Answer

Personal data should only be processed where it isn’t reasonably feasible to carry out the processing in another manner. Where possible, it is preferable to use anonymous data. Where personal data is needed, it should be adequate, relevant, and limited to what is necessary for the purpose (‘data minimisation’). It’s your company/organisation's responsibility as controller to assess how much data is needed and ensure that irrelevant data isn’t collected.

Example

Your company/organisation offers car-sharing services to individuals. For those services it may require the name, address and credit card number of your customers and potentially even information on whether the person has a disability (so health data), but not their racial origin.

References

  • Article 5(1)(c) and Recital (39) of the GDPR