The project title AUTOPSY relates to the Greek αὐτοψία (autopsia) “to see for oneself” to resemble that privacy requires to be transparent, especially in the context of GDPR, and additionally highlights the automotive focus of the project.

Faster and faster innovation cycles in the IT and electronics industry lead to new global trends such as IoT, cloud, or AI that change several aspects of our everyday lives. For example, in the transportation domain, trends such as autonomous driving, e-mobility and shared mobility will significantly impact our ways of life towards more safety, quality of life and sustainability. They all have in common that they heavily benefit from and rely on large amounts of very specific data that are continuously generated on the user, the environment or the underlying technical system.

As illustrated below, the development and deployment of connected vehicles, Smart Cars Applications and Automotive Services (e.g., Mobility, Traffic Management, Parking Management, etc.) relies on the generation, processing and sharing of unprecedented amounts of data. This need is further exacerbated in the context of autonomous driving vehicles wherein data, that needs to be shared with other vehicles, the infrastructure and remote services hosted in the Cloud, is of particular importance.


To allow such complex systems, special ECUs (Electronic Control Units) are commonly installed in vehicles to control the operation of telematics systems. The Telematics Control Units (TCUs) are in charge of wireless tracking, diagnostics and communication to/from the vehicle. These systems are also used in eCall crash notification, electronic tolling, vehicle locating and monitoring, geo-fencing, remote operations (e.g., start/stop, door lock/unlock), among many others. In parallel, Smart Cities Infrastructures and streets are progressively instrumented with Road Side Units (RSU), Intelligent Traffic Lights (ITL), and Smart Parking Meters, among many other connected devices (IoTs) that continuously monitor the environment (e.g., vehicles, pedestrians, weather) and collected and/or aggregated data is sent to the cloud (or intermediary edge-nodes/gateways) to feed smart applications and services.

In January 2020, the European Data Protection Board published a draft “Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications”. In this draft version, open to feedback until March 2020, the EDPB states that the compliance with the European Data Protection and Privacy Laws implies, for each stakeholder, to incorporate the “protection of personal data” dimension from the product design phase, and to ensure that car users enjoy transparency and control in relation to their data. While for example Internet browsers provide mature and sophisticated methods to provide services and ensure privacy, the implementation of such guidelines is still fully unclear in application domains such as automotive to date.

“… the connected vehicle and every device connected to it shall be considered as a ‘terminal equipment’ (just like a computer, a smartphone or a smart TV) and provisions of art. 5(3) ePrivacy directive must apply where relevant.”[1] This means, that the same high standards will be applied and must be integrated into products with significantly longer development cycles of 7 years or more.

The EU set global standards by establishing GDPR. While the Internet and IT driven domains are already adopting the standards, other domains fell behind. Recent cases such as the 200 million € fine on British Airways[2] or the 100 million € fine on Marriot[3] show that privacy is taken seriously and will be enforced. AUTOPSY aims at establishing a model-driven approach to privacy to assess an implementation strategy and technical concepts for GDPR compliant communication in the automotive domain.

The core aspects of GDPR according to GDPR Article 5(1) and (2) are:

  • Lawfulness, fairness and transparency: are the legal requirements for processing data fulfilled?
  • Purpose limitation: is the data only processed in the specified, explicit and legitimate purposes and not further?
  • Data minimization: is the processing adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed?
  • Accuracy: inaccurate personal data or data not up to date has to be erased
  • Storage limitation: data permitting identification of subjects shall be stored for no longer than necessary.
  • Integrity and confidentiality: appropriate security mechanisms have to be implemented to protect the data.
  • Accountability: the processing authority has to be able to demonstrate to comply with the previous criteria


Identifying the critical aspects and bringing them into technology, are the core objectives to be investigated in this project proposal. As sample, data flow across multiple technical layers is shown in Figure 1.The system contains several data flows, points of aggregation and analysis and potential mergers of data. The impacts have to be modelled to create a privacy-preserving architecture.

[1] Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications