Skip to content
Contact us
  • There are no suggestions because the search field is empty.

AGD Connect and GDPR

This article addresses concerns around the GDPR implications of using AGD Connect


AGD Connect has been designed using the principle of data minimisation and collects only the information necessary to authenticate users and manage access permissions to AGD devices. Typically, this information is limited to a user's first name, surname and email address, which would normally be an organisation-issued business email address.

Data Minimisation

In accordance with Article 5(1)(c) of the UK GDPR and EU GDPR, AGD Connect limits the collection of personal data to the minimum required to provide the service. No unnecessary personal information is collected or stored, and user records are maintained solely for the purposes of authentication, authorisation and auditability of access to AGD devices.

Purpose Limitation

Personal information held within AGD Connect is used exclusively for:

  • User authentication and login management.
  • Administration of user permissions and access rights.
  • Assignment of users to authorised organisations and user groups.
  • Audit and security records relating to device access and configuration activities.

Personal data is not used for marketing purposes, profiling, behavioural analysis or any purpose unrelated to the operation and security of AGD Connect.

Restricted Visibility of Personal Information

Access to personal information within AGD Connect is strictly controlled.

Users with administrator privileges may view the details of users belonging to their own organisation where this is necessary to manage accounts, permissions and access rights. These administrators are typically authorised personnel with legitimate business reasons for accessing such information.

Importantly, when a Highway Authority grants access to its devices to users from external organisations, access is granted to a User Group rather than to named individuals. This means that:

  • The Highway Authority does not have visibility of the personal details of users within that external organisation.
  • Individual names and email addresses are not shared between organisations.
  • Access permissions can be managed without exposing personal information to third parties.

This approach significantly reduces the sharing of personal data and supports compliance with the GDPR principle of data minimisation.

Privacy by Design

AGD Connect has been designed to separate device ownership and access permissions from individual user information wherever possible. Organisations manage access through User Groups, allowing permissions to be assigned and maintained without requiring visibility of personal user records outside the user's own organisation.

This supports the GDPR requirement for "Data Protection by Design and by Default" under Article 25.

Security and Access Control

AGD Connect uses authenticated user accounts and role-based permissions to ensure that only authorised individuals can access supported AGD devices and associated configuration tools. User information is only accessible to those individuals who require it to perform legitimate administrative functions.

By limiting both the volume of personal information collected and the audience that can access it, AGD Connect helps organisations meet their obligations under GDPR while maintaining secure management of connected roadside assets.

Summary

AGD Connect supports GDPR compliance through:

  • Collection of only minimal personal information.
  • Use of personal data solely for authentication and access management.
  • Restricting visibility of personal information to authorised administrators within the same organisation.
  • Use of User Groups to grant cross-organisational access without exposing individual user details.
  • Role-based access controls and authenticated access mechanisms.
  • Privacy-by-design principles that minimise the sharing and exposure of personal data.

As a result, personal information relating to AGD Connect users is only accessible to a limited number of authorised personnel who require it for legitimate business purposes, and is not routinely shared between organisations that use the platform.

Note: AGD Connect is designed to support compliance with UK GDPR and EU GDPR requirements. However, each organisation remains responsible for ensuring that its use of the platform complies with its own internal data protection policies and legal obligations as a data controller.