In the vehicle ecosystem, data serves as a valuable resource, encompassing condition, diagnostic, usage, and environmental data—captured within the vehicle, through on-board interfaces, and increasingly via backends (“connected car”). These datasets are essential for gaining insights into product performance and quality, while also forming the foundation for developing new products and services.
As the significance of data continues to grow, so too do expectations around its availability and interoperability. Independent repairers and tool manufacturers require access to repair and maintenance information, fleets and end customers demand greater transparency and portability, new service providers seek to create data-driven services, and public authorities, in certain cases, access safety-related or accident-related data.
This area of conflict is increasingly defined not only by technical issues but also, and more significantly, by legal and organizational requirements. For OEMs and suppliers, multiple and partially overlapping regulatory frameworks must be taken into account. These include access to RMI under Regulation (EU) 2018/858 on type approval, requirements concerning EDR data (event data recorder), antitrust and competition-law access claims, the EU Data Act as a new horizontal data access regime in an IoT context, and data subject rights under the GDPR, as well as national-specific rules (e.g., in Germany, the Road Traffic Act (StVG) concerning automated driving functions).
The result: data access has evolved from being a mere “one-off ticket” to becoming a systemic compliance domain, encompassing risks such as market surveillance measures, administrative fines, civil disputes, antitrust proceedings, and reputational harm, while also presenting opportunities for innovative services and partnerships.
This is precisely where data governance becomes crucial. In the automotive context, “data governance” is understood as the comprehensive framework of roles, rules, processes, and technical controls that ensures that
- Data are accurately classified (e.g., RMI vs. telemetry vs. EDR; personal data vs. non-personal data; safety-critical vs. non-critical),
- Access is managed consistently, without discrimination, and in an auditable manner (e.g., through APIs, portals, audit logs, and authorization models), and
- Legal requirements are incorporated “by design” into product development, after-sales, and operational processes.
Without robust governance, companies often encounter common conflicts: security measures obstruct legally guaranteed access, data protection requirements are mistaken for data access rights, or inconsistent decisions arise across business units. In contrast, a strong governance framework facilitates lawful, efficient, and scalable data access management, thereby fostering innovation.
This FAQ is tailored for decision-makers and practitioners within OEMs and automotive service providers, particularly in the fields of Legal/Compliance, After-Sales, Product/Engineering, Data/IT Security, and Business Development. Its objective is to present the relevant legal frameworks in a manner that is both comprehensible and legally precise, addressing common practical questions and offering actionable implementation ideas: What actions are required from an OEM today? What claims are available to users and market participants? Where do potential points of dispute arise? And how can all of these elements be effectively incorporated into a sustainable governance model?
This FAQ is organized as follows:
In Part 1, we primarily examine the substantive legal requirements of the relevant instruments and their implementation, including:
- Overview of the key rules and data categories (RMI, EDR, competition law, Data Act, GDPR, StVG)
- Obligations and actionable options for RMI and EDR, including competition law guidance and practical implementation frameworks
- Implications of the Data Act and its distinction from existing frameworks
- Comparison of GDPR access rights with other data access mechanisms
- Typical areas of conflict and solution approaches
- Other applicable regulations.
In Part 2, we discuss the establishment of a corresponding Data Governance Management System, including its organization, processes, controls, and responsibilities, as well as the implications of infringements and the strategies for enforcing rights and defending against claims.
The FAQ is designed to provide orientation and a framework for legal classification, the development of data access and contractual models, and, most importantly, the establishment of governance to ensure manageable data access within the automotive industry.
1. What rules regulate access to vehicle data for companies operating in the automotive industry?
Several European and national provisions regulate access to vehicle data and the associated rights. For vehicle manufacturers (OEMs) and suppliers, the following areas are of particular importance:
- Repair and Maintenance Information (RMI) under Regulation (EU) 2018/858: The type-approval Regulation mandates manufacturers to provide independent operators with access to on-board diagnostics (OBD) data, along with repair and maintenance information. The aim is to ensure fair competition within the sector: both independent and authorised repairers must have equal, non-discriminatory access to the data necessary for maintenance and repairs. Article 61 of Regulation (EU) 2018/858 stipulates that RMI must be made available electronically and offered at reasonable, non-deterrent fees.
- Event Data Recorder (EDR) under EU Safety Rules: New vehicles are required to be equipped with an Event Data Recorder (EDR) (mandatory for passenger cars since July 2024). Regulation (EU) 2019/2144 (“General Safety Regulation 2”) and its implementing rules (e.g., Implementing Regulation (EU) 2022/545) stipulate which crash data must be recorded and how such data may be accessed. EDR data (e.g., speed, braking status prior to impact) are stored locally and can be accessed via the standardised OBD interface or directly at the airbag control unit. Manufacturers (OEMs) must ensure data protection against manipulation and facilitate access for authorised entities.
Please note: EDR data may only be utilized for accident investigations and safety improvements, not for continuous monitoring purposes. Data protection requirements include, among other things, ensuring that no personal data, such as full vehicle identification numbers (VINs), is stored, and that the data generally “belongs” to the driver or vehicle holder.
- Antitrust and Competition-Law Access Claims: In addition to specific regulations, general competition law may also apply. Manufacturers holding market power must not unreasonably deny access to essential in-vehicle data, as prohibited under rules against abuse of dominance (e.g., Article 102 TFEU). In October 2023, the Court of Justice of the European Union (CJEU) clarified that OEMs cannot circumvent data access requirements guaranteed by regulation (in the case at issue: the OBD data stream) through their own conditions or the imposition of technical barriers. Furthermore, national courts may enforce access rights under competition law or laws against unfair competition, such as Germany’s UWG, particularly where independent service providers face discrimination. These aspects must therefore always be taken into account when making an assessment.
- EU Data Act: The Data Act (Regulation (EU) 2023/2854) has established, since September 2025, a comprehensive horizontal framework for access to data generated through usage, including that of connected vehicles. It grants users (e.g., vehicle holders or lessees) the right to access usage data and to share such data with third parties of their choosing. Data holders (typically the manufacturer) are obligated to provide this data without undue delay, in a secure manner, free of charge, and in a commonly used, machine-readable format. Unlike sector-specific regulations, the Data Act adopts a user-centric approach, whereby third-party access is generally mediated through the user (unless the third party itself qualifies as a user). However, access may be denied or restricted under certain circumstances, such as for security reasons or to safeguard trade secrets, provided such actions comply with other applicable laws (e.g., the GDPR). Overall, the Data Act is poised to play a significant role in shaping the future framework for data access (see details in Question 3).
- Data Protection Law (GDPR): In-vehicle data often qualify as personal data (e.g., location history, driving behavior) and fall under the scope of the GDPR. Article 15 GDPR grants individuals the right of access, while Article 20 GDPR provides the right to data portability, requiring the availability of such data in a transferable format. In practice, these provisions result in data access claims by drivers or vehicle holders against OEMs for personal data concerning them. OEMs are therefore obligated to provide, upon request, user-related driving data, irrespective of whether additional data access rights (e.g., under the Data Act) are applicable concurrently. Simultaneously, the GDPR mandates that personal in-vehicle data may only be processed where a legal basis exists or explicit consent has been obtained. (For further details, refer to Question 4.)
- Road Traffic Act (StVG) and National Rules: National law, specifically in Germany, includes detailed requirements concerning automated driving functions. Section 63a StVG mandates that certain vehicles equipped with automated driving functions must store specific data, such as position and time information, when switching between human control and automated driving. This data is crucial for determining responsibility and may be requested by public authorities. Additionally, vehicle holders are obligated, at the request of third parties (e.g., the opposing party in an accident or insurers), to ensure the data is provided when necessary for enforcing rights after an accident. Regarding data retention periods, the law specifies a duration of 6 months if no accident occurs; otherwise, the data must be retained for 3 years. Section 63a (5) StVG also permits the anonymized transmission of such data for the purpose of accident research. Furthermore, Sections 63c and 63e StVG outline additional scenarios for data access, such as emission-zone controls and traffic management, which may utilize data like position, speed, and weather-related indicators (e.g., windshield wiper status). In conclusion, alongside EU regulations, specific national provisions may apply, especially in connection with highly automated driving or hazard prevention measures.
2. RMI and EDR Data: What are the obligations, relevant CJEU case-law, and practical implementation strategies to know?
- RMI (Repair and Maintenance Information): Repair and Maintenance Information (RMI) must be made electronically available in accordance with Articles 61 et seq. of Regulation (EU) 2018/858. Availability is facilitated via the OBD-II interface. It must be ensured that third-party tools can process the data further. Fees are permissible; however, they must be proportionate and must not serve as a deterrent. Equal treatment must be ensured, meaning that independent repairers or service providers must not face disadvantage compared to authorised partners. In practice, disputes have arisen regarding access barriers, such as security gateways that restrict OBD access unless registration and an online connection to the manufacturer’s server are completed.
The CJEU has established clear limits in this regard. In Carglass/A.T.U. v FCA (judgment of 5 October 2023), the court determined that manufacturer-specific additional conditions, which de facto make access more difficult, are impermissible. Requirements such as personal registrations, mandatory online connections, or paid add-on subscriptions are not stipulated by the Regulation. Security concerns, as a general rule, do not absolve manufacturers from their access obligations; instead, “security by design” measures should be implemented without disproportionately restricting the mandated data access. However, as the CJEU's guidelines remain somewhat ambiguous, there is potential for debate and disputes in practice.
Pragmatic Implementation for OEMs: OEMs typically design their diagnostic and access architectures to allow multi-brand diagnostic tools to utilize the OBD interface effectively. Safety-critical functions, such as immobilisers, are secured separately, often employing standardized mechanisms wherever feasible. For security-related repair and maintenance information (RMI), the EU-wide certification scheme SERMI (Security Related RMI) is already available.
- EDR (Event Data Recorder): Implementing Regulation (EU) 2022/545 mandates that new vehicle types automatically record specific accident data. OEMs are required to integrate EDR systems and adhere to the technical specifications outlined, including those under UN ECE Regulation No. 160 and Implementing Regulation (EU) 2022/545. The EDR must capture and store predefined crash data from moments shortly before, during, and after an impact (e.g., speed, braking status, delta-v, seatbelt, and airbag status). A key requirement is ensuring that the recorded data can be retrieved. Pursuant to Article 4 of Implementing Regulation (EU) 2022/545, EDR data must be accessible via the standardized OBD/DLC port. If the port is rendered unusable due to a crash, direct access to the EDR module must still be possible. Moreover, OEMs are obliged to provide type-approval authorities and, upon request, interested manufacturers or repairers of diagnostic tools, with the necessary information to access, retrieve, and interpret EDR data. The regulation does not, however, specify detailed requirements in this regard. Tools for reading out EDR data are already available on the market for various manufacturers, but due to the regulation’s lack of detailed guidance, practical disputes often arise regarding the circumstances and level of detail with which such information must be provided.
Data Protection and Use of EDR Data: EDRs may not be used within the EU for behavioural monitoring. EDR data are primarily designated for accident reconstruction and safety enhancements, remain stored within the vehicle, and are not (permanently) transmitted. The “black box” becomes relevant solely in the context of an event scenario and does not continuously record driving data. Access to this data typically occurs through authorities or experts appointed by authorities during proceedings. Without the vehicle holder’s consent, third-party access to the data is generally not envisioned; however, in cases of severe accidents, law enforcement authorities may mandate its read-out. OEMs are required to maintain clear processes for expeditious, GDPR-compliant cooperation with official requests and ensure transparent communication regarding the installation of an EDR and the nature of data stored in the event of an incident. Establishing a clear distinction from eCall systems and defining internal responsibilities (e.g., a trained team) are also crucial to ensuring compliance and fostering consumer trust.
3. What is the impact of the EU Data Act on vehicle data, and how does it interact with existing regulations?
The EU Data Act (Regulation (EU) 2023/2854), applicable since September 2025, brings significant changes to access rights for in-vehicle data. Unlike sector-specific regulations (e.g., RMI rules), it adopts a general, user-centric framework. Key implications include:
- User-Driven Data Access Right: Users of connected products—commonly including vehicle holders, lessees, and fleet operators within the automotive sector—are entitled to access and utilize the data generated through product usage. This right primarily encompasses raw and pre-processed data (e.g., sensor or usage data), but excludes the manufacturer’s internal analyses or inferred data. Access may be provided directly within the vehicle, as stipulated in Article 3 of the Data Act, or may be obtained upon request from the OEM, as per Article 4 of the Data Act. In practice, access is often facilitated via apps, web portals, or the manufacturer's cloud systems. Access to the data must be free of charge and provided in a machine-readable format. Although real-time access through an API may be required depending on the specific use case, it is not mandatory in all instances. Practical disputes persist regarding further specifics, such as data formats. The European Commission has issued detailed guidance on managing in-vehicle data in compliance with the Data Act.
- Right to Make Available to Third Parties: Users may authorize third parties to directly access data from the data holder (e.g., independent repairers, roadside assistance providers, insurers, telematics providers). The data holder (e.g., the OEM or operator of a connected vehicle service) is obliged to facilitate this transfer (e.g., through an API/token system or by enabling retrieval by the third party with the user’s authorization). Users must not incur a financial burden for this process. In dealings with third parties, remuneration may be requested; however, this must be on fair, reasonable, and non-discriminatory (FRAND) terms, as outlined in Chapter III of the Data Act. Excessive charges that effectively hinder the transfer process are expressly prohibited. The Commission has issued model contractual terms, which are frequently employed in practice to structure the relevant data-sharing agreements.
- Delineation from Existing Data Access Rights: The Data Act supplements existing rules but does not replace them. Sector-specific laws (e.g., Articles 61 et seq. of Regulation (EU) 2018/858 on RMI) continue to apply concurrently. Overlaps exist (e.g., maintenance/fault data), though through distinct mechanisms: RMI allows direct access for independent operators, whereas access under the Data Act is often initiated via the user when the third party is not the user themselves. For OEMs, this necessitates the organizational and technical support of both “tracks.” Simultaneously, the Data Act facilitates new data flows that were previously minimally regulated, creating opportunities for innovative services while also intensifying competition. Coordinating these sets of rules into a coherent, functional process presents a practical challenge, which will be addressed in Part 2 of this FAQ.
- Safeguards for Data Holders (Including OEMs): Data holders may refuse or restrict access solely in narrowly defined, justification-dependent exceptional circumstances, such as specific cybersecurity risks, the protection of trade secrets, or the safeguarding of personal data of third parties. These grounds must be interpreted restrictively and cannot serve as a general instrument for blocking access. Where appropriate, alternative or secured access, or filtered data, must be provided to ensure that the core entitlement remains effective. Any refusal must also comply with the GDPR, ensuring that data subject rights concerning personal data are upheld.
- Relation to GDPR: Regardless of this, numerous unresolved issues remain concerning the sharing of personal data with third parties, particularly in multi-user scenarios (e.g., shared vehicle use). As the data holder is legally obligated under the GDPR to ensure that such data sharing is based on a valid legal basis, they will, in practice, conduct at least a basic review of data protection requirements—a process that can be operationalized. In shared user scenarios, it should be deemed permissible to rely on the so-called "primary user" (i.e., the owner or driver of the vehicle identified by the OEM), as ensuring compliance with data protection requirements when verifying access requests from other users unknown to the OEM would generally be challenging. In any case, effective data governance under the Data Act necessitates parallel data protection management to adequately address the associated risks. Further details can be found in Part 2 of our FAQ.
- Practical Impact and Relationship to Existing Rules: OEMs are required to design vehicles and IT systems to be “Data Act-ready,” encompassing the entire process from vehicle development to backend systems and customer processes. Data are considered “accessible” even if they are not displayed on the vehicle interface, provided they can be collected from the vehicle and made available via the backend without disproportionate effort. However, uncertainty arises regarding the accessibility of data that can only be retrieved in a workshop via the OBD II system (e.g., when a vehicle is not “connected”), which has led to disputes in practice. As many modern vehicles transmit telemetry data to manufacturer servers (“extended vehicle”), such connected vehicle data will typically be considered accessible and thus fall within the scope of the Data Act. Strategies aimed at avoiding data collection or storage are increasingly under scrutiny. The Commission’s guidance underscores that data which are technically easy to access should not be effectively withdrawn by employing “data minimisation as an access barrier.” Numerous borderline classification cases persist.
The Data Act primarily addresses data access beyond traditional repair purposes, enhancing data access rights for actors outside the scope of RMI, such as fleet analytics service providers. While the CJEU in 2023 clarified workshop access to OBD/RMI, the Data Act establishes an independent claim for user-triggered access to third parties, thereby imposing interface and process obligations on data holders, including OEMs. In practice, it remains to be determined whether the "via the user" principle sufficiently supports aftermarket applications, as parallel discussions are ongoing regarding sector-specific models, such as data platforms with real-time access. For OEMs, the critical requirement is that access must be user-friendly, free from unnecessary technical barriers, and non-discriminatory, ensuring parity of quality.
Overall, the Data Act mandates systematic planning for data access from the vehicle to the cloud/API, ensuring adherence to compliance and competition requirements.
4. What rights to data access are provided under the GDPR, and how do they correspond to the aforementioned rules?
- Right of access (Article 15 GDPR): Data subjects (e.g., vehicle holders or identifiable drivers) have the right to request information from the controller (typically the OEM or connected service) regarding which personal in-vehicle data are being processed. Upon such a request, the controller must provide a copy of this data. In practice, this encompasses telemetry and usage data stored in the backend (e.g., location or condition data) once such data are collected and processed from the vehicle by the controller. This right is independent of any other data access rights and operates alongside sector-specific regimes or the Data Act.
- Right to Data Portability (Article 20 GDPR): Data subjects are entitled to request the provision (or direct transmission) of their personal data in a structured, commonly used, and machine-readable format, provided such data is processed by automated means and typically based on a contract or consent. For in-vehicle data, this right can be particularly relevant, for instance, in cases involving the transfer of data to a telematics service. In comparison to the Data Act, Article 20 GDPR is more restrictive, with additional potential limitations, such as those arising from third-party rights.
- Comparison with RMI Regulations/Data Act and Compatibility: The GDPR partially overlaps with the RMI regulations and the Data Act but is distinguished by its distinct purpose and mechanisms.
GDPR Purpose and Procedure: The GDPR is designed to safeguard individuals and grant them control over their personal data. Articles 15 and 20 GDPR outline provisions for access and portability; however, they do not inherently mandate the establishment of a continuous third-party interface. The law refrains from specifying detailed methods for providing access under Article 15 GDPR. Its requirements are comparatively less stringent than those under the Data Act. Nevertheless, the Data Act serves to facilitate and expedite user-initiated sharing of data with third parties.
RMI Access vs. GDPR: RMI primarily focuses on fostering competition in servicing and typically involves non-personal or partially personal data (e.g., fault codes, repair information). OEMs are required to provide RMI access while simultaneously ensuring GDPR compliance by protecting personal data (e.g., restricting the data retrievable through the OBD interface where mandated by the GDPR). These frameworks operate concurrently. This is further reinforced by the Data Act, which explicitly states that adherence to the Data Act does not permit violations of the GDPR; data pertaining to third parties may need to be filtered or anonymized to ensure compliance.
Coherence and Integration: In practice, establishing a central portal that consolidates GDPR right-of-access/right-to-data-portability functions alongside the Data Act's "share data" features is a sound approach. This should include mechanisms for consent management and filtering of third-party data. Additionally, harmonising formats, such as ensuring machine-readable options via JSON or CSV, is strongly recommended.
In summary, the GDPR serves as the foundational protection for personal in-vehicle data. The Data Act and RMI complement the GDPR depending on their objectives—whether it pertains to user/third-party data access or workshop competition—but they provide significantly more specific provisions regarding the methods of data availability. By implementing "privacy by design" principles, such as access roles, legal basis, and filtering of third-party data, these regulatory frameworks can be practically harmonized.
5. What other rules are pertinent to accessing in-vehicle data?
In addition to the aforementioned rules, additional provisions and standards govern access to in-vehicle data and traffic-related data. Notable examples include:
- eCall Regulation (EU) 2015/758: Since March 2018, all new passenger car models in the EU are required to be equipped with an automatic emergency call system (eCall). In the event of a serious accident, the system automatically contacts the emergency call center and transmits a Minimum Set of Data (MSD), which includes the time of the incident, GPS position, direction of travel, vehicle identification, and information about the occupants.
Data Protection and Access: eCall remains inactive during normal operation. Location data may only be transmitted in the event of an emergency. Continuous tracking is strictly prohibited, and any data that is not required is promptly discarded.
Strict purpose limitation: Use permitted solely by authorized emergency services. The Regulation further mandates a clear separation of eCall from other services, prohibiting any “co-use” of the 112 infrastructure for telemetry. For OEMs and suppliers, this stipulates that eCall components must be operated in a technically independent manner from infotainment and telematics systems, with the regulation deliberately imposing strict limits on data access in this context.
- Intelligent Transport Systems (ITS) and the sharing of traffic-related data: EU legal acts encourage the exchange of safety-relevant traffic information (e.g., accident locations, ice warnings, wrong-way driver alerts) and, in certain cases, mandate its free-of-charge availability. Concurrently, initiatives such as "Data for Road Safety" involve OEMs voluntarily reporting anonymized sensor data (e.g., ABS interventions, fog light usage) to designated platforms. National laws may provide additional regulations in this domain (e.g., Section 63e StVG concerning traffic management). For OEMs, this field is often characterized by cooperation but remains heavily standards-driven: suppliers should ensure compliance with relevant formats and standards (e.g., DATEX II, ETSI CAM/DENM).
- Cybersecurity and Software Update Rules (UN ECE R155/R156, Regulation (EU) 2019/2144): These regulations mandate cybersecurity management and secure software practices throughout the lifecycle. While their main focus is IT security, they also impact data access by stipulating that security measures (e.g., secure gateways) must not effectively block legitimate access for independent repairers or public authorities. Additionally, UN ECE R156 enhances transparency regarding software status, imposing practical requirements to ensure update and status information remains accessible. Therefore, OEMs should consistently address security requirements in conjunction with data access rights.
- National Liability and Rules of Evidence: In certain instances, data retention and access requirements stem from considerations within civil law. For example, in Germany, Section 63a StVG establishes a legal entitlement to specific driving mode or accident-related data, with the possibility of further strengthening these provisions (e.g., granting more direct access to injured parties or insurers). Additionally, there is ongoing discussion regarding secure access by testing organisations (such as TÜV and DEKRA) to electronic systems and fault memory data for the purpose of conducting periodic technical inspections (HU). This issue is of particular significance for diagnostic service providers.
- Data Governance Act (DGA) and Data Altruism: The Data Governance Act (DGA), effective since September 2023, facilitates data sharing by establishing a framework for data intermediation services and voluntary data sharing (“data altruism”). While it does not create individual data access rights, it enables trustee/intermediary models wherein a neutral third party pools in-vehicle data and provides access in a controlled manner. This framework offers an appealing solution for OEMs and suppliers to organize secure, GDPR-compliant data transfers and foster trust.
In summary, additional regulations governing access to in-vehicle data are distributed across various domains, including emergency call systems, road safety, IT security, and matters of liability and evidence. These rules impose, in part, additional obligations and, in part, define clear limitations. Notably, eCall requirements and national evidence laws demonstrate that legislators aim to balance safety, privacy, and data access in a deliberate manner. Consequently, companies should regard these requirements as integral to a comprehensive data governance strategy (see Part 2 of this FAQ).