PRACTITIONER FAQ

Auto OEM + Dealer + Insurer: Vehicle Telematics Is Personal Data — and Warranty Consent Doesn't Cover UBI

10 min read | Auto OEM DPO · Dealer Compliance · Motor Insurer Legal · Connected Vehicle Product Manager | April 2026
PRACTITIONER FAQ · EPISODE 07 OF 10 · Automotive · Dealer Network · Insurance

GPS location, speed, braking patterns. Three parties in the data chain. The "warranty and service" consent at purchase authorises none of the downstream uses. Here's the compliant telematics architecture.

THE SCENARIO

A passenger car OEM sells connected vehicles transmitting real-time telematics: GPS, trip history, speed, hard braking, engine diagnostics. Used for predictive maintenance and shared with dealers for service scheduling. The OEM partners with an insurer for usage-based insurance (UBI) where premiums are calculated from individual driving behaviour scores. Initial consent at purchase was for "warranty and service."

FIGURE — Three-Party Consent Chain (Vehicle Telematics)

OEM (Data Fiduciary #1): Warranty consent. ✓ Predictive maintenance. ✗ UBI data without consent. ✗ Dealer sharing w/o consent.
Authorized Dealer (Likely co-Fiduciary): Order contact data. ✓ Service scheduling. ✗ CRM marketing use. DSA with OEM required.
Insurer (UBI) (Independent Fiduciary): Telematics data. ✓ UBI scoring w/ consent. ✗ Auto-enrolment. Fresh consent at offer.
Customer Rights: Cannot be conditional. Can refuse UBI. Core features intact. Can withdraw consent. Separate per purpose.

Q 7.1

Vehicle telematics data (GPS, driving behaviour) — is this personal data under DPDP?

Yes, unambiguously. Under §2(t), personal data is "any data about an individual who is identifiable by or in relation to such data." Vehicle telematics is tied to a registered vehicle number linked to a named owner — directly identifiable. GPS location history revealing home address, workplace, places of worship, and medical facilities visited is among the highest-risk processing activities under any data protection framework. The "warranty and service" consent does not cover: continuous GPS tracking, dealer sharing for commercial follow-up, or insurer sharing for premium calculation.

Q 7.2

Can the OEM share telematics with the insurer for UBI pricing without specific consent?

● PROHIBITED

Prohibited without specific consent. This is a materially different purpose from the original warranty/service consent. The OEM must present a distinct UBI consent at the appropriate moment. Critically, the customer must be able to refuse UBI data sharing without losing core vehicle features (navigation, remote diagnostics for safety). Conditioning core product functionality on insurance data sharing consent is coercive consent under §6(3).

Q 7.3

Dealers receive customer contact data for service follow-ups. Are dealers Processors or Fiduciaries?

Dealers are likely independent Data Fiduciaries — they make independent decisions about CRM use, follow-up timing, cross-selling, and retention. The OEM needs a Dealer Data Agreement (distinct from the franchise agreement) that: specifies permissible uses, prohibits dealers from using data beyond OEM-referred services, requires dealers to honour customer data requests, and mandates breach notification to the OEM.
