DPC (Ireland) - Inquiry into Airbnb Ireland UC - January 2024

Summary

The Irish Data Protection Commission (DPC) has concluded an inquiry into Airbnb Ireland UC, finding that the company violated GDPR. Airbnb lacked a legal basis to require a data subject's ID to process an erasure request, thus breaching data minimization principles. While Airbnb ultimately fulfilled the request without the ID, the initial requirement was deemed a violation.

Full text

Help DPC (Ireland) - Inquiry into Airbnb Ireland UC - January 2024: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 07:50, 24 April 2024 view sourceLm (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators364 editsmTag: Visual edit← Older edit Latest revision as of 08:16, 24 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators118 edits (2 intermediate revisions by the same user not shown)Line 10: Line 10: |ECLI=|ECLI= |Original_Source_Name_1=|Original_Source_Name_1=DPC |Original_Source_Link_1=|Original_Source_Link_1=https://www.dataprotection.ie/en/dpc-guidance/decisions/inquiry-airbnb-ireland-uc-january-2024 |Original_Source_Language_1=|Original_Source_Language_1= English |Original_Source_Language__Code_1=|Original_Source_Language__Code_1= Latest revision as of 08:16, 24 June 2026 DPC - Inquiry into Airbnb Ireland UC - January 2024 Authority: DPC (Ireland) Jurisdiction: Ireland Relevant Law: Article 5(1)(c) GDPR Article 6 GDPR Type: Complaint Outcome: Partly Upheld Started: 08.12.2022 Decided: 31.01.2024 Published: Fine: n/a Parties: Airbnb Ireland UC National Case Number/Name: Inquiry into Airbnb Ireland UC - January 2024 European Case Law Identifier: n/a Appeal: Not appealed Original Language(s): English Original Source: DPC (in ) Initial Contributor: lm The DPA found that Airbnb lacked a legal basis for requiring a data subject’s ID in order to fulfill his erasure request, and thus violated data minimisation obligations in requesting the ID. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A data subject lodged a complaint with the Berlin DPA against Airbnb (the controller). In the process of registering on the platform, a data subject submitted his email address and phone number. When he was prompted to submit his identification information (ID), he decided to cancel his registration. He requested that the controller delete all of his personal data and ensure that none of it was transferred to third parties. The controller informed the data subject that it was not possible to delete his personal data without his ID. On 7 February 2020, the Berlin DPA transferred the complaint to the Irish DPA (DPC). The DPC informed the controller of the complaint on 25 May 2020. The controller could not locate the data subject's account, but on 1 December 2021 it responded to the DPC's notification. It stated that in 2019, ID verification was its preferred method of authenticating deletion requests and argued that this was based on its legitimate interest in verifying the authenticity of requests and ensuring appropriate deletion of accounts. The controller also noted that despite requesting the data subject's ID, it ultimately fulfilled the data subject's erasure request without requiring the documentation. With regard to sharing data with third parties, the controller stated that it does not sell user data for advertising purposes or sell messaging communications with third parties. On 8 December 2022, the DPC issued a Notice of Commencement of Inquiry to the controller. Holding The DPC found that the controller lacked a legal basis under Article 6 GDPR for processing the complainant’s ID to delete his account. In addition, the controller violated Article 5(1)(c) GDPR’s principle of data minimisation by requiring that the complainant verify his identity with a copy of his ID in order to make an erasure request. No evidence was provided showing that the controller requested the data subject’s ID during the registration process, and thus the DPC found no GDPR violation for this action. However, there was evidence that the controller requested the data subject’s ID in order to fulfill his erasure request. Even though the controller ultimately fulfilled the data subject’s erasure request without ID documentation, the DPC considered that the ID requirement to exercise Article 17 GDPR erasure rights constituted a collection of personal data. It rejected the controller’s argument that legitimate interest was a proper legal basis. While the DPC acknowledged that the controller had a legitimate interest in ensuring that it does not delete personal data in an illegitimate or inappropriate circumstance, it did not demonstrate that the request for ID was necessary or proportionate in this instance given that the data subject could confirm his identity through other means such as logging in to his account. Thus, there was no legal basis under Article 6 GDPR. In addition, the DPC found that the controller violated the principle of data minimization when it requested a copy of the data subject’s ID It noted that the controller lacked ‘reasonable doubt’ concerning the data subject’s identity and thus did not have a basis under Article 12(6) to request additional information. The controller also failed to demonstrate that it first attempted to use other tools it already possessed, such as authentication by login. In light of the violations, the DPC issued a reprimand pursuant to Article 58(2)(b) GDPR. In deciding not to issue a fine, it considered that Airbnb had discontinued the practice of requesting a copy of IDs to verify erasure requests. Comment In several decisions last year, the Irish DPC already reprimanded Airbnb for different GDPR violations relating to its processing activities, and in particular concerning its identity verification procedure (see DPC (Ireland) - IN-21-3-1; DPC (Ireland) - Inquiry into Airbnb Ireland UC - 28 September 2023). What is striking here is that the corrective measure adopted is always a reprimand and never a fine, even though the DPC recognises that it should "select a measure that is effective, proportionate and dissuasive in response to the particular infringements". As stated in Article 83(2)(e) GDPR, when considering the imposition of an administrative fine, due regard shall be given to relevant previous infringements by the controller. Further, under letter (i) of the same Article, due regard shall be given to the compliance with measures already imposed under Article 58(2) GDPR, which includes reprimands. This suggests that the conditions for imposing a fine were given in this case, but the DPC intentionally decided to, once again, opt for a less dissuasive reprimand. Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the original. Please refer to the original for more details. Inquiry into Airbnb Ireland UC - January 2024 Date of decision: 31 January 2024 On 31 January 2024, following an inquiry concerning a complaint received against Airbnb Ireland UC (Airbnb), the Data Protection Commission (the DPC) adopted a decision. The DPC had commenced this inquiry on 8 December 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the complainant’s ID (ID) in order to verify their identity in order to carry out an erasure request when he decided to discontinue with the registration process. The complainant alleged that during the course of his registration with the platform, Airbnb sought a copy of his identity to complete the registration process. The complainant had entered his email address and phone number. He had also ticked a box to be excluded from advertising emails. The complainant stated that once he was asked to submit his ID documentation, he decided to abort his registration process. He provided his email address and created a password to access an internal area within the platform and within this area he asked Airbnb to delete all of his personal data and ensure that none of his data was transferred to third parties. The complainant stated that he was told that it was not possible to delete his data without his ID. He stated that he did not consider

Entities