With the increase in automation of vehicles and the rise of driver monitoring systems in those vehicles, data protection becomes more relevant for the automotive sector. Monitoring systems could contribute to road safety by, for instance, warning the driver if he is dozing off. However, keeping such a close eye on the user of the vehicle has legal implications. Within the European Union, the data gathered through the monitoring system, and the automated vehicle as a whole, will have to be collected and processed in conformity with the General Data Protection Regulation. By means of a use case, the different types of data collected by the automated vehicle, including health data, and the different requirements applicable to the collecting and processing of those types of data are explored. A three-step approach to ensuring data protection in automated vehicles is discussed. In addition, the possibilities to ensure data protection at a European level via the (type-) approval requirements will be explored.