The Estonian Data Protection Authority (DPA) has conducted an inquiry into General Data Protection Regulation (GDPR) compliance among car rental services.
Among the car rental service providers questioned by the Estonian DPA, there were three common GDPR issues in the areas of lawfulness, transparency, and data retention.
This article explores the DPA’s report, which provides lessons that extend far beyond the car rental sector.
Estonian DPA’s investigation
The Estonian DPA’s investigation began in July 2022 and targeted three car rental service providers.
The regulator’s aim was to identify common GDPR compliance issues among car rental services and draw up recommendations to improve data protection in the sector.
In practice, this involved sending questionnaires to the car rental services and analyzing the results.
What the Estonian DPA found
The Estonian DPA’s findings can be categorized into three broad issues: lawfulness (or “legal basis”), transparency, and data retention.
The main issue found by the Estonian DPA related to the “legal basis for processing” identified by car rental services.
The car rental services relied on Article 6(1)(b) GDPR (“contract”) for most processing activities. Under this provision, a controller can process personal data:
- Where necessary for the controller to perform its obligations under a contract with the data subject, or
- Where necessary to take steps to enter into a contract with the data subject.
Note the “necessary” qualifier. Controllers may not process personal data under the “contract” legal basis unless the processing is necessary to provide the core services under the contract (or to enter into the contract).
This GDPR provision has come up in multiple DPA decisions, for example the Irish DPA’s January 2023 decision against Meta.
Meta argued that running behavioral advertising campaigns was “necessary” to perform its contractual obligations to users because its business model depended on it. However, the European Data Protection Board (EDPB) took a stricter interpretation of “necessity” in this context.
As with Meta, the Estonian DPA says the car rental services interpreted “necessity” too broadly.
The DPA also noted that there was some uncertainty regarding the legal basis for certain activities, and that some providers had failed to carry out a “legitimate interests assessment” when required to do so.
Under Article 12 of the GDPR, any information about data processing must be presented in a clear, straightforward, and accessible way. One of the car rental services under investigation had allegedly failed to meet this requirement.
In its main rental contract, that car rental service asked data subjects to review data processing information contained in a separate document. However, the service provider failed to make that document available to data subjects.
The Estonian DPA found several issues with how the car rental services retained personal data.
First, the DPA found that the explanation of retention periods in some car rental services’ privacy notices was vague and unclear.
For example, the DPA criticized ambiguous statements such as “Personal data is retained for as long as is required or permitted by law” or “…for as long as is necessary to achieve the relevant purposes”.
The processes for deleting personal data differed among car rental services:
- Two service providers deleted personal data following the end of the relevant retention period.
- One service provider merely pseudonymized personal data following the end of the relevant retention period.
The DPA said that the latter practice (pseudonymization instead of deletion) was not compliant with the GDPR’s requirements around the deletion of personal data.
The Estonian DPA’s investigation into the car rental service sector found three common data protection issues:
- Reliance on an unclear or incorrect legal basis.
- Unclear or inaccessible privacy information.
- Ambiguous data retention periods.
These GDPR compliance gaps are relatively common across all types of organizations. As such, the Estonian DPA’s findings apply to organizations in every sector.