DPC (Ireland) - 20.07.2023 (case number redacted)

From GDPRhub
DPC - 20.07.2023 (case number redacted)
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(c) GDPR
Article 6 GDPR
Article 12 GDPR
Article 15 GDPR
Article 17 GDPR
Type: Investigation
Outcome: Violation Found
Started: 06.07.2018
Decided: 20.07.2023
Published:
Fine: n/a
Parties: Airbnb
National Case Number/Name: 20.07.2023 (case number redacted)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: n/a

The Irish DPC found that Airbnb was in violation of Articles 5, 12, 15 and 17 GDPR for an incomplete response to an access request and delays in addressing an erasure request. No fine was issued.

English Summary

Facts

A complaint was initially submitted against Airbnb to a German DPA on 6 July 2018. In the complaint the data subject claimed that Airbnb had failed to comply with two erasure requests he had made on 18 September 2015 and 12 October 2015. The Complainant discovered that his erasure requests had not been complied with when, on 9 June 2018, he found that his account was still active. The complainant submitted an access request to Airbnb (the controller) on 6 July 2018, asking Airbnb to provide information regarding: a) What data they had stored about him, b) Where they obtained the data from, c) What legal basis was used for processing the data, d) To which other parties the data has been transferred to.

In this access request, the data subject expressly objected to a transfer to third parties and asked why his previous erasure requests from 2015 had not been carried out. In this email, he also resubmitted an access request.

On 6 July 2018, Airbnb acknowledged receipt of his email and responded on 17 July 2018 via email, requesting further information from the data subject in order to verify his identity to facilitate the access and erasure requests. In this email, Airbnb asked for a copy of the data subjects’ identification documents.

On 18 July 2018, the data subject responded, refusing to provide a copy of his ID. Airbnb responded to this email on 19 July 2018, asking to verify the data subject’s identity via telephone call instead, the data subject agreed. On 31 July 2018, Airbnb conducted a telephone call with the data subject to authenticate his requests.

On 30 August 2018, Airbnb responded to the data subject’s access request by email and provided a copy of the data but did not acknowledge the erasure request. The data subject’s access request was made in German, and all other communications with Airbnb were also made in German. However, the email attaching his personal data was in English and contained unsorted table columns with incomprehensible column headings.

On 11 September 2018, the data subject responded to Airbnb’s previous communication, claiming that their response to his access request was incomplete. On 13 September 2018, Airbnb acknowledged receipt of the data subject’s email but made no further communications with the data subject.

The original complaint which was submitted on 6 July 2018 was then transferred to the Berlin DPA on 1 January 2019, as Airbnb’s German offices were based in Berlin. On 7 February 2020, the Berlin DPA transferred the complaint to the Irish DPA (DPC) in its capacity as the lead supervisory authority, as Airbnb’s main establishment is in Ireland (Articles 56 and 60 GDPR). However, all communications between the DPC and the data subject were still made through the Berlin DPA. On 13 May 2020, the DPC notified Airbnb of the complaint.

On 27 May Airbnb responded to the DPC, noting that the 2015-pre GDPR erasure requests had not been upheld because their systems registered them as spam-mail. Moreover, in relation to the access and erasure requests made by the data subject on 6 July 2018, Airbnb stated that the file was provided on 28 August following the confirmation of the data subject’s identity and that the data subject’s erasure request was “commenced on 29 August 2018.” In addition, as to Airbnb’s incomplete access request response, Airbnb noted that it had referred the data subject to sections 2,3,4 and 7 of its Privacy Policy, which Airbnb argued addressed the questions on “which data? From where? On what legal basis? Transferred to whom?”

The data subject was dissatisfied by Airbnb’s response of 27 May 2020 and communicated this to the Berlin DPA on 3 August 2020, which was then passed on to the DPC on 14 October 2020. In this, the data subject did not accept that Airbnb had erased his data and questioned why Airbnb erased his data immediately after his access request before he could review their response to it.

The DPC notified Airbnb of the data subject’s complaint from 3 August 2020 and requested a further response from Airbnb. On 9 December 2020, Airbnb responded mainly reiterating its submissions made on 27 May 2020. The DPC communicated this response from Airbnb to the data subject via the Berlin DPA on 24 March 2021. On 13 July 2021, the data subject reiterated his dissatisfaction with Airbnb’s response of 9 December 2020.

On 22 December 2022, acting in its capacity as the lead supervisory authority the DPC commenced an inquiry into the matter on the following issues:

  • Issue 1: Whether Airbnb’s provision of the personal data and information concerning the processing of that personal data in response to the Complainant’s [data subject’s] access request was compliant with the GDPR and the Act [the Data Protection Act 2018].
  • Issue 2: Whether Airbnb’s handling of the Complainant’s access request was compliant with the GDPR and the Act insofar as the information provided to the Complainant was in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
  • Issue 3: Whether Airbnb’s handling of the Complainant’s erasure request was compliant with the GDPR and the Act.
  • Issue 4(a): Whether Airbnb’s obligation to provide information on action taken in response to the access and erasure requests without undue delay pursuant to Article 12(3) GDPR was suspended until after the verification of the Complainant’s identity by phone call on 31 July 2018.
  • Issue 4(b): Whether Airbnb had a lawful basis for requesting a copy of the Complainant’s ID, and upon the Complainant’s refusal to provide same, whether Airbnb had a lawful basis to thereafter request a telephone call in order to verify the Complainant’s identity in circumstances where he had submitted a request for access and erasure pursuant to Articles 15 and 17 GDPR.

The DPC did not consider the two erasure requests made in 2015 as they were made prior to the application of the GDPR. The DPC came to a decision on the above issues on 20 July 2023.

Holding

Issue 1: Whether Airbnb’s provision of the personal data and information concerning the processing of that personal data in response to the Complainant’s access request was compliant with the GDPR.

Article 15 GDPR confers a right of access upon the data subject. This right provides that a data subject has the right to obtain a copy of the personal data undergoing processing from the controller. The DPC noted that certain information was withheld form the data subject, such as the sources form where his data had been obtained and the legal bases to processing. Only following the DPC’s intervention did Airbnb provide the Complainant with the additional information. The DPC found that Airbnb’s incomplete response to the data subject’s access request constituted a violation of Article 15(1) GDPR.

Issue 2: Whether Airbnb’s handling of the Complainant’s access request was compliant with the GDPR insofar as the information provided to the Complainant was in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Article 12(1) GDPR obliges controllers communicating information to data subjects under Articles 13 – 22 GDPR to convey it in a “concise, transparent, intelligible and easily accessible form using clear and plain language.”

Some of the information provided to the data subject by Airbnb, in response to his access request, was in English even though the original request was made in German. Moreover, the email responding to the access request contained unsorted table columns with incomprehensible column headings. The DPC held that this response was an infringement of Article 12(1) GDPR, as the data provided was not conveyed in a transparent manner. The presentation of the data was difficult to understand and provided in a different language to that of the original request.

Issue 3: Whether Airbnb’s handling of the Complainant’s erasure request was compliant with the GDPR.

Article 17 GDPR establishes the right to the erasure of a data subject’s personal data. The DPC found that the data subject submitted a valid request for erasure on 6 July 2018, but that only 22 months later did Airbnb address the erasure requests (email of 27 May 2020). The DPC reaches no conclusion as to Article 17 GDPR, but considers the delay to the response in issue 4(a) below.

Issue 4(a): Whether Airbnb’s obligation to provide information on action taken in response to the access and erasure requests without undue delay pursuant to Article 12(3) GDPR was suspended until after the verification of the Complainant’s identity by phone call on 31 July 2018.

Article12(3) GDPR provides that requests made to controllers under Articles 15-22 GDPR must be responded to within a month. The data subject submitted both his access and erasure requests on 6 July 2018, the erasure request was undertaken by Airbnb on 29 August 2018, but it was only communicated to the data subject on 27 May 2020. A period of over 22 months had elapsed between the lodging of the erasure request and the date on which Airbnb communicated information to the data subject on the action it had taken in relation to it.

In relation to this, the DPC asked whether Airbnb’s obligation to provide information without undue delay pursuant to Article 12(3) GDPR was suspended for the purposes of Article 12(3) GDPR until after the verification of the Complainant’s identity by phone call on 31 July 2018. The DPC in response to the above question, adopted the EDPB’s position on the matter (EDPB Guidelines 01/2022 on data subject rights – Right of access). These guidelines state that the time limit under Article 12(3) starts once the controller has received a request under Article 15 GDPR, but if the controller is uncertain whether the person making the request is the data subject, there is a suspension in the Article 12(3) GDPR time limit until the controller has verified the identity of the person making the request, “provided the controller has asked for additional information without undue delay…” Consequently, the request for further information is subject to the Article 12(3) GDPR time limitations.

The DPC found that the suspension of the Article 12(3) GDPR was applicable in this instance. Nonetheless, Airbnb was in breach of Article 12(3) GDPR regardless, because even after having verified the identity of the data subject, it still surpassed the time limit in communicating the outcome of the data subject’s erasure request.

Issue 4(b): Whether Airbnb had a lawful basis for requesting a copy of the Complainant’s ID, and upon the Complainant’s refusal to provide same, whether Airbnb had a lawful basis to thereafter request a telephone call in order to verify the Complainant’s identity in circumstances where he had submitted a request for access and erasure pursuant to Articles 15 and 17 GDPR.

Article 5(1)(c) GDPR establishes the principle of data minimisation, meaning that data processing must be limited to what is necessary in relation to the purposes of processing. The DPC found that the initial request to verify the data subject’s identity with a copy of his ID was an infringement of Article 5(1)(c) GDPR, as less invasive means of identity verification (ie., telephone call) were available to Airbnb.

The DPC found therefore, that there was no lawful basis for requesting a copy of the data subject’s ID, but found that the telephone call “was a proportionate and appropriate form of contact … to verify the authenticity of the access and erasure requests.”

Remedial Actions Taken

Despite the numerous GDPR infringements, the DPC found that issuing an administrative fine “would not be necessary, proportionate or dissuasive,” and instead issued a reprimand to Airbnb pursuant to Article 58(2)(b) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.