Airbnb has breached the GDPR and DPC has issued a reprimand and requires remedial action.
The Irish Data Protection Commission has adopted its decision in an inquiry concerning Airbnb Ireland UC.
The DPC started the investigation on 4 March 2022, following a complaint that Airbnb had unlawfully requested a copy of the complainant's ID to verify their identity which had not been previously requested by Airbnb. The complainant argued that this also breached the principles of data minimisation and that Airbnb had also failed to comply with the principles of transparency and provision of information. Initial attempts by the complainant to verify their identity had been rejected by Airbnb as the ID provided did not meet their criteria. Ultimately the complainant verified their identity.
The inquiry considered if Airbnb:
As the processing was cross-border, the DPC's decision was subject to the cooperation and consistency mechanism in Article 60 of the GDPR. Under Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinions. The DPC received no objection.
The DPC found that Airbnb's retention of a copy of the complainant's identity verification process infringed the principles of data minimisation in Article 5(1)(c) and the principle of storage limitation in Article 5(1)(e). Furthermore, the DPC found that the continued processing and retention of partially redacted and out-of-date identity documents that had been deemed inadequate or insufficient to verify the identity of the complainant infringed the principles of data minimisation and storage limitation.
The DPC issued a reprimand to Airbnb under Article 58(2)(b) of the GDPR. In addition, the DPC made the following orders against Airbnb under Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements: