Mobility as a Service (MaaS) is a new transport paradigm that integrates existing and new mobility services into one single digital platform, providing customised door-to-door transport and offering personalised trip planning and payment options. The development of MaaS relies heavily on access to user’s data, open APIs of transport providers and interoperability of the systems. Since data are the key factor of MaaS, establishing clear and fair rules for the control of information is crucial. MaaS is a location-based service (LBS) navigation which uses real-time geo-data from a mobile device to provide user’s location and other information. Under Article 4 of the GDPR, location data is expressly mentioned as a factor by reference to which a person may be directly or indirectly identified, thus is recognised as an ‘identifier’ of personal data. The aim of this chapter is to overview and analyse the privacy vulnerabilities of location data which may become sensitive data on MaaS in combination with other information. Further, this paper will analyse the guarantees provided by GDPR, either strictly legal (i.e. consent of the data subject) or technological (i.e. DPIA) and their reliability to protect user’s identity.

Navigation apps, Location Based Services, Data Location, MaaS, DPIA