Data protection and customer blacklist management in the car rental sector

Reports | 10 December 2025
The Spanish Data Protection Agency reinforces its restrictive criteria on legitimate interest, automated decisions and commercial exclusion.

1. Main grounds for the Resolution

Case PS/00215/2024 was initiated following a complaint from a customer whose vehicle reservation was denied by GOLDCAR SPAIN, S.L. in 2021, based on an internal note classified as a "serious incident".


This note stemmed from an incident that occurred three years earlier (2018), when the vehicle rented by the complainant was reported stolen. Although the car was subsequently recovered and no negligence or breach of contract on the part of the customer was proven, the company maintained a risk flag in its internal system ("Sigger System") which, without having been reviewed or cancelled, was used as grounds for refusing to allow him to hire a new rental car years later.


After analysing the documentation provided, the AEPD determined that this practice constitutes autonomous and independent processing of personal data, unrelated to the initial purpose of managing the rental contract. Consequently, it must have a specific legal basis and adequate information for the data subject, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, "GDPR").


Based on the preliminary proceedings, the Agency considers the following points to be proven, the legal assessment of which is decisive:


a) Lack of assessment of weighting or documentary justification

GOLDCAR did not provide any document proving that it had carried out a weighting assessment or proportionality analysis, prior to the processing, with regard to the use of customer data to prevent possible fraud. Although GOLDCAR did provide a document weighing up these interests, the AEPD considers that, as it is not dated, it cannot be shown to have been drawn up before the data processing took place and is therefore not applicable to this specific case.


This requirement of timeliness, although not formally listed in the GDPR, derives from the proactive responsibility established in Article 5.2 and constitutes the embodiment of the principle of "accountability". Thus, any processing covered by legitimate interest (Art. 6.1.f) requires internal documentation demonstrating:

  • The existence of a real and specific interest on the part of the controller.
  • The necessity of the processing to achieve this interest.
  • The balancing of that interest against the rights and freedoms of the data subject.


In the absence of this documentation, the processing cannot be considered legitimate, as the balancing of interests cannot be presumed but must be proven.


The Agency considers this omission to be particularly serious, as it seems to indicate, according to its interpretation, that the processing was carried out without a prior analysis of the risk to the rights of the data subject.


b) Lack of prior information to the data subject

The AEPD's investigation confirmed that the complainant was not informed that the personal data provided during the hiring of the first rental car could be stored and reused for a different purpose — the prevention of risks or exclusion of customers from hiring — nor was he informed at any time of the existence of internal alert or blocking systems for incidents similar to the present case.


In this regard, the AEPD points out in its decision that compliance with the obligations of information and legitimacy is assessed at the time of processing, not retroactively. Therefore, the privacy policy updated in 2024 — provided by GOLDCAR to justify the processing — was not applicable to the facts analysed, given that the processing took place between 2018 and 2021.


Thus, even though subsequent versions of the policy introduced references to "fraud prevention" or "fleet protection", this ex post facto information is not sufficient to remedy a pre-existing lack of legal basis.


This reasoning is based on the fact that a controller cannot retrospectively correct a defect in information or legitimacy once the processing has already had an effect on the rights of the data subject, such as refusing to hire a car.


c) No objective or real risk of fraud

Another key element of the Resolution is the finding that there was no objective or proven risk of fraud that would justify the inclusion of the complainant in an internal exclusion register. The entry in the "Sigger System" was based on an initial, unconfirmed suspicion arising from an objective incident (the reported theft of the vehicle), not on proven malicious or negligent conduct on the part of the complainant.


The AEPD considers that this preventive use of personal data does not satisfy the principle of necessity and proportionality, nor can it be automatically justified on the grounds of legitimate interest, as might be the case with "blacklists" that have their origin in legal authorisations directly derived from the law. In this regard, the AEPD's reference to a report by its Legal Department (0201/2010) is particularly important:


"As this report clearly indicates, a clear example of these lists are credit information systems, whose regulation expressly establishes the objective factual circumstances that determine the recording of personal data in such systems, as well as the need, as a determining requirement for the lawfulness of data processing, to give prior notice of the possibility of recording the data if the factual circumstances determining the recording objectively exist."


In other words, the conclusion that can be drawn from the AEPD's interpretation is that GOLDCAR, in this case, would not, de facto, have sufficient legitimacy to maintain these blacklists. However, this interpretation, in the case of a financial institution or an entity subject, among others, to anti-money laundering regulations, could vary as there is a legal framework enabling this type of processing, reinforcing the legitimacy for doing so.


As things stand, according to the AEPD, the processing was based on a subjective risk assessment, without sufficient grounds and, moreover, prolonged for more than three years. In this regard, the Agency emphasises that generic fraud prevention is not sufficient to legitimise the processing: the controller must demonstrate that the processing is strictly necessary to prevent a certain, current and relevant risk, and not a mere abstract possibility.


Otherwise, according to the AEPD, legitimate interest becomes an empty concept that distorts the balance that the GDPR seeks to guarantee between data protection and business interests.


2. Is it possible to use legitimate interest for the creation of "blacklists"?

Resolution PS/00215/2024 does not establish an express or general prohibition on the use of legitimate interest as a legal basis for the creation or maintenance of internal commercial exclusion lists. However, it does propose a restrictive interpretation of the requirements necessary for this basis to be valid in contexts where the processing of personal data may have adverse effects on the rights of the data subject.


a) Applicable requirements

Article 6.1.f of the GDPR allows data processing when "it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party," provided that the interests or fundamental rights and freedoms of the data subject do not prevail.

Likewise, the European Data Protection Board (EDPB) has developed a methodological framework in the form of a three-part test that requires verification of:

  • The existence of a legitimate interest (lawful, specific and real).
  • The necessity of the processing to achieve it.
  • That the rights and freedoms of the data subject do not override that interest (balancing of interests).

b) The position of the AEPD

From a practical and preventive approach, the key aspects pointed out by the Agency with regard to the use of this legal basis are worth highlighting. Specifically, the Agency requires:

  • A prior and duly documented balancing assessment, which cannot be carried out after the processing. The legitimate interest must be justified in a balancing report that anticipates the impact on the rights of the data subject and documents mitigation measures.
  • Clear and specific information to the data subject, at the time of data collection, about the possibility that their data may be processed for commercial exclusion purposes.
  • Review of the processing. Furthermore, any risk annotation must have a defined retention period, linked to the purpose that gave rise to it, and be subject to review.
  • Proof of an objective, current and sufficiently substantiated risk, ruling out that a mere suspicion or antecedent not attributable to the data subject can justify their inclusion in a restrictive list.
  • Effective proactive responsibility: compliance must be demonstrated with documentary evidence. The absence of assessment records, policies applicable at the time of processing or traceability of decisions may imply the risk of entities facing heavy penalties.

These conditions, although aligned with the principles of the GDPR, could be interpreted as raising the legal standard beyond what is required by the GDPR itself, especially with regard to the need to demonstrate in advance and exhaustively the proportionality of the processing in scenarios where, by definition, the risk is uncertain or preventive.


3. Conclusions

Resolution PS/00215/2024 of the AEPD seems to provide a particularly demanding interpretative criterion in relation to the use of legitimate interest as a legal basis for internal commercial exclusion systems, consolidating a restrictive doctrine on the processing of personal data with adverse legal effects for data subjects.


By establishing such a high standard of compliance — close to that of processing based on express legal authorisation — the Agency could have an inhibitory effect on business practices for contractual risk management, particularly in sectors such as the one analysed, where there are no specific sectoral regulations for this type of processing.


In short, although the AEPD provides guidance in its Resolution on the level of diligence required for processing based on legitimate interest, it also reveals a certain interpretative ambiguity, in that it does not deny the general lawfulness of this type of processing (creation of blacklists), but seems to make it conditional on the existence of an enabling regulation, which is a requirement not contemplated in data protection regulations and whose enforceability is debatable, provided that the existence of an overriding legitimate interest can be duly substantiated.


Information note prepared by the Data Protection Department of ECIJA Madrid.
