Airbnb Ireland UC – Complaint Upheld (Ireland, 2023)

Complaint Upheld
Data Protection Commission, 14 September 2023, Ireland
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Airbnb Ireland UC faced a complaint for not deleting a user's personal data as requested. The company failed to keep the user informed about their erasure request, which is crucial for user trust. This case highlights the need for companies to respect user requests regarding their data.

What happened

A user asked Airbnb to delete their personal data but received no updates on the request.

Who was affected

The affected person was a user of Airbnb who wanted their personal data removed from the platform.

What the authority found

The Irish data protection authority upheld the complaint, indicating that Airbnb did not comply with the user's request for data deletion.

Why this matters

This case shows that companies must take user data requests seriously and communicate effectively. It reminds businesses to have clear processes for handling data deletion requests.

GDPR Articles Cited

Art. 5(1)(c) GDPR
Art. 6(1)(f) GDPR
Art. 12(4) GDPR
Art. 17(1) GDPR
Art. 17(3)(e) GDPR

Source verified 23 March 2026
articles corrected
Full Legal Summary

A data subject asked Airbnb Ireland UC, the controller, to delete all personal data relating to him in 2018 and then submitted that he wished to withdraw his consent for the storing, using and sharing of his personal data processed by the controller. The controller's only response was that it would delete his personal data unless it was allowed or required to retain such data under the GDPR, and that this might take a long time. The data subject never received any further updates on his deletion request.

The data subject initially filed a complaint with the Cypriot DPA in December 2018 against the controller for failing to comply with his erasure request, for unlawfully retaining his data and for failing to comply with the principles of data minimization and transparency in relation to its obligation to provide information to the data subject. In its capacity as concerned Supervisory Authority, the Cypriot DPA transferred the case in March 2019 to the Irish DPC as Lead Supervisory Authority, which decided on the case in accordance with Article 60 GDPR.

In its submissions to the DPC, the controller stated that it was aware that the complainant ran eight accounts on its platform, and that his accounts were suspended after it learned that he had assaulted a guest in November 2018, as evidenced by a police record provided by the guest. The controller justified its decision not to comply with the data subject's erasure request of December 2019 by stating that such data could potentially be used in criminal or civil proceedings on the assault involving the data subject and potentially the controller too. In the controller's view, this is allowed under Article 17(3)(b) GDPR and Article 17(3)(e) GDPR, as the information was kept for legal compliance purposes; it complies with the processing principles of Article 5 GDPR; and it rests on Article 6(1)(f) GDPR, as the controller has a legitimate interest in keeping its platform safe. In a further submission by th

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Details

Decision Date: 14 September 2023

Authority: Data Protection Commission

GDPRhub ID: gdprhub-6335

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Airbnb Ireland UC - Ireland (2023). Retrieved from cookiefines.eu
