Results of the Inspection on the Compliance of Short-Term Vehicle Rentals with Data Protection Requirements
The data protection authorities of the Baltic States initiated a joint preventive inspection to evaluate the compliance of the short-term vehicle rental sector with the requirements of the General Data Protection Regulation (GDPR). The primary goal of the inspection was to identify and mitigate risks related to personal data processing in an industry that has experienced rapid growth in recent years.
The inspection focused primarily on businesses whose main operational base is in one of the Baltic States but offer services across the region. At the same time, each authority had the flexibility to expand the scope of the inspection to include companies operating solely in local markets.
During the inspection, violations indicating deficiencies in data protection compliance were uncovered. The most significant issues included a lack of transparency—failure to provide meaningful information to data subjects—and improper selection of legal bases. Some companies relied on inappropriate legal grounds or failed to sufficiently justify their use. Frequently, the information provided in privacy policies regarding the legal basis and scope of data processing did not align with the actual responses given to supervisory authorities. In some cases, the same legal basis was used for all data processing activities, regardless of its suitability for the specific processing.
Problems were also identified regarding the scope of requested personal data. Although companies requested a variety of information, the scope often seemed similar. Some avoided asking for sensitive data, such as social security numbers or dates of birth, but these were often obtained indirectly by requesting, for example, copies of driver’s licenses.
Additionally, deficiencies in determining data retention periods were identified. While most retention periods complied with GDPR requirements, some were ambiguously stated using phrases like “as long as necessary” or “in accordance with legal provisions.” In some cases, customer data was not deleted in accordance with established criteria, revealing technical non-compliance.
The processing of biometric data was another aspect analyzed. While most companies did not process such data, in some cases, facial images were used for client identification based on the consent of data subjects. However, none of the companies’ policies offered an alternative for those unwilling to consent to the use of biometric data.
Based on the inspection results, supervisory authorities developed best practice recommendations for short-term vehicle rental companies to promote responsible and transparent data processing. This initiative reflects the shared commitment of the Baltic States to ensure a high level of personal data protection and compliance with GDPR requirements.
With the growing popularity of short-term vehicle rentals, responsible data processing is becoming increasingly important. This inspection underscored the significance of data protection and will help ensure that the privacy of individuals is adequately safeguarded while supporting innovative and in-demand services.
The Baltic supervisory authorities will continue their close cooperation to strengthen personal data protection and improve compliance with data protection requirements across the region.