MIL-OSI Europe: Answer to a written question – Data leak affecting owners of Volkswagen Group electric vehicles – E-000182/2025(ASW)

1. Based on the limited information available to the Commission, it is not possible to assess whether such data-collecting activity may infringe the EU competition rules. This would require an in-depth investigation of all the facts of the case which may require, for example, the definition of the relevant market(s), Volkswagen Group’s position on the market(s), and the conditions under which the data is collected.

2. When personal data are processed, controllers must comply with the General Data Protection Regulation (GDPR)[1]. This includes the obligation to comply with principles related to the processing of personal data, including data minimisation, storage limitation and integrity and confidentiality[2]. Controllers are required to implement technical and organisational measures to ensure a level of data protection and security appropriate to the risk of processing[3]. The GDPR lays down obligations for controllers in the event of a personal data breach, including the obligation to inform the competent national supervisory authority and, where the data breach is likely to result in a high risk, the data subject[4].

In 2020, the European Data Protection Board issued guidelines concerning the application of the GDPR to connected vehicles[5].

3. Without prejudice to the competences of the Commission as guardian of the Treaties, the enforcement of the GDPR in individual cases lies primarily with the competent national supervisory authorities and courts, who would be well placed to answer these specific questions.

• [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88.
• [2] Article 5(1) GDPR.
• [3] Articles 25 and 32 GDPR.
• [4] Articles 33 and 34 GDPR.
• [5] Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications, https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012020-processing-personal-data-context_en