Ireland: DPC imposes reprimand and corrective measures on Airbnb for unlawfully processing ID documents
On September 28, 2023, the Data Protection Commission (DPC) published a summary of its decision in which it imposed a reprimand and corrective measures on Airbnb Ireland UC for violations of the General Data Protection Regulation (GDPR), following the receipt of a complaint.
Background to the decision
The DPC reported that, according to the complaint, Airbnb had requested a copy of the complainant's ID to verify their identity in order to complete a booking. In this regard, the complainant raised concerns in relation to identity theft given the volume of personal data that they were required to submit in order to complete the accommodation booking. Thereafter, in a further submission to the DPC, the complainant stated that Airbnb had initially wrongly understood that the complainant wanted to erase their Airbnb account. As a result, the complainant lodged a complaint regarding ID verification and also requested Airbnb to delete both the redacted and unredacted versions of their ID card.
Findings of the DPC
At the end of its investigation, the DPC found that Airbnb infringed Articles 5(1)(c), 5(1)(e), and 6(1)(f) of the GDPR. Specifically, according to the DPC, Airbnb did not validly rely on the legal basis of legitimate interest for processing the complainant's photographic ID and supplemental photographs and infringed the principle of data minimization when it required the complainant to verify their identity by submitting a complete and unredacted copy of their photographic ID. Moreover, by retaining a copy of the complainant's unredacted ID documents and supplemental images after the identity verification process was successfully completed, Airbnb was found in breach of the data minimization and storage limitation principles. Likewise, Airbnb was found to have violated the same principles by retaining identity documents that it had deemed inadequate or insufficient to verify the identity of the complainant.
Outcomes
As a result, the DPC issued a reprimand against Airbnb and ordered it to:
delete from all of its systems and records the supplemental photographs that the complainant provided, keeping only a record that such documentation was submitted and the date of submission; and
revise its internal policies and procedures to ensure that the seeking of photographic ID and supplemental photographs in the verification process for users is used only where necessary, proportionate, and in accordance with the GDPR.
You can read a summary of the decision here.