TL;DR:
- GDPR compliance in car rentals involves lawful collection, processing, and deletion of personal and vehicle data under EU regulations. Operators must implement category-specific retention schedules, conduct DPIAs for telematics and video systems, and establish workflows for data subject access requests. The upcoming EU Data Act reinforces renter rights by mandating machine-readable data exports from connected vehicles starting September 2025.
GDPR compliance for car rentals is the legal obligation to collect, process, store, and delete all personal data gathered from renters and connected vehicles in accordance with Regulation (EU) 2016/679. Car rental operators process an unusually wide range of personal data, from passport scans and payment details to real-time GPS routes and driving behavior captured by telematics systems. The EU Data Act (Regulation (EU) 2023/2854), which applies from 12 September 2025 and gives renters a right of access to the data their connected vehicle generates, adds a second compliance layer that many operators have not yet planned for. This guide gives you a clear, practical framework covering lawful bases, data subject rights, DPIAs, and the new data access and portability obligations.
What personal data do car rental companies process under GDPR?

Car rental operators are data controllers for a broader set of personal data than most industries their size. Understanding the full scope is the first step toward building a defensible compliance program.
The categories you process typically include:
- Customer identity and contact data: Full name, date of birth, driver's license number, passport or national ID, email address, and phone number collected at booking or check-in.
- Rental contract and payment data: Booking records, signed agreements, credit card details, transaction history, and any damage deposits processed through payment gateways.
- Telematics and GPS location data: Route history, mileage, speed, fuel consumption, and driving style scores. Vehicle telematics data is personal data under GDPR wherever it can be linked to an identifiable individual, which in a rental context means virtually always, since the operator knows exactly who drove the vehicle during each rental period.
- Video telematics and dashcam footage: In-cabin or forward-facing video captured by systems like Lytx or Samsara. This data carries the highest privacy risk because it records behavior and potentially third parties outside the vehicle.
- Incident and insurance records: Accident reports, damage photographs, and correspondence with insurers that may contain sensitive personal details.
The practical implication is significant. A single rental generates data across at least five separate systems: a reservation platform, a payment processor, a telematics provider, a contract management tool, and possibly a CCTV or dashcam system. Each system creates independent GDPR obligations, and each must be addressed in your Records of Processing Activities (ROPA). Article 30 requires written processing records even from operators with fewer than 250 employees where the processing is not occasional or is likely to result in a risk to individuals' rights and freedoms (Art. 30(5)); continuous rental and telematics processing meets both conditions, so the small-enterprise exemption will rarely apply to a car rental business.
What are the lawful bases for processing renter data?
GDPR Article 6 provides six lawful bases for processing personal data. Car rental operators rely primarily on two of them, contract performance and legitimate interests, and getting the mapping right protects you from enforcement action.
- Contract performance (Art. 6(1)(b)): Processing is lawful when it is necessary to perform a contract with the data subject. For car rentals, this covers booking confirmation, identity verification, rental agreement execution, payment processing, and vehicle handover. You do not need separate consent for these activities because they are operationally inseparable from delivering the rental service.
- Legitimate interests (Art. 6(1)(f)): This basis applies where processing is necessary for your legitimate interests or a third party's, and those interests are not overridden by the renter's interests or fundamental rights and freedoms. The balancing test must be documented. Fraud prevention, fleet security monitoring, and post-rental damage assessment are the usual candidates, but each must pass its own documented assessment; none qualifies by assumption.
- Legal obligation (Art. 6(1)(c)): Retaining records for tax, insurance, or road traffic law purposes falls here. The renter cannot opt out of it, and data held under it is exempt from erasure requests for as long as the statutory period runs (Art. 17(3)(b)).
- Consent (Art. 6(1)(a)): Consent is appropriate for optional marketing communications, but it is a weak basis for operational data because renters can withdraw it at any time, and consent bundled with the rental itself is not freely given. Avoid using consent as the basis for processing data you actually need to run the rental.
Pro Tip: Map every processing activity in your ROPA to a specific lawful basis before your next regulatory audit. A table with columns for data category, purpose, lawful basis, and retention period takes a few hours to build and eliminates the most common compliance gap inspectors find.
Document your legitimate interests assessments in writing. Regulators expect to see a three-part test: the purpose pursued, the necessity of the processing, and the balancing of your interests against the renter's rights. Oral justifications do not satisfy Article 6(1)(f).

How to implement data subject rights in your rental operations
Renters hold eight rights under GDPR, and the most operationally demanding is the right of access. Controllers must respond to Subject Access Requests within one month of receipt, extendable by a further two months for complex or numerous requests (Art. 12(3)); the renter must be told about the extension, and the reasons for it, within that first month.
The challenge for car rental operators is that a single SAR requires you to locate data across multiple disconnected systems. A practical workflow looks like this:
- Reservation system: Pull all booking records, correspondence, and customer profile data.
- Payment processor: Retrieve transaction records, refund history, and any stored card data.
- Telematics platform: Export GPS routes, mileage logs, and driving behavior data linked to the rental period.
- Contract management: Locate signed agreements, damage reports, and incident records.
- CCTV or dashcam system: Identify and extract any footage in which the data subject appears.
SAR workflows must integrate all of these data sources and produce exports that fulfill GDPR transparency requirements without delay. Manual searches across five platforms within one month are achievable only if you have pre-built the workflow before a request arrives.
| Data type | Recommended retention | Deletion trigger |
|---|---|---|
| Rental contracts | 7 years | End of legal retention period |
| Payment records | 5 years | Regulatory minimum met |
| Telematics/GPS data | 30 to 90 days | Rental period end plus buffer |
| CCTV/dashcam footage | 30 days | No incident reported |
| Incident evidence | Duration of claim | Claim resolution |
Operational failures often occur when operators apply a single retention date across all personal data categories. Each data type carries a different privacy risk profile and a different legal retention requirement, so category-specific schedules are not optional. The periods in the table are illustrative: the minimum for contracts and payment records is set by national tax, accounting and limitation law, which differs between member states, so check the figures for every country you operate in.
Pro Tip: Automate vehicle data deletion at the end of each rental period using your telematics platform's API. Documented, repeatable cleansing processes reduce regulatory risk far more effectively than manual deletion policies that depend on staff remembering to act.
The right to erasure (Art. 17) does not override legal retention obligations. When a renter requests deletion, you must delete what you are not legally required to keep and document why you retained the rest. That documentation is your defense in any subsequent complaint.
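The retention schedule, the legal-hold rule for open claims and the Art. 17(3)(b) carve-out above can be expressed as one decision function that runs both on a schedule and when an erasure request arrives, and that writes the reason for every retain or delete into an audit log. The following is an added example, not code from this guide or from any telematics vendor. The `deleter` hook stands in for whatever per-system deletion call you have (a telematics API client, a payment processor's deletion endpoint); it is assumed here and left as a plain callable. The records are constructed sample data, and the year counts come straight from the illustrative table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Category-specific schedule mirroring the retention table. The year counts are
# illustrative; national tax and limitation law fixes the real minimums.
RETENTION = {
    "rental_contract":   (timedelta(days=7 * 365), "legal obligation, Art. 6(1)(c)"),
    "payment_record":    (timedelta(days=5 * 365), "legal obligation, Art. 6(1)(c)"),
    "telematics":        (timedelta(days=30),      "contract performance, Art. 6(1)(b)"),
    "dashcam":           (timedelta(days=30),      "legitimate interests, Art. 6(1)(f)"),
    "incident_evidence": (None,                    "legitimate interests until claim resolution"),
}
# Categories whose retention is a statutory duty and therefore survives Art. 17 requests.
LEGAL_OBLIGATION = {"rental_contract", "payment_record"}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_at: datetime        # rental end, payment date, signature or capture time (tz-aware)
    claim_open: bool = False    # incident_evidence only: True while the claim is unresolved


@dataclass
class Decision:
    record_id: str
    action: str                 # "delete" or "retain"
    reason: str                 # what goes into the audit log


def retention_decision(rec: Record, now: datetime, erasure_request: bool = False) -> Decision:
    window, basis = RETENTION[rec.category]
    # 1. Incident evidence is held while the claim is open, whatever the clock or the request says.
    if rec.category == "incident_evidence":
        if rec.claim_open:
            return Decision(rec.record_id, "retain", "open claim: legal hold")
        return Decision(rec.record_id, "delete", "claim resolved")
    expires_at = rec.trigger_at + window
    # 2. Statutory retention is exempt from erasure (Art. 17(3)(b)) until the period runs out.
    if rec.category in LEGAL_OBLIGATION and now < expires_at:
        return Decision(rec.record_id, "retain", f"{basis}; retain until {expires_at.date()}")
    # 3. Everything else goes on request or when its window elapses.
    if erasure_request:
        return Decision(rec.record_id, "delete", "Art. 17 erasure request")
    if now >= expires_at:
        return Decision(rec.record_id, "delete", "retention window elapsed")
    return Decision(rec.record_id, "retain", f"{basis}; window ends {expires_at.date()}")


def apply_retention(records, now, erasure_request=False,
                    deleter: Optional[Callable[[Record], None]] = None):
    """Decide every record, call `deleter` (the assumed per-system deletion hook)
    for each deletion, and return (sorted deleted ids, audit log rows).
    With deleter=None this is a dry run that only produces the audit log."""
    deleted, audit = [], []
    for rec in records:
        d = retention_decision(rec, now, erasure_request)
        if d.action == "delete":
            if deleter is not None:
                deleter(rec)
            deleted.append(rec.record_id)
        audit.append((rec.record_id, rec.category, d.action, d.reason))
    return sorted(deleted), audit


def sample_records():
    """Constructed records for one renter; not real data."""
    utc = timezone.utc
    return [
        Record("c1", "rental_contract", datetime(2025, 1, 15, tzinfo=utc)),
        Record("p1", "payment_record", datetime(2025, 1, 15, tzinfo=utc)),
        Record("t1", "telematics", datetime(2025, 9, 21, tzinfo=utc)),    # rental ended 10 days ago
        Record("d1", "dashcam", datetime(2025, 8, 20, tzinfo=utc)),       # 42 days old, no incident
        Record("i1", "incident_evidence", datetime(2025, 9, 21, tzinfo=utc), claim_open=True),
        Record("i2", "incident_evidence", datetime(2025, 6, 1, tzinfo=utc), claim_open=False),
    ]


NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)   # fixed "today" for the sample run


def run_example(erasure_request: bool):
    """Dry run against the sample records; returns (deleted ids, audit log)."""
    return apply_retention(sample_records(), NOW, erasure_request)


if __name__ == "__main__":
    for req in (False, True):
        deleted, audit = run_example(req)
        print("erasure request" if req else "scheduled run", "->", deleted)
        for row in audit:
            print("  ", row)
```

On the scheduled run only the expired dashcam clip and the closed claim's evidence are deleted; on an erasure request the telematics data goes too, while the contract, the payment record and the open-claim evidence are retained with the reason recorded. Keep the audit rows: they are the documentation the paragraph above asks for.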
Why DPIAs are essential for telematics and video systems
A Data Protection Impact Assessment (DPIA) is a formal risk analysis required under GDPR Article 35 before deploying any processing that is likely to result in high risk to individuals' rights and freedoms. For car rental operators, telematics and video systems almost always meet this threshold.
DPIAs are commonly required for telematics and video systems in car rentals due to the potential for high risk through location and movement profiling. A renter's GPS route over a two-week period reveals home address, workplace, medical appointments, religious attendance, and personal relationships. That level of inference from location data alone places telematics firmly in the high-risk category.
Conducting a DPIA for your telematics or dashcam deployment involves four documented steps:
- Describe the processing: What data is collected, by which system (e.g., Geotab, Samsara, Lytx), for what purpose, and who has access.
- Assess necessity and proportionality: Confirm that the tracking serves a legitimate purpose and that less privacy-invasive alternatives were considered and rejected.
- Identify and assess risks: Document specific risks to renters, including unauthorized access, data breach, function creep, and re-identification from aggregated data.
- Document mitigation measures: Technical controls (encryption, access restrictions, automatic deletion), contractual safeguards with the telematics provider, and staff training protocols.
Security and governance of telematics data must integrate technical and legal risk management, making DPIAs not just a checkbox but a compliance cornerstone. A completed DPIA also serves as evidence of due diligence during a regulatory audit, which can significantly reduce enforcement penalties if a breach occurs.
How the EU Data Act 2025 changes connected car rental compliance
The EU Data Act introduces a compliance obligation that sits alongside GDPR rather than replacing it. Understanding the distinction is critical for operators running connected fleets.
| Requirement | GDPR | EU Data Act (from Sept 2025) |
|---|---|---|
| Legal basis for processing | Required (Art. 6) | No separate basis created; GDPR Art. 6 still governs any personal data in the export |
| Renter data access | Subject access request | Direct machine-readable export |
| Data portability | Art. 20 (structured format) | Mandatory for connected vehicle data |
| Retention limits | Storage limitation principle | Must align with GDPR retention rules |
| Scope | All personal data | Connected vehicle generated data |
The EU Data Act applies from 12 September 2025 and gives renters a right of access to the data their connected rental vehicle generates, requiring rental companies to provide machine-readable exports while keeping GDPR protections intact. In practice, this means a renter can request an export of the data their rental vehicle generated during their booking period, including fuel consumption, route data, and vehicle diagnostics, in a format they can take to another service provider.
For operators, the operational challenge is building an export pipeline that pulls connected vehicle data from your telematics provider, strips out data belonging to other renters, and delivers a clean, structured file within a reasonable timeframe. Mapping controller versus processor roles precisely across telematics providers, franchise dealers, and payment processors is the prerequisite for making this work without creating new GDPR violations in the process.
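The filtering step is where a careless export leaks the previous or next renter's trip. The example below, added here and not code from this guide or any telematics provider, builds the export from two constructed inputs (a booking ledger and a stream of telematics readings, both invented for the example) and keeps only readings for the booked vehicle inside each of the renter's own booking windows. It refuses naive timestamps, because a reading without an offset cannot be placed reliably against a handover time, and it marks the handover snapshot (the reading taken at the moment the keys change hands, which sits on both renters' contracts) so the recipient can tell it from in-rental data. The schema name and field names are assumptions; the Data Act does not prescribe them.

```python
import json
from datetime import datetime, timezone

# Constructed sample data for the example; not from any real system.
BOOKINGS = [
    {"booking_id": "B-1001", "renter_id": "R-42", "vehicle_id": "V-7",
     "pickup": "2025-09-01T08:00:00+02:00", "return": "2025-09-03T08:00:00+02:00"},
    {"booking_id": "B-1002", "renter_id": "R-99", "vehicle_id": "V-7",      # next renter, same car
     "pickup": "2025-09-03T08:00:00+02:00", "return": "2025-09-05T18:00:00+02:00"},
    {"booking_id": "B-1003", "renter_id": "R-42", "vehicle_id": "V-8",
     "pickup": "2025-09-10T09:00:00+02:00", "return": "2025-09-11T09:00:00+02:00"},
]
TELEMATICS = [
    {"vehicle_id": "V-7", "ts": "2025-09-01T09:15:00+02:00", "odometer_km": 12000, "fuel_pct": 95, "lat": 52.52, "lon": 13.40},
    {"vehicle_id": "V-7", "ts": "2025-09-02T17:30:00+02:00", "odometer_km": 12230, "fuel_pct": 60, "lat": 53.55, "lon": 9.99},
    {"vehicle_id": "V-7", "ts": "2025-09-03T08:00:00+02:00", "odometer_km": 12300, "fuel_pct": 40, "lat": 52.52, "lon": 13.40},  # handover
    {"vehicle_id": "V-7", "ts": "2025-09-04T12:00:00+02:00", "odometer_km": 12410, "fuel_pct": 30, "lat": 51.34, "lon": 12.37},  # R-99's trip
    {"vehicle_id": "V-8", "ts": "2025-09-10T12:00:00+02:00", "odometer_km": 8000,  "fuel_pct": 80, "lat": 48.14, "lon": 11.58},
    {"vehicle_id": "V-8", "ts": "2025-09-12T12:00:00+02:00", "odometer_km": 8100,  "fuel_pct": 70, "lat": 48.14, "lon": 11.58},  # after return
]


def _ts(s: str) -> datetime:
    """Parse ISO 8601 and refuse naive timestamps: without an offset the window
    comparison below is unreliable, which is how neighbouring rentals leak."""
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        raise ValueError(f"naive timestamp rejected: {s}")
    return dt.astimezone(timezone.utc)


def records_for_booking(booking, telematics):
    """Readings for the booked vehicle inside [pickup, return], both ends inclusive,
    because the handover reading is written on both renters' contracts. Anything
    outside the window belongs to another rental and is dropped."""
    start, end = _ts(booking["pickup"]), _ts(booking["return"])
    out = []
    for rec in telematics:
        if rec["vehicle_id"] != booking["vehicle_id"]:
            continue
        t = _ts(rec["ts"])
        if start <= t <= end:
            row = dict(rec)
            row["ts"] = t.isoformat()                 # normalised to UTC in the file
            row["handover_snapshot"] = t in (start, end)
            out.append(row)
    return sorted(out, key=lambda r: r["ts"])         # UTC ISO strings sort chronologically


def export_for_renter(renter_id, bookings=BOOKINGS, telematics=TELEMATICS, now=None):
    """Machine-readable export: one entry per booking the renter actually held."""
    now = now or datetime.now(timezone.utc)
    export = {"schema": "connected-vehicle-export/1",   # assumed name, not prescribed by the Act
              "renter_id": renter_id, "generated_at": now.isoformat(), "bookings": []}
    for b in bookings:
        if b["renter_id"] != renter_id:
            continue
        export["bookings"].append({
            "booking_id": b["booking_id"],
            "vehicle_id": b["vehicle_id"],
            "period_utc": [_ts(b["pickup"]).isoformat(), _ts(b["return"]).isoformat()],
            "records": records_for_booking(b, telematics),
        })
    return export


def check_no_leak(export, bookings):
    """Independent gate before delivery: every reading in the file must fall inside
    one of this renter's own booking windows for that vehicle. Returns True or raises."""
    own = [b for b in bookings if b["renter_id"] == export["renter_id"]]
    for bk in export["bookings"]:
        for r in bk["records"]:
            t = _ts(r["ts"])
            inside = any(b["vehicle_id"] == r["vehicle_id"] and _ts(b["pickup"]) <= t <= _ts(b["return"])
                         for b in own)
            if not inside:
                raise AssertionError(f"reading {r['ts']} for {r['vehicle_id']} is outside the renter's bookings")
    return True


def to_json(export) -> str:
    return json.dumps(export, indent=2, sort_keys=True)


if __name__ == "__main__":
    ex = export_for_renter("R-42")
    check_no_leak(ex, BOOKINGS)
    print(to_json(ex))
```

Run it and the export for R-42 carries three readings for the first booking (the last one flagged as the handover snapshot), one for the second, and nothing from the 4 September trip that belongs to R-99. The separate `check_no_leak` pass is deliberate: it is cheap, it does not share logic with the selection code, and it is the control you can point to when asked how you prevent one renter's route from reaching another.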