Author: Sean Treacy – 1st July 2026
Modern vehicles are no longer simply machines that transport us from one place to another—they are sophisticated connected computers on wheels. At the heart of this connectivity is the Telematic Control Unit (TCU), a built-in communication system that continuously records, processes and transmits data about both the vehicle and its driver.
From GPS locations and driving behaviour to diagnostic fault codes and remote vehicle commands, the TCU generates a detailed digital record of how a vehicle is used. As connected vehicles become increasingly common, an important question arises: Who owns this data, and can drivers in Ireland obtain a copy of it?
The answer is yes—but the legal position is shaped by two separate pieces of European legislation: the General Data Protection Regulation (GDPR) and the EU Data Act.
Please note the information contained in this article is for informational purposes and cannot be construed as professional technical or mechanical
What Does a Telematic Control Unit Record?
A TCU acts as the vehicle’s communications hub, allowing it to exchange information with manufacturers, dealerships, roadside assistance services, insurance providers and smartphone applications. Depending on the vehicle, it may record:
- GPS location and journey history
- Speed, acceleration and braking patterns
- Driving behaviour and safety scores
- Vehicle diagnostics and fault codes
- Fuel or battery performance
- Maintenance information
- Remote lock and unlock events
- Charging history for electric vehicles
- Infotainment and connected account activity
- Emergency call (eCall) data where activated
Much of this information is linked directly to the vehicle’s Vehicle Identification Number (VIN), making it possible for the manufacturer to associate the data with an identifiable owner or driver.
Your Rights Under the GDPR
https://www.dataprotection.ie/en/individuals/know-your-rights/right-access-information
In Ireland, the GDPR applies whenever information collected by the vehicle qualifies as personal data. Since manufacturers and connected service providers can usually identify the registered owner through the VIN, much of the data generated by a TCU falls within the scope of data protection law.
One of the most important rights available to drivers is the Right of Access under Article 15 of the GDPR.
This allows an individual to submit a Subject Access Request (SAR) to the vehicle manufacturer or connected services provider and ask whether their personal data is being processed.
If it is, they are entitled to receive:
- Confirmation that their data is being processed.
- A copy of the personal data held about them.
- The purposes for which the data is processed.
- The categories of personal data collected.
- Details of organisations with whom the data has been shared.
- How long the data will be retained.
- The source of the data if it was not collected directly from them.
- Information about any automated decision-making or profiling.
Importantly, the GDPR entitles the individual to receive the personal data itself, not merely a summary or description.
For many connected vehicles, this could include detailed journey histories, location records, diagnostic information linked to the owner, and driving behaviour data transmitted from the TCU to the manufacturer’s servers.
Does That Mean You Can Obtain Everything?
Not necessarily.
The GDPR only applies to personal data.
Manufacturers are not generally required to disclose information that cannot reasonably be linked to an identifiable individual, such as anonymous engineering statistics, generic firmware logs or aggregated performance data.
However, the definition of personal data under European law is intentionally broad. If the information can reasonably identify or be linked to a particular driver or registered owner, it is likely to be covered by the GDPR.
The EU Data Act Changes the Picture
https://www.europarl.europa.eu/RegData/etudes/ATAG/2025/775915/EPRS_ATA(2025)775915_EN.pdf
While the GDPR focuses on protecting personal information, the EU Data Act is designed to ensure that users of connected products—including connected vehicles—can access the data generated by those products.
This is a significant development.
Unlike the GDPR, the Data Act is not limited solely to personal data. Instead, it gives users a right to access much of the data generated through their use of the connected product.
For vehicle owners, this may include:
- Sensor readings
- Engine performance data
- Battery health information
- Diagnostic fault codes
- Maintenance records
- Vehicle usage statistics
- Certain telematics information
Manufacturers are generally required to make this information available in an accessible format, subject to limited exceptions relating to trade secrets, cybersecurity and the protection of other individuals’ personal data.
In practice, this means that many drivers will be able to obtain a wider range of vehicle-generated information than was previously available under the GDPR alone.
Other Rights Available to Drivers
The GDPR provides several additional rights that may be relevant to connected vehicle users.
Drivers may request that inaccurate information be corrected, ask for personal data to be erased in certain circumstances, restrict how their information is processed, object to certain forms of processing, and in some situations receive their data in a structured, machine-readable format so that it can be transferred to another service provider.
Individuals also have important rights where decisions are made solely through automated processing that significantly affect them.
Are There Any Limits?
Yes.
Neither the GDPR nor the EU Data Act requires manufacturers to disclose proprietary software, source code or confidential algorithms. They may also refuse access to information where disclosure would compromise cybersecurity, reveal protected trade secrets, or disclose another person’s personal data.
However, manufacturers cannot simply refuse access because the information is stored within a proprietary telematics platform or because extracting it would be inconvenient.
What If a Manufacturer Refuses?
If a manufacturer fails to respond appropriately to a Subject Access Request or refuses access without lawful justification, drivers in Ireland may lodge a complaint with the Data Protection Commission, the national authority responsible for enforcing the GDPR.
Where appropriate, individuals may also pursue legal remedies through the courts.
A New Era of Data Transparency
Today’s connected vehicles generate an extraordinary volume of information, much of which tells a detailed story about how, when and where a vehicle is driven.
For Irish motorists, the combination of the GDPR and the EU Data Act represents a significant shift in control over that information. The GDPR provides strong rights to access personal data collected through a vehicle’s Telematic Control Unit, while the EU Data Act expands those rights by requiring manufacturers to make a broader range of vehicle-generated data available to users.
As vehicles become increasingly connected and software-driven, these legal protections ensure that drivers are no longer passive sources of data, they are recognised as individuals with meaningful rights to understand, access and, in many cases, control the information their vehicles generate.
What a TCU does
A TCU collects data from the vehicle and sends it to external systems using cellular networks (4G/5G), GPS, and onboard vehicle networks (like CAN bus).
Typical functions include:
- 📍 GPS tracking & location services
- 📊 Vehicle data monitoring (fuel level, speed, engine status, etc.)
- 📡 Internet connectivity (eSIM / modem)
- ☁️ Cloud communication (OEM backend systems)
- 🔧 Remote diagnostics
- 🔄 Over-the-air (OTA) software updates
- 🚨 Emergency call systems (eCall)
How it works (simple view)
- Reads data from car systems (engine, brakes, sensors) via CAN bus
- Adds GPS position from satellite receiver
- Sends data through built-in cellular modem
- Communicates with manufacturer cloud or fleet platform
- Receives commands back (e.g., unlock car, update software)
🔌 Where it is found
- Usually built into modern connected vehicles (OEM-installed)
- Often located behind dashboard, glove box, or boot area
- Connected permanently to vehicle power and antennas
⚠️ TCU vs similar terms (common confusion)
- TCU (Telematics Control Unit) → connectivity, tracking, data, cloud services
- Transmission Control Unit (also TCU/TCM) → controls automatic gearbox shifting (totally different system)
🚙 Why it matters
The TCU is what enables “smart car” features like:
- smartphone apps for your car
- remote start/lock
- fleet tracking systems
- predictive maintenance
- emergency crash alerts
🚗 OEM vs Aftermarket Telematics Units (TCUs)
🏭 1. OEM Telematics (Factory-installed TCU)
These are built directly into the vehicle by the manufacturer.
Key traits
- 🔧 Installed at factory (fully integrated design)
- 🧠 Deep integration with vehicle electronics (CAN, ECU, airbags, ABS, etc.)
- 📡 Uses built-in eSIM + OEM cloud platform
- 🔐 Highly secure, manufacturer-controlled ecosystem
What they enable
- Remote unlock/start via OEM app
- Built-in navigation + live traffic
- Emergency call (eCall)
- OTA firmware updates for vehicle systems
- Predictive maintenance alerts
Advantages
- Very reliable and stable
- Strong cybersecurity and encryption
- Full access to vehicle data
- Long-term support by OEM
Limitations
- Locked to manufacturer ecosystem
- Limited customization for fleet operators
- Expensive (built into vehicle price)
- Data access often restricted to OEM
🔌 2. Aftermarket Telematics Boxes
These are third-party devices installed after purchase (plug-in OBD-II, hardwired units, or asset trackers).
Key traits
- 🧩 Installed via OBD-II port or hardwired to power/CAN
- 🌐 Uses its own SIM card + external cloud platform
- 🔓 Works across multiple vehicle brands
- ⚙️ Focused on fleet tracking and analytics
What they enable
- Real-time GPS tracking
- Driver behavior monitoring (speeding, braking, idling)
- Fuel usage analytics
- Geofencing alerts
- Maintenance scheduling
- Asset tracking (trailers, machinery, etc.)
Advantages
- Works with almost any vehicle
- Quick to install/remove
- Lower cost per vehicle
- Highly customizable dashboards & APIs
- Ideal for fleet operators
Limitations
- Limited vehicle system access (no deep ECU control)
- Less secure than OEM integration (varies by vendor)
- Depends on external hardware installation quality
- Can be disabled if unplugged (OBD units)
⚖️ Key Differences Summary
| Feature | OEM TCU | Aftermarket Telematics |
|---|---|---|
| Installation | Factory-built | Retrofit (OBD / wired) |
| Vehicle integration | Deep (ECU-level) | Limited (data-level) |
| Ecosystem | Locked to OEM | Cross-brand |
| Customization | Low | High |
| Fleet use | Limited | Excellent |
| Security | Very high | Medium–high (varies) |
| Cost model | Built into vehicle | Subscription + hardware |
Simple way to think about it
- OEM TCU = “native brain of the car”
- Aftermarket box = “add-on tracking + analytics device”
______________________________________
Did you know your vehicle had a tracking device installed when you bought it?
I bought a van in 2012 and had no idea it was fitted with one. No one mentioned it at the time, and I certainly wasn’t aware my vehicle’s movements could be tracked.
I’m now writing to the dealership to find out what information they have, why I wasn’t told about it, and what the device was being used for.
Has anyone else discovered this after buying their vehicle?
Disclaimer: The information provided in this article is intended for general informational purposes only and should not be considered professional technical, mechanical, or engineering advice. While the content is based on publicly available information, no representations or warranties are made regarding its accuracy, completeness, or suitability for any specific purpose.
Readers should consult a qualified professional before relying on or acting upon any technical information contained in this article. Any links referencing GDPR have been reviewed and are considered accurate.



