Data protection & security
The truck toll system is a sovereign task for which the Federal Republic of Germany, represented by the Federal Logistics and Mobility Office (BALM), is responsible. As the operator of the toll system, Toll Collect is a contractor of the BALM. In this legally defined role, Toll Collect implements the requirements set out in the German Federal Trunk Road Toll Act (BFStrMG) and the German Truck Toll Regulations (LKW-MautV) as well as the Federal Data Protection Act. As the contracting authority, the BALM must define requirements for implementation and can issue instructions.
Within this framework, a data protection and security concept was already developed as part of the invitation to tender; it has since been updated and made more concrete as the system was developed. This data protection concept is continuously coordinated with the BALM and the Federal Commissioner for Data Protection as the responsible supervisory authority. It is the basis for implementing data protection requirements in operations.
Permission to process data for the toll system is primarily derived from the BFStrMG and the LKW-MautV. However, the regulations not only permit data processing, but also stipulate strict purpose limitation and short deletion periods for the operator. Toll Collect processes data for the purpose of operating the toll system only within the scope of this legal permission. Only the data listed by law in Section 4 (3), Section 7 (2) and Section 8 BFStrMG and in the LKW-MautV are collected. These data are processed by the operator as a sovereign authorised party on behalf of the BALM, strictly in accordance with the data protection requirements and exclusively for the legally intended purposes of toll collection.
The recording of vehicles at the enforcement gantry is carried out exactly within the framework of the requirements of the legislator. Section 7 (2) BFStrMG permits, among other things, taking pictures of the vehicle and collecting the licence plate number for the purpose of monitoring compliance with the provisions of the Toll Act. Pursuant to Section 9 (5) BFStrMG, this data must be deleted immediately after the monitoring process if the vehicle is not subject to the toll requirement. Toll Collect processes vehicle images and licence plate numbers only within the scope of the specified legal purpose and the deletion regulations. The drivers are not recognisable in the images. In addition, in the case of toll-exempt vehicles, for which the measurement has determined that the toll requirement does not exist, the image created is not evaluated with regard to the licence plate number, but is deleted within fractions of a second.
Only the registered customer receives information from Toll Collect with the invoice about which route the truck drove on at what time and what toll amount the customer has to pay. It is not possible for third parties to create movement profiles, as only the BALM and Toll Collect GmbH have access to the invoicing data. Only the starting time of each billed route is listed on the statement. On this basis, no legally usable average speed can be determined. The on-board unit does not record data on the speed and load of the truck.
Toll Collect GmbH has developed a comprehensive and integral data protection and security concept for the toll system. The technical measures correspond to the state of the art in security technology and are continuously being further developed.
A protection requirements analysis was carried out for all components in accordance with the IT-Grundschutz (IT baseline protection manual) of the German Federal Office for Information Security (BSI), which took into account the risks to availability, integrity and confidentiality. The data to be processed must be classified according to their sensitivity and the technical and organisational precautions corresponding to the classification scheme must be taken.
On the basis of this security concept, security measures are implemented for personal data that prevent these data from being used for unauthorised purposes or coming to the knowledge of unauthorised persons.
Personal data will only be transmitted in such messages and to such an extent as is necessary to fulfil the tasks of the toll system as defined by law or by contract with the toll customer. The security concept takes into account that communication (SMS or GPRS) takes place via public networks. To protect against unauthorised access by third parties, the messages from the OBU to the Toll Collect control centre are therefore encrypted using a special encryption process. Furthermore, the communication partners are authenticated. A closed security chain (end to end) with cryptographic functions is used to prevent the manipulation of data and to exclude the possibility of "listening in" to information.
It is not possible to read data from the OBU by making a call. Modified SIM cards are used exclusively for data communication. Voice communication is not possible. Only authorised service workshops can service the devices. Reading out the data from the OBU requires access codes, which are not disclosed to third parties. If an attempt is made to tamper with a vehicle device or if it is stolen and then re-installed, this will be detected by the control technology.
A data protection and security organisation with data protection and security coordinators in specific operational areas has been established. Protection requirements analyses and measures are documented in a database and made available to the responsible staff in the data protection and security organisation.
The truck toll system is operated at a high security standard with a security organisation that can react quickly to security incidents. The areas of data protection and data security work closely together here.
The processing of journey-related data under the terms of the German Federal Trunk Road Toll Act (BFStrMG) does not constitute commissioned processing within the meaning of the General Data Protection Regulation (GDPR). Toll Collect processes the toll customer's data relating to journeys within the framework of toll collection as an independent controller in accordance with the applicable data protection regulations. The legal basis for the processing of data results from Section 4 (3) sentence 3 BFStrMG. This provision allows the operator to process the trip-related data for the purpose of operating the toll collection system.