November 14, 2023

Driving data privacy: How Smartcar navigates GDPR compliance

Erica Bickel

Content Marketing Manager

Tableau reports that 63% of global online users believe companies aren’t entirely truthful when it comes to how they use customer data. In the same poll, 48% of UK-based customers stated that they had entirely stopped using a company based on privacy concerns. With data protection at the forefront of political news, safeguarding user privacy should be a top priority for businesses in the 2020s.

On May 25, 2018, the European Union signed the General Data Protection Regulation into law, requiring all businesses operating in or with the EU to create and maintain a new level of consumer privacy. Compliance with the act, even as an American company, is mandatory to continue business in the EU — and Smartcar is committed to these regulations.

What is the GDPR?

The General Data Protection Regulation, or GDPR, is a law drafted by the European Union (EU) that establishes a comprehensive set of guidelines for the protection of personal data. Regarded as one of the toughest privacy and security regulations in the world, the act details requirements for companies operating in the EU, or those with customers who are European citizens or residents. Aimed at granting individuals greater control over their personal data, the GDPR sets out seven transparency and accountability principles, among others, that organizations must follow to ensure compliance. Failure to do so results in significant fines (including up to 4% of global revenue!) and serious litigation risks from those affected.

What does the law protect against?

Compliance with seven “protection and accountability” principles is required for companies that process data in the EU. According to the European Commission, these include:

Data controllers must also prove GDPR compliance with written documentation, effective employee training, and data processing agreements with third-party agents when applicable. Except in extremely rare cases, companies cannot collect, store, or sell users’ personal data, as data subjects have extensive privacy rights — most notably, the right to erasure.

We encourage our users to read the full General Data Protection Regulation for more information.

What is Smartcar’s stance on the GDPR?

We’re happy to share that Smartcar is fully GDPR compliant. This means that we’ve successfully demonstrated accordance with GDPR’s substantial standards for data protection, privacy, and security for our customers, employees, and partners. Moving forward, all future decisions will be made “by design and by default,” or with data protection top of mind.

Under GDPR, Smartcar is considered a data processor with regard to vehicle data. This means that we process personal data on behalf of each data controller, i.e. companies or services that work with individual vehicle owners (referred to in the GDPR as “the data subject”). As always, we require consumer consent to connect, and do not collect, store, or sell personal data.

What other security measures does Smartcar have in place?

Smartcar unequivocally believes in the right of vehicle owners to fully own and control their personal data. In addition to GDPR compliance, we have the following measures in place.

Smartcar Connect is our user onboarding flow, in which user consent is collected in compliance with the OAuth2 authorization protocol over an SSL-encrypted connection. Vehicle owners can review the specific permissions requested by an app before consenting to share access to those specific data points or actions. Smartcar’s End User Privacy Policy is embedded within the flow to ensure users know how their information is handled. Additionally, Smartcar allows customers to link their own privacy policy into the flow as well.

Smartcar runs on industry-standard cloud infrastructure that establishes security best practices to prevent unauthorized access to our platform. All requests to Smartcar services must be encrypted using HTTPS, and all data stored on our platform is protected with Advanced Encryption Standard (AES) 256-bit encryption.

Smartcar also undergoes annual penetration testing, maintains a Vulnerability Disclosure Policy (VDP), and annually re-attests to SOC 2 Type 2 compliance. Our platform processes only the data necessary to serve our customers. With Smartcar, vehicle owners can revoke their consent at any time.

How can Smartcar help me?

Visit our data security page to learn about the measures we take to ensure the safety of the Smartcar platform, or contact your Customer Success Manager to see the full results of our various tests. If you’re evaluating Smartcar, you can contact our Sales team to request a copy of these reports as part of your vendor security and compliance process.
