EaP RSO webinar explores data protection essentials for road safety

Published on: December 16, 2025

On 12 December 2025, the EaP RSO hosted a webinar on data protection and road safety data management. Data protection expert Aida Kaloci from a leading Belgian law firm guided participants through the legal landscape governing road safety information under the EU's General Data Protection Regulation (GDPR).

Road safety improvements are built on solid data, but data protection compliance ensures authorities collect what they need, protect what they collect, and maintain public trust. While GDPR is EU legislation, Eastern Partnership countries are increasingly adopting similar frameworks, with the core principles - lawfulness, transparency, accountability, and individual rights -serving as universal standards for responsible data handling.

Data protection and privacy is rightfully an important consideration for Eastern Partnership countries. However, it can often be cited as a barrier to fully sharing data – limiting the effectiveness of interventions due to insufficient evidence upon which to base decisions. However, this does not need to be the case. Rather, when delivered in compliance with GDPR and universal principles of data protection, road safety data is safe to share not only with road safety observatories but also between government departments within the same country to aid effective governance and decision making.

The aim of the webinar was to guide public authorities on safe and legal ways in which road safety data can be shared and processed. It focused on several key areas.

1. The valid legal basis for collecting, sharing, and processing road safety data. 

Kaloci highlighted that in the context of road safety, data processing will typically fall into one of two legal categories: 

  • Public task - when processing is necessary for performing duties in the public interest, such as improving road safety. 
  • Legal obligation - when law explicitly requires data processing.

She emphasised that choosing the correct legal basis is not optional, but that for public authorities, the legal basis of "consent" is rarely appropriate due to inherent power imbalances. Organisations must maintain consistency once they have selected a legal basis.

2. What constitutes personal data, and what is necessary to collect for informing road safety policies.

Beyond obvious identifiers like driver names and vehicle registration numbers, indirect identifiers can be equally sensitive. GPS coordinates, regular journey patterns, vehicle make and model combinations, and timestamp-location combinations can all identify individuals when combined or cross-referenced.

Key compliance strategies therefore need to include: 

  • Data minimisation - such as presenting or sharing data by location, time, or vehicle type and not by individual driver details,
  • Implementing strong security measures with encryption and access controls - such as adhering to Observatory requested file formats and submission guidelines,
  • Maintaining transparency through clear signage, audit trails, and privacy notices,
  • Establishing retention schedules.

As Kaloci emphasised, GDPR compliance is not merely a legal requirement - it is essential for maintaining public trust and ensuring road safety systems function effectively. 

3. The use of event data recorders (EDRs), telematics and other emerging technologies.

EDRs and telematics can capture highly valuable information such as vehicle speed, braking, location, and driver behaviour – all of which helps authorities to better understand crash causes, improve vehicle design, and develop evidence-based road safety policies. These technologies are increasingly mandated or encouraged, for example, the EU's General Safety Regulation mandates EDRs in new vehicles from July 2024 because of their strong potential to reduce fatalities and serious injuries when data are used responsibly and proportionately.

At the same time, emerging technologies are transforming road safety by enabling real-time monitoring, predictive analytics, and deeper insight into crash risks, but they also significantly increase data protection risks. The Tesla case illustrates governance challenges when manufacturers resist sharing vehicle data with authorities, citing proprietary concerns and customer privacy. This highlights the need for clear legal frameworks balancing innovation, privacy, and public safety.

The webinar concluded with recommending a practical action plan to aid GDPR compliance in the road safety context. Steps included:

  • audit current practices against GDPR principles,
  • engage data protection officers early in new projects,
  • conduct impact assessments for high-risk processing,
  • document all processing activities,
  • implement privacy-by-design,
  • train staff regularly,
  • create efficient procedures for handling data subject rights requests.

The topic of this webinar was requested as a core area of learning by national stakeholders and counterparts in the EaP member countries. For latest details about upcoming webinars and learning opportunities, check out our News and Events page.

Related Items

Data Report Road User Vulnerability Oct 2025 Thumbnail

Data Report | Mapping road user vulnerability: Regional patterns in fatalities and injuries

Produced by the Eastern Partnership Road Safety Observatory.

CADAS Thumbnail

Editorial | Road safety data: CADaS, Mini-CADaS and the EaP RSO database

One of the core objectives of the EaP RSO is to unify and simplify data collection across the region based on CADaS and Mini-CADAS processes and make this available to decision makers.

EU Policy Framework Thumbnail

EU road safety policy framework 2021-2030

Produced by the European Commission: Directorate-General for Mobility and Transport.