4.4.1 Afspraken: Engagementen van alle actoren - Data

Under the draft, “(real-time) location data” is to be considered personal data of a sensitive nature and may also qualify as “special categories of personal data” to the extent they reveal passenger’s political opinions, religious beliefs, sexual orientation, etc (Article 9 GDPR). The framework should therefore recognise that MaaS providers, acting as data controllers, are under no obligation to share users’ location data. Mandating 3rd party data access/use is unlikely to meet the principles of necessity and proportionality. Furthermore, MaaS providers may share location data providing that passengers and drivers have given their consent (Articles 4, 7, 9). 3rd parties must also stop the processing as soon as users have withdrawn their consent, either on the MaaS provider’s platform, or directly from the third party controller (Article 14(2)(d)). Finally, this data governance scheme should not be understood as an exercise of users’ right to data portability under GDPR.