Airbnb – Violation Found (Ireland, 2023)

Violation Found
Data Protection Commission | 20 July 2023 | Ireland
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Airbnb faced a complaint for not properly handling a user's requests to delete their data. The company failed to acknowledge two previous requests from the user; acknowledging such requests is important for respecting people's privacy rights. Although no fine was imposed, the case emphasizes the need for companies to respond promptly to data requests.

What happened

Airbnb did not comply with a user's requests to erase their personal data.

Who was affected

The user who requested the deletion of their personal data from Airbnb.

What the authority found

The Irish data protection authority found that Airbnb did not adequately respond to the user's erasure requests.

Why this matters

This ruling highlights the importance of timely and proper responses to user data requests. Companies should ensure they have clear processes in place to handle such requests effectively.

GDPR Articles Cited

Art. 6 GDPR
Art. 12 GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 5(1)(c) GDPR

Full Legal Summary

A complaint was initially submitted against Airbnb to a German DPA on 6 July 2018. In the complaint, the data subject claimed that Airbnb had failed to comply with two erasure requests he had made on 18 September 2015 and 12 October 2015. The complainant discovered that his erasure requests had not been complied with when, on 9 June 2018, he found that his account was still active.

The complainant submitted an access request to Airbnb (the controller) on 6 July 2018, asking Airbnb to provide information regarding: a) what data they had stored about him, b) where they obtained the data from, c) what legal basis was used for processing the data, d) to which other parties the data has been transferred. In this access request, the data subject expressly objected to a transfer to third parties and asked why his previous erasure requests from 2015 had not been carried out. In this email, he also resubmitted an access request.

On 6 July 2018, Airbnb acknowledged receipt of his email and responded on 17 July 2018 via email, requesting further information from the data subject in order to verify his identity to facilitate the access and erasure requests. In this email, Airbnb asked for a copy of the data subject’s identification documents. On 18 July 2018, the data subject responded, refusing to provide a copy of his ID. Airbnb responded to this email on 19 July 2018, asking to verify the data subject’s identity via telephone call instead, and the data subject agreed. On 31 July 2018, Airbnb conducted a telephone call with the data subject to authenticate his requests.

On 30 August 2018, Airbnb responded to the data subject’s access request by email and provided a copy of the data but did not acknowledge the erasure request. The data subject’s access request was made in German, and all other communications with Airbnb were also made in German. However, the email attaching his personal data was in English and contained unsorted table columns with incomprehensible column hea

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for Airbnb in IE

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

20 July 2023

Authority

Data Protection Commission

GDPRhub ID

gdprhub-6224

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Airbnb - Ireland (2023). Retrieved from cookiefines.eu
