GDPR for Transfer Companies — What You Need to Know
If you operate a transfer or chauffeur company in Europe, GDPR is not optional. You collect personal data every time a passenger books a ride. Here is a practical guide to staying compliant without drowning in paperwork.
1. Why GDPR Matters for Transfer Companies
The General Data Protection Regulation (GDPR) applies to every company that processes personal data of individuals in the EU — regardless of where the company is based. Transfer companies are particularly affected because they handle sensitive data daily: passenger names, phone numbers, flight details, hotel addresses, payment information, and GPS routes.
Non-compliance is not just a theoretical risk. Fines can reach up to €20 million or 4% of annual revenue, whichever is higher. But beyond fines, data breaches destroy client trust — and in the VIP transfer business, trust is everything. Corporate clients and luxury hotels will not work with operators who cannot guarantee data security.
2. What Data You Collect
Most transfer companies do not realize how much personal data they process. Here is a typical breakdown:
| Data Category | Examples | Sensitivity |
|---|---|---|
| Passenger data | Name, phone, email, flight number, hotel address | High |
| Client / booker data | Company name, billing address, contact persons, VAT number | Medium |
| Driver data | Name, phone, license number, location tracking, work hours | High |
| Route data | Pickup/dropoff addresses, GPS tracks, travel times | Medium |
| Payment data | Credit card details, invoices, transaction history | Very high |
| Communication logs | Emails, SMS, WhatsApp messages with passengers | Medium |
3. Consent and Legal Basis
Under GDPR, you need a lawful basis for processing every type of personal data. For transfer companies, three bases are most relevant:
- Contract performance (Article 6(1)(b)) — You need the passenger's name, phone, and pickup address to fulfill the transfer booking. This is your primary legal basis for most order-related data. No separate consent is needed.
- Legitimate interest (Article 6(1)(f)) — You can argue legitimate interest for things like driver GPS tracking during active rides (safety), storing client history for better service, and basic analytics. Document your reasoning.
- Consent (Article 6(1)(a)) — Required for marketing emails, sharing data with third parties, and storing data beyond what is needed for the contract. Consent must be freely given, specific, and easy to withdraw.
The key takeaway: you do not need to ask passengers for consent to process their booking data. But you do need consent for marketing, and you need to document your legal basis for everything else.
4. Data Storage and Security
GDPR requires you to implement “appropriate technical and organizational measures” to protect personal data. For transfer companies, this means:
1. EU-based servers — Store all personal data within the EU. Transferring data outside the EU requires additional safeguards (Standard Contractual Clauses or adequacy decisions).
2. Encryption — Use HTTPS for all data in transit and encrypt sensitive data at rest. This includes your database, backups, and any exported files.
3. Access controls — Not everyone in your company needs access to all data. Drivers should see only their assigned orders. Dispatchers should not access financial records. Use role-based permissions.
4. Data retention policy — Define how long you keep data. Order data is typically retained for 5–7 years (tax obligations). Passenger phone numbers and emails should be deleted when no longer needed.
5. Breach notification — If personal data is compromised, you must notify your supervisory authority within 72 hours and affected individuals without undue delay.
5. Data Subject Rights
Under GDPR, your passengers, clients, and drivers have specific rights regarding their data. You must be prepared to handle these requests:
Right of access
Individuals can request a copy of all personal data you hold about them. You have 30 days to respond.
Right to rectification
If data is incorrect, they can ask you to fix it. Update it across all your systems promptly.
Right to erasure
The “right to be forgotten.” Individuals can ask you to delete their data, unless you have a legal obligation to retain it.
Right to portability
They can request their data in a machine-readable format (CSV, JSON) to transfer to another provider.
In practice, most transfer companies receive very few data subject requests. But you must have a process in place. Your CRM should make it easy to export, update, or delete a passenger's data when requested.
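As an added example, not code from this article or from TransferCRM, the sketch below combines the access-control rule from section 4 (drivers see only their assigned orders, dispatchers never see financial fields) with an erasure request handled under the order retention period from section 5. Role names, field names and the sample record are assumptions.

```python
from datetime import date, timedelta

ORDER_RETENTION_YEARS = 7  # upper end of the 5-7 year tax retention the article cites

# Fields each role may read. Financial fields are deliberately absent for drivers
# and dispatchers; None means "all fields" (admin). Role and field names are assumed.
ROLE_FIELDS = {
    "driver": {"order_id", "pickup", "dropoff", "pickup_time",
               "passenger_name", "passenger_phone"},
    "dispatcher": {"order_id", "pickup", "dropoff", "pickup_time", "flight", "driver_id",
                   "passenger_name", "passenger_phone", "passenger_email"},
    "admin": None,
}
# Identifying contact data that an erasure request removes immediately.
CONTACT_FIELDS = ("passenger_name", "passenger_phone", "passenger_email", "flight")


def sample_order() -> dict:
    """Constructed sample record (not real data)."""
    return {
        "order_id": "ORD-1001", "order_date": date(2024, 6, 1), "driver_id": "drv-7",
        "pickup": "Airport Terminal 2", "dropoff": "Hotel Example", "pickup_time": "14:30",
        "flight": "XY123", "passenger_name": "Jane Example",
        "passenger_phone": "+49 170 0000000", "passenger_email": "jane@example.com",
        "amount_eur": 85.0, "invoice_no": "INV-2024-0442", "card_last4": "4242",
    }


def view_order(order: dict, role: str, user_id: str) -> dict:
    """Return the subset of an order the caller may see, enforcing the role rules above."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    if role == "driver" and order.get("driver_id") != user_id:
        raise PermissionError("drivers may only view orders assigned to them")
    allowed = ROLE_FIELDS[role]
    return dict(order) if allowed is None else {k: v for k, v in order.items() if k in allowed}


def erase_passenger(order: dict, today: date) -> dict:
    """Handle an erasure request: contact data goes at once; invoice-relevant fields
    stay until the tax retention period has run, after which the record is purged."""
    retain_until = order["order_date"] + timedelta(days=365 * ORDER_RETENTION_YEARS)
    if today > retain_until:
        return {"order_id": order["order_id"], "status": "purged"}
    return {k: v for k, v in order.items() if k not in CONTACT_FIELDS}
```

A real system would also write an audit log entry for every call to these two functions, which is the evidence a supervisory authority will ask for.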
6. Choosing GDPR-Compliant Software
Your CRM and dispatch software is where most personal data lives. Choosing a GDPR-compliant solution is one of the most impactful decisions you can make. Here is what to look for:
- EU data hosting — Your data should be stored on EU-based servers. Most US-based CRMs store data in the US, which creates compliance complexity.
- Role-based access — The software should let you control who sees what. Drivers see only their orders. Dispatchers see operations. Admins see everything.
- Data export and deletion — You need to be able to export a client's data (for portability requests) and delete it (for erasure requests) directly from the software.
- Audit logging — Every data access and modification should be logged. This helps you demonstrate compliance and investigate any issues.
- Encryption and 2FA — The software should encrypt data at rest and in transit, and support two-factor authentication for all user accounts.
- Data Processing Agreement — Your software vendor is a “data processor” under GDPR. They should offer a signed DPA that outlines their obligations.
TransferCRM is built for European operators with GDPR compliance at its core: EU-based infrastructure, role-based permissions, audit logs, data export, 2FA, and a signed Data Processing Agreement included on all plans.