GDPR unified and clarified all the different directions and laws active in EU member states before. So while most of those indeed were illegal before in one or more member states, all of them are illegal now in all member states. As such, GDPR does not really extend privacy protection de jure but merely helps enforcement by unifying protections de jure and hence allowing for a more efficient enforcement de facto.
Depending on the circumstances (I didn't actually look into it) the rental car tracking could have been done in ways that were at least arguably legal under EU law (though at least several member states had legislation that would have covered that).