliance with privacy laws, particularly the requirement to participate even in pseudonymous form.

The Federal Labor Court dismissed the claim and recognized that modern road safety technologies inevitably involve processing personal data but found that this specific implementation struck an appropriate balance between road safety and privacy. The decision is particularly noteworthy for several reasons. The court acknowledged that data processing for road safety purposes can be based on consent or legitimate interests for employment purposes. The court clearly rejected closed-loop systems without operator’s oversight, technical speed limitations or general safety training as similarly effective alternatives to the RIBAS technology. In addition, the court took the view to not consider RIBAS’ specific implementation as constant monitoring. 

Some might question this judgment's relevance, noting the case predated GDPR or applied only in Germany. However, the court's reasoning reflects universal principles of European data protection law, such as lawfulness through either consent or legitimate interests, purpose limitation to safety objectives or data minimization through pseudonymization options. These universal principles remain remarkably relevant today, making the approach viable under the GDPR and across the EU (unless local laws apply restrictions).

Learning from RIBAS, fleet operators have three viable models for implementing road safety technologies in a GDPR-compliant way, each offering different benefits and requirements:

The consent-based model relies on driver consent and offers the most comprehensive safety feedback capabilities. Under this model, participation is entirely voluntary, and drivers who opt in receive full visibility of their driving behaviour. To ensure consent is freely given - particularly important in employment relationships – fleet operators must offer meaningful benefits, typically through a safety bonus scheme rewarding consistent safe driving. In the RIBAS case back in 2016, drivers received monthly gift cards with amounts that decreased based on their safety ranking. For example, the safest drivers (ranked 1-30) received EUR 40, while those ranked 31-55 received EUR 35, with the reward amount continuing to decrease for lower safety rankings. Fleet operators may also offer alternative or additional incentives, subject to local employment laws, such as prize drawings, company merchandise, recognition (both within and outside the company), and extra vacation days. Because drivers have explicitly consented, their driving data can be processed without masking their identity, enabling personalized coaching and detailed feedback. However, because this model is based purely on consent, drivers must have the ability to opt out completely from using the road safety technology. This limitation makes it less suitable for fleet operators who need to ensure baseline safety standards across their fleet.

The legitimate interests model allows fleet operators to make road safety technology mandatory based on their legitimate interest in ensuring road safety. Drivers cannot opt out completely (except for their right to object under the GDPR) because the fleet operator's legitimate interest in preventing accidents and ensuring safety typically outweighs individual privacy concerns, provided appropriate safeguards are in place. These safeguards must include driver masking by default, with driver identification permitted only when significant safety concerns arise, such as consistent unsafe driving behaviour. While this approach does not include a benefit scheme, it ensures consistent safety standards across the fleet while protecting driver privacy.

The combined choice model, as validated by the German Federal Labor Court, combines elements of both models. Drivers can choose between participating in the incentivized program with full identification or using the masked version based on legitimate interests. Importantly, drivers cannot opt out completely from using the safety technology - they must choose one of these two options. This ensures consistent safety standards while respecting privacy preferences. Drivers who prefer privacy can contribute to safety goals through masked participation, while those who opt for identified participation can benefit from both detailed feedback and safety bonuses.

Anticipating remaining privacy concerns and pressure tests

While the German Federal Labor Court's decision provides a valuable framework for implementing road safety technologies in compliance with the GDPR, individual data protection authorities or other stakeholders may still raise privacy concerns and pressure test the chosen model. Understanding and addressing these concerns proactively is therefore crucial for fleet operators.

Conclusion: The road ahead

The reality of nearly 20,000 lives lost on EU roads in 2024 serves as a powerful reminder of why the adoption of road safety technologies must be accelerated. While the 3% reduction in fatalities shows progress, it falls short of the EU's ambitious goal to halve road deaths by 2030. This gap between aspiration and reality underscores the urgency of enabling innovative safety solutions.

Fleet operators stand at a crucial intersection. They have access to technologies that can significantly improve road safety yet must navigate legitimate privacy concerns. The path forward, as demonstrated by pioneering implementations and court decisions, shows that these objectives do not have to conflict. Through thoughtful privacy-by-design models, road safety technologies can operate within GDPR requirements while maintaining their life-saving potential. Fleet operators who implement them compliantly today will not only protect their drivers and the public but also help shape a future where privacy and safety enhance rather than compromise each other.

Reading List: Essential resources

Road safety statistics and policy

• European Commission, EU road fatalities drop by 3% in 2024, but progress remains slow: https://transport.ec.europa.eu/news-events/news/eu-road-fatalities-drop-3-2024-progress-remains-slow-2025-03-18_en

• European Commission, EU road safety policy framework 2021-2030, https://op.europa.eu/en/publication-detail/-/publication/d7ee4b58-4bc5-11ea-8aa5-01aa75ed71a1

• European Automobile Manufacturers' Association (ACEA), Vehicles on European roads 2025, https://www.acea.auto/files/ACEA_Report_-_Vehicles_on_European_roads_2025.pdf

Road safety technology

• European Transport Safety Council (ETSC), Using In-Vehicle Safety Technology to Improve Road Safety At Work, https://etsc.eu/infographic-using-safety-technology/

• European Transport Safety Council (ETSC), Driving for Work: Using Telematics in Professional Vehicle Fleets, https://etsc.eu/infographic-driving-for-work-using-telematics-in-professional-vehicle-fleets/

Regulatory guidance and case law

• European Data Protection Board (EDPB), Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf

• European Data Protection Board (EDPB), Guidelines on Consent under Regulation 2016/679, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

• Art. 29 Working Party, Opinion 2/2017 on data processing at work, https://ec.europa.eu/newsroom/article29/items/610169

• Data Protection Authority DE/Lower Saxony, 27th Activity Report 2021, https://www.zaftda.de/tb-bundeslaender/niedersachsen/805-27-tb-lfd-niedersachen-2021-o-dr-nr-vom-02-06-2022/file

• Federal Labour Court, Judgment of 17.11.2016 - 2 AZR 730/15, https://openjur.de/u/2132199.html