TISAX Data Protection vs. GDPR
TISAX data protection module explained: commissioned processing, special categories, and TOMs in the automotive context.
TISAX Data Protection: More Than Just GDPR
TISAX includes its own data protection module that goes beyond general GDPR requirements. While the GDPR sets the legal framework, TISAX imposes automotive-specific data protection requirements that particularly concern commissioned data processing for OEMs, the handling of special categories of personal data, and technical safeguards in the automotive context.
There are two data protection labels: "Data Protection" at AL2 for standard commissioned processing, and "Data Protection Special Categories" at AL3 for sensitive personal data. The choice depends on the type of personal data you process for OEMs.
Similarities Between TISAX and GDPR
Both frameworks require fundamental data protection measures. If you are already GDPR-compliant, you have a solid foundation:
- Technical and Organizational Measures (TOMs): Both require documented TOMs to protect personal data — encryption, access controls, pseudonymization, backup strategies
- Records of processing activities: Both require an overview of all processing activities with purpose, legal basis, recipients, and deletion periods
- Commissioned processing: Both require contracts with data processors (DPA) pursuant to GDPR Art. 28
- Data subject rights: Both require processes for access, deletion, and data portability
- Data Protection Impact Assessment: Both require a risk assessment for particularly high-risk processing activities
Differences: What TISAX Additionally Requires
Data Protection Assessment Objective: What Exactly Is Assessed
The TISAX data protection module assesses more than the GDPR fundamentals:
- Maturity level of implementation: Not only whether TOMs exist, but whether they are standardized, measured, and improved at maturity level 3
- Automotive-specific data flows: How is OEM personnel data processed? Which systems are involved? What is the data classification?
- Subcontractor chain: TISAX assesses whether subcontractors with access to OEM personnel data have also implemented appropriate safeguards
- International data transfers: Special attention to data transfers to third countries, particularly with cloud services
Commissioned Processing (DPA) in the TISAX Context
Commissioned processing is particularly relevant in the TISAX context, as you typically process personal data on behalf of an OEM. TISAX assesses more than whether a GDPR-compliant DPA exists:
- Whether the DPA addresses the OEM's specific requirements (many OEMs have their own DPA templates with additional clauses)
- Whether you have documented sub-processors and reported them to the OEM
- Whether you demonstrably implement the OEM's instructions regarding data processing
- Whether deletion and return processes for OEM personal data are defined for when the contract ends
Special Categories of Personal Data
The "Data Protection Special Categories" (AL3) label applies to the processing of particularly sensitive data under GDPR Art. 9:
- Health data: Occupational health examinations, sick notes, certificates of incapacity for work
- Biometric data: Fingerprints or facial recognition for access systems
- Union membership: HR management systems containing such information
- Ethnic origin: Diversity data in HR systems
AL3 requires an on-site audit, as the auditor must verify the physical security of systems that process special categories. The TOM requirements are significantly higher than for standard data protection.
TOMs: TISAX-Specific Requirements
TISAX assesses technical and organizational measures not only for existence but for maturity, completeness, and automotive relevance:
| TOM Area | GDPR Basic Requirement | TISAX Additional Requirement |
|---|---|---|
| Encryption | Appropriate encryption | Defined standards (AES-256, TLS 1.2+), maturity level 3 |
| Access Control | Authorization concept | Regular access reviews, MFA, PAM, documented KPIs |
| Logging | Traceability | Centralized logging solution, monitoring, retention periods |
| Incident Response | Notification to authorities (72h) | OEM notification process, escalation matrix, drill evidence |
| Deletion Concept | Deletion after purpose fulfillment | OEM-specific deletion periods, deletion evidence, secure media destruction |
AL2 vs. AL3 for Data Protection Labels
The choice between data protection labels depends on the type of data being processed:
- "Data Protection" (AL2): Standard commissioned processing — customer data, OEM employee data (name, contact details, position), contract data. Remote audit sufficient.
- "Data Protection Special Categories" (AL3): Processing of health data, biometric data, or other special categories under GDPR Art. 9. On-site audit mandatory.
Check carefully which data you process on behalf of the OEM. If, for example, you operate time-tracking systems with health data or manage biometric access systems, you need the AL3 label. The complete label overview is available on our TISAX labels page.
Practical Tips for Data Protection in the TISAX Assessment
- Update records of processing activities: Ensure that all processing activities on behalf of OEMs are documented — including subcontractors and international data transfers.
- Align DPA with OEM templates: Many OEMs have their own DPA templates with additional clauses. Verify that your DPA meets all OEM-specific requirements.
- Document and measure TOMs: For TISAX, "we encrypt our data" is not enough. Document which encryption, where, to which standard, and when last reviewed.
- Involve the Data Protection Officer: The DPO should be involved in the TISAX project from the start to efficiently cover data protection assessment objectives.
More on scope definition and special requirements for IT service providers can be found on our TISAX for service providers page. The complete TISAX requirements are available on the corresponding overview page.
Connect data protection and TISAX efficiently
Kopexa maps GDPR requirements and TISAX data protection assessment objectives in one platform. Cross-mapping instantly shows you which GDPR measures already count toward TISAX — and where gaps remain.