Inquiry into Airbnb Ireland UC - September 2022
Date of Decision: 14 September 2022
On 14 September 2022, following an inquiry the Data Protection Commission (the DPC) adopted a decision to exercise corrective powers on Airbnb Ireland UC (Airbnb).
The DPC commenced this inquiry on 25 March 2021, on foot of a complaint that Airbnb failed to comply with an erasure request and a subsequent access request the Complainant had submitted to it within the statutory timeframe and further that when the Complainant submitted their request for erasure, Airbnb requested that they verify their identity by providing a photocopy of their identity document (ID) which they had not previously provided to Airbnb.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Airbnb had a lawful basis for requesting a copy of the Complainant’s I.D. in order to verify their identity in circumstances where they had submitted a request for erasure pursuant to Article 17;
- Whether Airbnb’s handling of the Complainant’s erasure request was compliant with the GDPR and the Act; and
- Whether Airbnb’s handling of the Complainant’s access request was compliant with the GDPR and the Act.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on Wednesday, 14 September 2022, records findings of infringement as follows:
- Article 5(1)(c) of the GDPR
The DPC finds that Airbnb’s requirement that the Complainant verify their identity by way of submission of a copy of their photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR. This infringement occurred in circumstances where less data-driven solutions to the question of identity verification were available to Airbnb.
- Article 6(1) of the GDPR
The DPC finds that, in the specific circumstances of this complaint, the legitimate interest pursued by the controller does not constitute a valid lawful basis under Article 6 of the GDPR for seeking a copy of the Complainant’s photographic ID in order to process their erasure request.
- Article 12(3) of the GDPR
The DPC finds that Airbnb infringed Article 12(3) of the GDPR with respect to its handling of the Complainant’s access request. This infringement occurred when Airbnb failed to provide the Complainant with information on the action taken on their request within one month of the receipt of the access request.
For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - September 2022 (PDF, 5.5mb).