Airbnb Ireland UC – Complaint Upheld (Ireland, 2024)

A data subject lodged a complaint with the Berlin DPA against Airbnb (the controller). In the process of registering on the platform, a data subject submitted his email address and phone number. When he was prompted to submit his identification information (ID), he decided to cancel his registration. He requested that the controller delete all of his personal data and ensure that none of it was transferred to third parties. The controller informed the data subject that it was not possible to delete his personal data without his ID. On 7 February 2020, the Berlin DPA transferred the complaint to the Irish DPA (DPC). The DPC informed the controller of the complaint on 25 May 2020. The controller could not locate the data subject's account, but on 1 December 2021 it responded to the DPC's notification. It stated that in 2019, ID verification was its preferred method of authenticating deletion requests and argued that this was based on its legitimate interest in verifying the authenticity of requests and ensuring appropriate deletion of accounts. The controller also noted that despite requesting the data subject's ID, it ultimately fulfilled the data subject's erasure request without requiring the documentation. With regard to sharing data with third parties, the controller stated that it does not sell user data for advertising purposes or sell messaging communications with third parties. On 8 December 2022, the DPC issued a Notice of Commencement of Inquiry to the controller. The DPC found that the controller lacked a legal basis under Article 6 GDPR for processing the complainant’s ID to delete his account. In addition, the controller violated Article 5(1)(c) GDPR’s principle of data minimisation by requiring that the complainant verify his identity with a copy of his ID in order to make an erasure request. No evidence was provided showing that the controller requested the data subject’s ID during the registration process, and thus the DPC found no GDPR violatio