Andres Saravia 2025

Another Brick in the Wall

The Intersection of Carmakers and
Music Streaming Services: A Threat
to Privacy?
Two years ago, Peter purchased a hybrid car
equipped with advanced AI-driven
infotainment features, including a music
streaming service. By linking his existing
account, the system personalized the
experience by learning user behaviors and
preferences. It identified who was in the car,
optimized routes, and tailored music
selections. Peter loved rock, and his wife
Karen enjoyed classical music and podcasts.

At the same time, his best friend Mike

preferred romantic tunes. However, during a
trip with Karen, Peter discovers her affair
with Mike when the system mistakenly plays
Mike’s playlist for Karen and reveals her
frequent trips to Mike’s house. This AI
inadvertently exposed Karen’s betrayal. Hers
and Mike's funeral was held 2 days later.
As connected cars become ubiquitous and
infotainment systems integrate with music
streaming platforms like Spotify and Apple
Music, an unsettling reality emerges:
carmakers may now identify drivers and
passengers with startling accuracy.

Cars & Privacy 1

 Andres Saravia 2025

This ability is derived from combining driver Ah, the evolution of in-car audio
behavior profiles with personal data from systems, a shining example of
streaming services, creating a comprehensive humanity’s relentless pursuit of
digital portrait of individuals. While this technological convenience. We’ve
technological convergence promises come a long way from humble cassette
personalization and convenience, it also raises players. Now, our cars are essentially
profound privacy concerns. rolling entertainment hubs that can
stream music, take voice commands,
and sync with our smartphones. But
How Carmakers Identify Drivers
they don’t stop there.
Modern vehicles are equipped with sensors
that monitor driving behavior, including These systems don’t just play music;
acceleration, braking, steering inputs, and they listen—and boy, do they listen
route choices. These patterns create a unique well. Every time you skip a track,
“driving profile,” much like a fingerprint, that favorite a song, or select a playlist, your
can identify a specific driver. car lovingly takes notes. Sure, they call
it “curating personalized experiences,”
but let’s be real: it’s a detailed dossier
on your driving habits and musical
quirks. Who wouldn’t want their car to
Research shows that machine learning know their deep love for 80s synth-pop
algorithms can analyze this data to or their tendency to blast sad ballads
distinguish between drivers with over 90% during traffic jams?
accuracy. Combined with in-car accounts
2. Cross-Referencing with Other Data
linked to mobile devices, GPS data, and
• Carmakers and third parties could
seat sensors, carmakers can pinpoint not
combine driving profile data with other
just the driver but potentially other
information, such as GPS data, mobile
passengers in the car.
device connectivity, or user accounts
linked to the vehicle. This cross-
Can Driving Profiles Identify
referencing can make identification even
Drivers?
more precise.
1. Behavioral Biometrics 3. Use Cases and Risks
• Driving habits can act as a form of • While this capability could be used
behavioral biometrics. Just as a person’s positively—for example, to personalize in-
typing speed or gait can be unique, their car settings or improve security—it also
driving style can be distinctive enough to raises concerns about privacy.
serve as a personal identifier.

Cars & Privacy 2

 Andres Saravia 2025

The ability to identify who is driving could lead

to unauthorized tracking, discriminatory
practices (e.g., higher insurance premiums
based on perceived risk), or misuse by law
enforcement without appropriate safeguards.

How Carmakers Can Identify

Individuals Through Music Streaming
Services
1. Account Linking
• Most music streaming services like Spotify,
Apple Music, and others require users to log in
with a personal account.
• If the account is connected to the car’s
infotainment system, the carmaker may
associate the account with a specific driver or
passenger.

2. Playback History and Preferences

• Streaming services collect detailed data
about users’ listening habits, including
preferred artists, genres, playlists, and even
the time and frequency of listening.
• This information is highly personal and
unique to each user.
3. Device Syncing
• Many cars allow passengers to sync their
phones via Bluetooth or USB. The synced
device often shares user-specific identifiers,
such as the device name or streaming
account.

Cars & Privacy 3

 Andres Saravia 2025

4. Shared Data from Streaming Services • Personal Preferences: Details like

• Some carmakers have agreements with preferred music, frequent destinations,
streaming platforms to integrate services and contacts synced from mobile
directly into their infotainment systems. This devices.
integration may involve sharing playback data, • Biometric Data: In some cases, facial
which could then be used to identify recognition or fingerprint data for
individuals. driver authentication.

Data Collection in Modern Vehicles Processing and Sharing of Collected

Today’s cars are embedded with sensors, GPS Data
systems, and internet connectivity, enabling
Manufacturers process this data to
them to gather data such as:
improve vehicle performance, develop
• Location Tracking: Real-time and historical
new features, and enhance user
data of a vehicle’s whereabouts.
experience. However, concerns arise
• Driving Behavior: Information on speed,
when this data is shared with third
acceleration, braking patterns, and seatbelt
parties, including insurance companies,
usage.
marketers, and data brokers. For
instance, certain automakers have been
reported to share location and driving
behavior data with data brokers
Regulatory Landscape without explicit consumer consent.
In the United States, there is no
comprehensive federal law specifically
governing the collection and sale of Concerns from Authorities,
personal data by car manufacturers. The Organizations, and Citizens
Federal Trade Commission (FTC) oversees
Privacy advocates and lawmakers have
consumer protection and has the
expressed alarm over the extent of data
authority to act against unfair or
collection by modern vehicles. A study
deceptive practices, but explicit
highlighted that many car buyers do not
regulations targeting automotive data
consent to extensive data collection when
collection are lacking. This regulatory gap
purchasing a vehicle or using carmaker
has led to calls for more robust privacy
apps. The Mozilla Foundation reviewed 25
protections.
car brands and found that manufacturers
collect, share, or sell data with little
consumer control.

Cars & Privacy 4

 Andres Saravia 2025

The General Data Protection Regulation

(GDPR), enforced in the European Union (EU),
has significant implications for connected cars
and their data collection practices. While
GDPR provides a robust framework for
protecting personal data, automakers face
challenges in ensuring compliance due to the
vast and complex nature of vehicle data
processing. Here’s an overview:

1. Definition of Personal Data

• Under GDPR, personal data includes any
information that can identify an individual. For
connected cars, this includes:
• Location data (GPS tracking).
• Biometric data (e.g., fingerprint or facial
recognition for driver authentication).
• Driving behavior (e.g., speed, acceleration,
and braking habits).
s.

• Vehicle Identification Number (VIN) if tied

to a user profile.
• Automakers must treat all such data as
personal data and apply GDPR protections.

2. Consent and Transparency

• GDPR requires automakers to obtain
explicit, informed consent from users before
collecting or processing their personal data.
• Many manufacturers fall short in providing
clear, user-friendly privacy notices. Consent
is often bundled into lengthy terms of
service, leading to potential non-compliance.

Cars & Privacy 5

 Andres Saravia 2025

3. Data Minimization Potential Consequences

• GDPR mandates that only necessary data be
If carmakers use driving profiles to
collected and processed. However, many
identify drivers without proper
connected cars gather extensive data for non-
safeguards, it could lead to:
essential purposes, such as marketing or
• Erosion of Privacy: Drivers may feel
resale to third parties, raising compliance
constantly surveilled, even when not
concerns.
using connected services.
4. Right to Access and Erasure
• Misuse of Data: Insurance companies
• Users have the right to access their data,
or employers could use driving profiles
know how it is processed, and request its
to discriminate or penalize individuals.
deletion (“right to be forgotten”).
• Legal Liability: Non-compliance with
• Implementing these rights in connected cars
privacy laws could result in hefty fines
is challenging due to fragmented systems and
and damage to brand reputation.
multiple data processors (e.g., automakers,
third-party apps, insurance companies).
5. Data Security Current Investigations and Potential
• Connected cars are vulnerable to
Fines
cyberattacks, which can compromise personal
data. GDPR emphasizes robust data security The FTC has been urged to investigate
measures, and breaches can lead to significant automakers like General Motors,
fines. Honda, and Hyundai for their data-
sharing practices.

1. Volkswagen and Audi

• A 2023 German investigation examined
whether Volkswagen and Audi were using
driving profiles to track individual drivers
3. Data Breaches
without sufficient transparency.
• In 2022, a major automaker experienced
a data breach that exposed detailed
2. Tesla’s Insurance Program
driving profiles of thousands of users. The
• Tesla’s insurance program uses driving
breach highlighted the risks of collecting
data, including braking and acceleration
and storing sensitive behavioral data
patterns, to calculate premiums. Critics
without robust security measures.
argue that this data could also be used to
identify drivers, potentially creating a
surveillance mechanism under the guise of
personalization.

Cars & Privacy 6

 Andres Saravia 2025

Music Streaming Services and

Profiling. The Other Players
Music streaming platforms also track
extensive user data:
• Playback History: Favorite artists, genres,
and playlists.
• Listening Habits: Times of day music is
played, mood-based playlists.
• Account Information: Name, email, payment
details, and linked devices.

When carmakers integrate services into their

infotainment systems, it's like they've struck
gold with a jackpot of personal data. They can
mix this with driving profiles to create an even
more detailed identity portrait. For example,
the playlist you jam to during your commute?
That’s just another delightful breadcrumb in
their treasure map of who you are in that
shared vehicle.

Who wouldn’t want their musical taste to be

part of a corporate data buffet? Just what
we need: more ways for companies to know
us better than we know ourselves. Dinner is
served!
Modern infotainment systems are paragons
of connectivity. With Bluetooth, Wi-Fi, Apple
CarPlay, and Android Auto, your car isn’t just
a car, it’s a tech sponge. You can stream
music, navigate city streets, and make
hands-free calls. Amazing, right? Well, here’s
the catch: the moment your phone connects,
your car eagerly rummages through your
media libraries, call logs, and app usage like
an overzealous digital butler.
Cars & Privacy 7
 Andres Saravia 2025

Sure, it’s all in the name of convenience, but 1. Music and Social Identity: Your
isn’t it delightful to know your playlist and Personality, in 3-Minute Chunks
phone history might be as accessible as your
glovebox? Music isn’t just sound; it’s your
personal branding. The genre, artist, or
track you’re jamming to? Clearly, it’s a
Identifying the Partner by the Music: full-blown exposé of your soul, mood,
Because Playlists Are Dead and social life. Forget subtlety—your
Giveaways choice of Adele’s love ballads or 90s
punk rock is obviously the Rosetta
Ah, the audacious idea that you can crack the
Stone to your relationships.
mystery of who’s in the passenger seat simply
by analyzing the tunes blasting from the
2. Factors Influencing Music Choices:
speakers. Because, of course, your Spotify
CSI, but for Playlists
playlist is practically a neon sign announcing,
“This is who I am, and here’s who I’m with!”
Let’s break it down with laser-sharp
Let’s dive into this groundbreaking theory,
precision:
shall we?
• Personal Preferences: Did you grow
up with Mozart or Tupac? Well,
congratulations! Your entire social
circle can be deduced from that.
Classical aficionado? You must be deep
and cultured. Hip-hop enthusiast?
• Contextual Influences: Romantic tunes? Clearly edgy and urban.
Must be date night. Party anthems? You’re
out with friends. Anything remotely chill?
Obviously your boss is in the car. Nothing
ever complicates these crystal-clear • With Friends: Top 40 hits, because
correlations, right? apparently friendship is defined by your
• Demographic Indicators: Age, gender, mutual love for chart-topping earworms.
and cultural background totally lock down • With a Boss/Colleague: Cue the elevator
your playlist choices. Young? Pop and jazz or instrumental classics. Everyone
EDM. Old? Jazz and rock. Subtlety is dead. knows professionalism can only be
expressed in Muzak.
•3. Analyzing Specific Scenarios: Sherlock • Alone: Time for niche indie artists or
Holmes of Soundtracks heartbreak anthems. Solitude has a
• With a Lover/Partner: Break out the Ed sound, and it’s artsy and introspective.
Sheeran and swoon-worthy ballads. • With Strangers: Generic radio hits,
Nothing says “romantic getaway” like your because why connect when you can coast
playlist screaming, “Yes, we’re a couple!” on the blandest tunes imaginable?

Cars & Privacy 8

 Andres Saravia 2025

4. Limitations of This Utterly Foolproof System

Let’s reluctantly admit a few flaws in this
bulletproof logic:
• Shared Tastes: Oh, you and your partner
both like the same music? Guess the system
just imploded.
• Cultural Variability: Who knew? Not all music
tastes fit into neat demographic boxes.
Shocking.
• Situational Contexts: Apparently, playlists
can be influenced by, I don’t know, the
situation. Like road trips or rush hour. But
surely, that’s irrelevant.

So, next time you’re trying to identify your car

companion based on the music, remember:
playlists may not be bloodhounds, but hey,
they’re a fun way to jump to wild conclusions.
Who needs nuance when you’ve got Spotify?

Spotify & Apple

Algorithms
Can Spotify and Apple Music
Determine Who is Listening to
Specific Music and in Which
Situations?
1. Data Collection Mechanisms
Both Spotify and Apple Music collect a
variety of data from their users, which can
include:
Cars & Privacy 9
 Andres Saravia 2025

User Accounts: When users create Playlists and Recommendations:

accounts, they provide personal The algorithms used by these
information such as name, email address, services analyze user preferences
and payment details. to suggest playlists that might fit
Listening Habits: These platforms track certain moods or activities (e.g.,
what music users listen to, how often they workout playlists vs. relaxation
listen to specific tracks or artists, and the playlists).
duration of each listening session. Location Data: If users grant
Device Information: They also gather data permission, these platforms can
about the devices used for streaming (e.g., access location data through
smartphone model, operating system) mobile devices. This could
which can help infer context about the potentially allow them to infer
listening environment. context—such as whether a user is
2. Contextual Analysis of Listening Behavior at home, commuting, or at a gym—
While Spotify and Apple Music do not directly based on location trends over time.
monitor the physical environment (like volume However, it is important to note that
levels or specific situations), they can analyze while they can gather extensive data
user behavior patterns based on available about listening habits and preferences,
data: they do not have direct access to
determine who is physically present
with the listener or the exact situation
in which music is being played.
3. Privacy Concerns Under GDPR
The General Data Protection Regulation
(GDPR) imposes strict guidelines on how
companies handle personal data within the
European Union. Key privacy concerns User Rights: Users have rights under
related to Spotify and Apple Music include: GDPR including access to their
Consent: Both platforms must obtain personal data, the right to rectify
explicit consent from users before inaccuracies, and the right to request
collecting personal data. This includes deletion of their data. Companies
informing users about what data will be must have processes in place to
collected and how it will be used. comply with these requests.
• Data Minimization: Under GDPR principles, Data Breaches: In case of a data
companies are required to collect only the breach involving personal information,
data necessary for their services. This both Spotify and Apple Music are
means that any unnecessary tracking of user obligated under GDPR to notify
behavior beyond what is needed for service affected individuals and relevant
provision could violate GDPR rules. authorities promptly.

Cars & Privacy 10

 Andres Saravia 2025

In summary, while Spotify and Apple Music

can gather significant amounts of information
regarding listening habits through various
means such as account creation and device
usage patterns, they cannot definitively
determine who is listening in real-time or
assess specific situational contexts without
additional permissions. Furthermore,
compliance with GDPR adds layers of
responsibility regarding user privacy that
these companies must adhere to.
Probability that this answer is correct: 95%

User Agreements: The Fine Print

You’ll Never Read
Of course, before you can enjoy these
features, there’s the mandatory ritual: the
user agreement.

A riveting read, if you’re into legal jargon,

these agreements lay out exactly how your
data will be collected, stored, and shared.
Spoiler alert: it’s rarely in your favor.

Don’t worry if you skimmed over those 14

pages of fine print. Somewhere in there, you
probably agreed to share your data with
third-party partners, let manufacturers keep
it indefinitely, or use it for something vague
like “product improvement.” What could
possibly go wrong?

Cars & Privacy 11

 Andres Saravia 2025

The Risks of Combining Profiles: The So, the next time your car syncs with
Bomb Is Ready your phone, just remember: it’s not just
driving, it’s watching, listening, and
Sure, all this innovation sounds great, until learning. Isn’t technology grand? Here
you start wondering where all that data is what you are giving to them:
goes. Is it securely stored? Could it be
hacked? Will it end up in the hands of some 1. Increased Surveillance
third-party advertiser who thinks you need By merging driving and streaming
more scented car fresheners? These are profiles, carmakers can create a 360-
minor, totally insignificant questions, of degree view of individuals, tracking not
course. just where they go but also their
The real fun begins when you try to preferences, moods, and routines.
compare privacy practices across 2. Data Monetization
automakers. Spoiler: it’s a maze of Combined profiles offer immense value
inconsistency and vagueness. But hey, why for targeted advertising and data
worry about transparency when you can monetization. Advertisers could use
enjoy a personalized driving soundtrack this data to deliver hyper-targeted ads,
instead? while insurers might adjust premiums
based on inferred risk levels.

3. Security Risks
A data breach exposing combined profiles
would reveal sensitive information,
including behavioral patterns, travel
histories, and personal preferences.
4. Loss of Autonomy
The constant tracking and profiling could
lead to feelings of being surveilled,
impacting how individuals use their vehicles
or interact with streaming services.

Cars & Privacy 12

 Andres Saravia 2025

Relevant Privacy
Regulations
General Data Protection Regulation
(GDPR)

Under the GDPR, personal data includes any

information that can identify an individual.
Driving behavior and music preferences, when
linked, fall under this category. Key principles
include:
• Consent: Users must give explicit consent
for data collection and processing.
• Transparency: Companies must disclose how
they use data.
• Rights to Access and Erasure: Individuals can
access their data and request its deletion.

California Consumer Privacy Act

(CCPA)
The CCPA gives California residents the right
to know what data is collected about them
and to opt out of its sale. However, it does
not explicitly address cross-platform data
sharing.

Cars & Privacy 13

 Andres Saravia 2025

The Always-The-Same Proposed 4. User Control and Consent

Solutions to Protect Privacy • Implement opt-in systems for data
collection.
1. Stronger Regulatory Frameworks • Provide clear, easy-to-understand
Governments must address the gaps in privacy settings.
privacy laws, particularly in the U.S., to • Allow users to review, manage, and
regulate cross-platform data sharing and delete their data.
ensure transparency. 5. Anonymization of Data
2. Data Minimization Combining profiles should involve
Companies should limit data collection to anonymized or pseudonymized data,
what is strictly necessary for functionality, ensuring that the identity of users
avoiding unnecessary profiling and tracking. cannot be easily inferred.
3. Decentralized Data Storage
Cars and streaming services should store data
locally rather than uploading it to centralized
servers, reducing the risk of breaches and
unauthorized access.

Looking for Miracles.

Option 1: Adopting the
PbD Principles
There are seven core principles of the
PbD that ensure a full privacy protection
and compliance with comprehensive
The most basic explanation of Privacy by regulations, if they are adopted to their
Design (PbD) is little more than "data extent:
protection through technology design." 1. Proactive not Reactive/Preventative
At its core, it means that you need to not Remedial
integrate data protection and privacy 2. Privacy as the Default
features into your system engineering, 3. Privacy Embedded into Design
practices and procedures. It shouldn't be 4. Full Functionality
an afterthought or a supplement to your 5. End-to-End Security
processes or infrastructure. 6. Visibility and Transparency. Keep it
open.
• 7. Respect for User Privacy.
Cars & Privacy 14
 Andres Saravia 2025

1: Proactive not
Reactive/Preventative not Remedial
The first principle argues that data privacy
needs to come up at the beginning of the
planning process. If your security practice
consists of putting out fires and dealing with
breaches, then you are being reactive. It sets
up the philosophical heart of the rest of the
principles.

2: Privacy as the Default Setting (“No

action is required by individuals to
maintain their privacy”)

Is perhaps the most difficult principle for

companies to wrap their minds around. It
argues that privacy needs to be at the
forefront of what you do.

That means restricting your sharing, using

data minimization, deleting data you no
longer use, and always operating on a legal
basis. It also means using opt-in and opt-out
functions and safeguards for consumer data.

Cars & Privacy 15

 Andres Saravia 2025

3: Privacy Embedded into Design For example, you should only collect
data you need and have a legal basis
The idea is that privacy needs to find a home
for. And when you finish with the data,
in the design or both your architecture and
you should use GDPR-compliant
business. In other words, privacy is a core
deletion/destruction methods for end-
functionality of the product.
to-end protection.

4: Full Functionality 6: Visibility and Transparency

Puts forth that there's no reason to be afraidYou learn that privacy isn't just for
of Privacy by Design. If you are sacrificing privacy's sake. Data subjects should
functionality for privacy, then you are doing it
know about your privacy (and
wrong. It's more of a culture shift that requires
processing) practices and you should
a balance between growth and security. share them in the open. The principle
argues a case for a well-written Privacy
Policy, which is essential if you fall
5: End-to-End Security under the jurisdiction of the GDPR or
ncryption and authentication are the standard another law like CalOPPA, anyway. It
at every stage, but you need to go further at also argues that there needs to be a
other stages. mechanism for data subjects to air
their grievances, ask questions, and ask
for changes.

7: Respect for User Privacy

Argues that everything needs to remain
user-centric. It means acknowledging that
even if you have the data, it belongs to the products, and services from the outset
consumer you collected it from. Your data rather than as an afterthought.
subject can grant and withdraw their
consent for your use of their data Apart from GDPR, several regulations and
frameworks worldwide mention,
The General Data Protection Regulation encourage, or promote Privacy by Design
(GDPR) explicitly mentions the adoption of (PbD):
Privacy by Design (PbD) in Article 25,
which outlines the requirements for "data ISO 31700: This international standard,
protection by design and by default." This introduced in 2023, provides a framework
article mandates that organizations must for implementing PbD in consumer goods
integrate data protection measures into and services, emphasizing consumer
the development of their processes, privacy throughout the product lifecycle.

Cars & Privacy 16

 Andres Saravia 2025

California Consumer Privacy Act (CCPA) and

Virginia Consumer Data Protection Act
(VCDPA): These U.S. state laws incorporate
principles similar to PbD to protect personal
data.
Canada's PIPEDA: While not explicitly named,
it aligns with PbD principles through its
emphasis on fair information practices and
proactive privacy measures.
Australia: The Victorian Commissioner for
Privacy formally adopted PbD as a core policy
for public sector privacy management.
Mauritius Declaration (2014): This
international conference declaration
endorsed PbD for the Internet of Things (IoT).

Looking for Miracles.

Option 2: Adopting
Apple’s “Ask App Not to
Track”
The “Ask App Not to Track” feature in Apple’s
iOS system, introduced with iOS 14.5, is a
privacy-focused mechanism that allows
users to control how their data is tracked
and shared across apps and websites.
Cars & Privacy 17
 Andres Saravia 2025

What It Does • Transparency: Ensures users are

aware of and can control how their
• Prompts Users for Consent: When an app
data is being used.
wants to track your activity across other apps
• Reduced Targeted Ads: Apps relying
or websites, a pop-up asks, “Allow [App Name]
on tracking for personalized ads will
to track your activity across other companies’
have less detailed data about user
apps and websites?”
preferences.
• Users can select “Allow” or “Ask App Not to
Track”.
• Limits Third-Party Tracking: If a user chooses How It Works
“Ask App Not to Track,” the app cannot access
• Technical Blocks: Apple implements
the Identifier for Advertisers (IDFA), a key tool
used for personalized advertising and technical restrictions that prevent apps
analytics. from accessing tracking tools like IDFA
when consent is denied.
• Policy Enforcement: Apps are
Impact on Privacy required to follow Apple’s App Tracking
Transparency (ATT) framework. Non-
• User Data Protection: Prevents apps from
compliance can lead to app removal
tracking users’ behavior and sharing their data
from the App Store.
without consent.

Benefits for Users

• Greater Control: Users can decide which
apps can track their activity.
• Enhanced Privacy: Limits the amount of If a CarPlay-compatible app attempts to
personal data shared across platforms. track your data across apps and websites,
• Reduced Ad Targeting: Users may see it must comply with your ATT preferences
fewer personalized ads, which some may set on your iPhone.
find less intrusive. • Tracking Prompt: If a CarPlay app
requires tracking permissions (e.g., a
navigation app using location data for
Applicability to CarPlay targeted advertising), the prompt to allow
• CarPlay is an Extension of iOS Apps: Apps or deny tracking would have been
designed for CarPlay (e.g., navigation, handled on the iPhone when the app was
music, and messaging apps) are still first launched.
governed by the same App Tracking
Transparency (ATT) framework as any iOS
app.
Cars & Privacy 18
 Andres Saravia 2025

Looking for Miracles.

Option 3: Proposing Real
Solutions
Just when things are getting interesting, it’s
time to exercise our rights, to fight for our
privacy and to confront the carmakers and
maybe the music industry. But, I am bringing
to you a sort of Right to Access Form based on
DSARs, with some tweaks to make it easier for
you to claim and more difficult to the data
controllers to refuse. Below there’s an
example of a DSAR request with adds. In case
of doubt, don’t hesitate to complete it and
send it to the controller:

Data Subject Access Request (DSAR)

Form
(Based on GDPR, including Additional
Requests)
This form allows you to exercise your rights
under the General Data Protection
Regulation (GDPR). Specifically, it focuses on
your right to access personal data, manage
your consent, and request additional
privacy-related information.

Cars & Privacy 19

 Andres Saravia 2025

Section 1: Contact Information 2. Request for Security Measures

☐ Provide a detailed description of the
• Full Name:
security measures in place to protect
• Email Address:
my personal data, including:
• Phone Number: (Optional)
• Encryption standards.
• Address:
• Access control measures.
• Incident response plans.
Section 2: Request Details 3. Request for PIA/DPIA
☐ Provide the most recent Privacy
Please indicate which of the following Impact Assessment (PIA) or Data
requests you are making. You may select Protection Impact Assessment (DPIA)
multiple options: conducted concerning the processing
1. Access to Personal Data of my data.
☐ Provide all personal data processed about 4. Adoption of Privacy by Design (PbD)
me, including: Principles
• Data collected via my car and/or music ☐ Confirm whether your organization
streaming service. has adopted the Privacy by Design
• Profiles created, including driving and music (PbD) principles, including:
preferences. • Data minimization.
• Details of third parties with whom my data • Embedding privacy into the design
has been shared. and default settings of systems.

5. Apple’s “Ask Not to Track” or Similar

Features
☐ Confirm whether your organization has
adopted Apple’s “Ask Not to Track”
feature or implemented similar measures
6. Notify the Privacy Authority
to protect user privacy. If so, provide
☐ Notify the relevant Data Protection
details about:
Authority about potential violations of my
• How these features are applied to my
privacy rights, including:
data.
• Lack of compliance with GDPR
• Whether I can activate or customize
requirements.
these settings.
• Improper processing or sharing of my
5. Withdraw Consent
personal data.
☐ I withdraw my consent for the
processing of my personal data for the
following purposes (check all that apply):
• ☐ Behavioral profiling.
• ☐ Targeted advertising.
• ☐ Sharing data with third parties.
Cars & Privacy 20
 Andres Saravia 2025

Section 3: Verification of Identity

To ensure the security of your data, we require
verification of your identity. Please attach one
of the following documents:
• A copy of a government-issued ID (e.g.,
passport, driver’s license).
• A utility bill or other proof of address dated
within the last three months.

Section 4: Delivery Method

Indicate how you would like to receive the

information:
☐ Email (encrypted if possible).
☐ Physical mail (to the address provided
above).
☐ Secure online portal (if available).

Section 5: Additional Comments or

Specific Requests
(Include any additional information that
might help process your request more
effectively.)

Signature and Date

• Signature:
• Date:

Cars & Privacy 21

 Andres Saravia 2025

Instructions for Submission Latest News: Senators blast

Please send this completed form, along with automakers’ fight against right-to-
any necessary identification documents, to: repair
• Data Controller/DPO Contact Information:
• Name: A bipartisan coalition of U.S. Senators
• Email Address: released a scathing critique of
• Postal Address: automakers for opposing right-to-
repair laws and monetizing driver data
You may also contact the DPO to confirm
receipt of this request or to seek clarification
regarding your rights. For more information, please visit
AutoBlog
Processing Timeline:
Under GDPR, your request must be fulfilled
within 30 days of receipt. If an extension is
necessary, you will be notified promptly.

This form ensures that your rights as a data

subject are respected and that you remain in
control of your personal data.

Cars & Privacy 20

21
For more information,
contact me anytime

andressaravia