GOLDCAR SPAIN, S.L. – €100,000 Fine (Spain, 2025)

GOLDCAR SPAIN, S.L. (the controller) is a car rental company. A data subject made a reservation on the controller’s website to rent a car, and was later denied due to an entry in the controller’s database for a previous rental contract signed three years earlier. According to the controller, the data subject gave the keys to a third person, and as a result, the car disappeared and was later found in Poland. The data subject brought a complaint to the DPA on the grounds that the controller linked their data from a previous incident through an alert system without their consent. This also prevented the data subject from accessing the controller’s services. The controller therefore processed data without a legal basis. The controller argued that it complied with data protection laws at the time, as the incident occurred before the GDPR came into force. According to the controller, it did not need to inform the data subject of the legal basis. In addition, the controller argued that processing data in the alert system was based on its legitimate interest, and necessary to offset the risk of fraud and damages to the rental cars. The DPA found a violation of Article 6(1) GDPR, as the controller processed data without a legal basis. The DPA stated that the controller could not rely on legitimate interest (Article 6(1)(f) GDPR) or contract (Article 6(1)(b) GDPR) to process the data. The controller could not rely on contractual necessity to process data in relation to blacklists, according to the Working Party 29.Working Party 29, Working Document on Blacklists, 3 October 2002. Available here: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2002/wp65_en.pdf In terms of legitimate interest, the DPA stated that fraud prevention could be a valid legitimate interest. However, the DPA considered that the rights and freedoms of data subjects prevail in this case. The DPA also noted that the controller had not carried out a balance test of