The data protection authorities of the Baltic States conducted a joint preventive inspection to assess the compliance of the short-term vehicle rental industry with the requirements of the Data Regulation. The primary purpose of the inspection was to timely identify and eliminate personal data processing risks in the industry, which has experienced rapid development in recent years.
Mainly the attention was focused on merchants whose main place of business is in one of the Baltic states and who provide services throughout the region. At the same time, each institution had the opportunity to expand the scope of the examination by evaluating companies operating only on the domestic market.
In the course of the inspection, violations were found that indicate gaps in compliance with data protection requirements. The main problems were the lack of transparency – companies were unable to provide data subjects with clear and understandable information, as well as the inappropriate use of the legal basis. Some companies chose an inappropriate legal basis or were unable to sufficiently justify its adequacy. Often, the information provided in the privacy policies about the legal basis and the amount of data to be processed did not match the answers actually given to the supervisory authorities. In some cases, the same legal basis was used for all data processing activities – regardless of whether it is appropriate in the particular situation.
Problems with the amount of personal data requested were also found. Although companies requested different information, the amount was often similar. Some companies avoided asking for data such as social security numbers or dates of birth, but often obtained this data indirectly by asking for copies of driver’s licenses, for example.
In addition, deficiencies in determining the data storage terms were identified. Although in most cases the retention periods were in line with the requirements of the Data Regulation, in some cases the terms were vague, using wording such as “as long as necessary” or “in accordance with the law”. In some cases, customer data was not deleted according to the established criteria, which indicated technical inconsistencies.
Biometric data processing was another aspect analyzed. Although most companies did not use such data, in some cases facial images were processed for customer identification based on the data subjects’ consent. However, no company policy offered an alternative option to opt out of the use of biometric data.
Based on the results of the inspection, the supervisory authorities developed recommendations for short-term vehicle rental companies to promote responsible and transparent data processing. This initiative reflects the common commitment of the Baltic States to ensure a high level of personal data protection and promote compliance with the requirements of the Data Regulation.
Due to the rapidly growing popularity of short-term vehicle rentals, responsible data processing is becoming increasingly important. This review highlighted the importance of data protection and will help ensure that citizens’ privacy is adequately protected while supporting innovative and in-demand services.
Baltic supervisory authorities will continue to work closely together to strengthen personal data protection and improve compliance with data protection requirements across the region.