Airbnb Ireland UC – Complaint Upheld (Ireland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Ireland's Data Protection Commission upheld a complaint against Airbnb for not properly handling a user's request to delete their personal data. The company initially required ID verification to process the deletion request, which the DPC found unnecessary. This case shows that companies must respect users' requests for data deletion without imposing unnecessary barriers.
What happened
Airbnb required a user to provide ID verification to delete their account, which the DPC found was not legally justified.
Who was affected
A user who wanted to delete their personal data from Airbnb's platform was affected.
What the authority found
The DPC ruled that Airbnb lacked a valid legal basis for requiring ID verification to process the user's deletion request, violating data protection principles.
Why this matters
This decision highlights the importance of data minimization and user rights in data protection. Companies should streamline their processes for handling deletion requests to avoid unnecessary complications.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject lodged a complaint with the Berlin DPA against Airbnb (the controller). In the process of registering on the platform, a data subject submitted his email address and phone number. When he was prompted to submit his identification information (ID), he decided to cancel his registration. He requested that the controller delete all of his personal data and ensure that none of it was transferred to third parties. The controller informed the data subject that it was not possible to delete his personal data without his ID. On 7 February 2020, the Berlin DPA transferred the complaint to the Irish DPA (DPC). The DPC informed the controller of the complaint on 25 May 2020. The controller could not locate the data subject's account, but on 1 December 2021 it responded to the DPC's notification. It stated that in 2019, ID verification was its preferred method of authenticating deletion requests and argued that this was based on its legitimate interest in verifying the authenticity of requests and ensuring appropriate deletion of accounts. The controller also noted that despite requesting the data subject's ID, it ultimately fulfilled the data subject's erasure request without requiring the documentation. With regard to sharing data with third parties, the controller stated that it does not sell user data for advertising purposes or sell messaging communications with third parties. On 8 December 2022, the DPC issued a Notice of Commencement of Inquiry to the controller. The DPC found that the controller lacked a legal basis under Article 6 GDPR for processing the complainant’s ID to delete his account. In addition, the controller violated Article 5(1)(c) GDPR’s principle of data minimisation by requiring that the complainant verify his identity with a copy of his ID in order to make an erasure request. No evidence was provided showing that the controller requested the data subject’s ID during the registration process, and thus the DPC found no GDPR violatio
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (2)
Other enforcement actions involving Airbnb Ireland UC in IE
Complaint Upheld
Details
About this data
Cite as: Cookie Fines. Airbnb Ireland UC - Ireland (2024). Retrieved from cookiefines.eu
Last updated: