DPC (Ireland) - IN-21-3-1
| DPC - IN-21-3-1 | |
|---|---|
 | |
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 4 GDPR Article 5 GDPR Article 6 GDPR Article 12 GDPR Article 15 GDPR Article 17 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 25.03.2021 |
| Decided: | 14.09.2022 |
| Published: | 16.01.2023 |
| Fine: | n/a |
| Parties: | Airbnb Ireland UC |
| National Case Number/Name: | IN-21-3-1 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | DPC (in EN) |
| Initial Contributor: | LR |
The Irish DPA found Airbnb Ireland UC’s request for photo ID, in order to process a data subject’s erasure request, to be unlawful.
English Summary
Facts
This case concerns two requests from an Airbnb customer (the data subject) to Airbnb Ireland UC (the controller); an access request under Article 15 GDPR and an erasure request under Article 17 GDPR. Regarding the erasure request specifically, when the complainant submitted the request on 17 August 2019, they were asked to verify their identity by providing a copy of their photographic ID. After the complainant refused to provide a copy of their ID, the controller offered them the alternative option of logging into their account to verify their identity. Once the complainant had logged in to confirm their identity, Airbnb advised them that it had initiated their request and, on 24 October 2019, confirmed that the relevant data had been deleted.
The complainant raised a number of issues regarding the handling of their requests by Airbnb. Firstly, there was no lawful basis for requesting a copy of the complainant’s ID for the right to erasure request. Secondly, the complainant alleged that Airbnb failed to properly respond to the erasure request. Thirdly, the controller failed to respond to the access request.
The complaint was originally filed with the Berlin DPA, who referred the case to the Irish DPA under article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR.
Responding to the first issue (lawfulness of ID request), Airbnb initially noted that merely a “request” to provide ID cannot be considered “processing” within the meaning of Article 4(2) GDPR, as “receipt of or access to” the relevant personal data is required. Furthermore, Airbnb stated that its identity verification procedures are in place to protect the Airbnb platform and its users, in doing so they stressed the risk of fraudulent activity, and stated there is evidence that bad actors use GDPR requests to do harm, deceiving the platform and its users. As such, photo ID verification is a reliable form of proof of identity and a secure authentication method to combat these risks. Accordingly, the collection of this data is lawful in accordance with the “legitimate interest” basis in Article 6(1)(f) GDPR.
With regards to the handling of the erasure request itself, the second issue, Airbnb advised that the deletion of an account is a highly technical process, and it could not confirm the exact date this process was completed. However, it was later confirmed that Airbnb emailed the complainant on 24 October 2019 confirming the deletion of the complainant’s personal data.
On the third issue (the access request), Airbnb advised that a review of the documentation indicated that the request was received by Airbnb on 24 October 2019, however this was “regretfully mishandled/misinterpreted” by one of their agents. This was brought to their attention when the complainant followed up on the request on 8 November 2019, however, by this point the account had been deleted and the controller was only able to provide a “post-deletion access file” on 17 July 2020.
Holding
Following its examination and assessment of the complaint, the DPC held as follows.
Regarding the first issue (whether the controller had a lawful basis for the ID request) the DPC stated that, firstly, making photographic ID a mandatory requirement for submitting an erasure request does constitute processing for the purposes of Article 4(2) GDPR. In addition, while the processing of photo ID may be required in some circumstances, Airbnb did not demonstrate that the ID request was either proportionate or necessary in the context of an erasure request. Therefore, it could not be considered that a “legitimate interest” exists for the processing of data and so the controller had infringed Article 6(1) GDPR, in addition to violating the principle of data minimisation in Article 5(1)(c) GDPR.
Concerning the second issue of the controller’s handling of the erasure request, the DPC advised that, once the complainant verified their identity by logging into their account on 2 September 2019, the erasure of the account was commenced the same day and confirmed to have been completed on 24 October 2019. Accordingly, there was no undue delay in handling the request for erasure and the controller did not infringe upon Article 17(1) GDPR.
Finally, the DPC addressed the controller’s obligations under article 12 GDPR regarding both the handling of the erasure and access request. The DPC found no violation regarding the erasure request. However, they found that a considerable delay arose between the date in which Airbnb received the access request on 24 October 2019 and the supply of the post-deletion access file on 17 July 2020, contrary to the requirement to comply with the request within a period of one month (Article 12(3)). Accordingly, the controller infringed Article 12(3) GDPR with respect to its handling of the access request.
Regarding the exercise of corrective powers, the DPC considered the imposition of an administrative fine in accordance with the factors set out in Article 83(2) GDPR. They concluded that a fine would not be necessary, proportionate or dissuasive and that the delay in handling the access request did not arise due to a systemic set of issues but was particular to the circumstances of the case. Accordingly, the DPC did not administer a fine, and instead, made an order requiring Airbnb to bring its activities into compliance with the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
An
Coimisidn
um
Chosaint
SonraiData
Protection
Commission
basis,
the
draft
decision
of
the
DPC
in
relation
to
this
complaint
was
transmitted
to
each supervisory
authority
in
the
EU
and
EEA
for
their
opinion.
Complaint
Handling
by
the
DPC
—
Timeline
and
Summary
1.
The complaint
was
initially
lodged
with the
Berlin
DPA
and thereafter
transmitted
to
the
DPC,
on 06
March
2020,
via
the
IMI
to
be
handled
by
the
DPC
in
its
role aslead
supervisory
authority.
The
complainant
alleged
that
Airbnb
failed
to
properly
respond
to
an
erasure
request
submitted
by
them,
via
email
on
17
August
2019,
pursuant
to
Article
17
of
the
GDPR.
Further,
the
complainant
stated
that
when
they
submitted
their
request
for
erasure,
Airbnb
requested
that
they
verify
their
identity
by
providing
a
photocopy
of
their
identity
document
(“ID”),
which
they
had
not
previously provided
to
Airbnb.
The
complainant
refused
to
provide
a
copy
of
their
ID
and
Airbnb
then
provided
them
with the
option
of
logging
into
their
account
to
verify
their identity.
Upon
logging
into
their
account
to
verify
their identity,
Airbnb
advised
the
complainant
that
it
had
initiated their
deletion
request
and.would
delete
all
data
to
the
extent
that
GDPR
permits
or
requires
Airbnb
to
retain
data.
On
24
October
2019,
Airbnb
confirmed
to
the
complainant
that their
personal
data had
been
deleted
pursuant
to
Airbnb’s obligations
under
the
GDPR.
2.
The
complainant
also
alleged
that
they
submitted
an
access
request
to
Airbnb,
via
email
on
02
September
2019,
pursuant
to
Article
15
of
the
GDPR,
to
which
they
received
no
response.
3.
The
DPC
notified
Airbnb
of
the
complaint
by
way
of
letter
on 08
June 2020
and
provided Airbnb
with
a
copy
of
the
complaint.
4.
Airbnb
reverted
to
the
DPC
confirming
that
the
complainant's account
had
been
deleted.
Airbnb advised
the
DPC
that the
complainant
had
requested
that their
account
be
deleted and
was asked
by
Airbnb
to
verify
their
identity
by
providing
ID,
in
accordance
with
its
identity
verification
procedures,
further details
of
which
it
advised,
are
set
out
in
its
“Help
Centre”
article.
Airbnb
stated
that the
complainant
raised
concerns
with
providing
a
copy
of
their
ID
and
so
its
community
support
agents
verified the
complainant's
identity
using
an
alternative verification
method,
namely
having
the
complainant
log
in
to
their
Airbnb account. Airbnb informed
the
DPC
that,
once
their identity
was
verified,
its
agents
notified the
complainant
that
their
deletion
request was
being
processed
and
also
that
certain data
may
be
retained:
“Airbnb
will
delete your personal
data,
except
to
the
extent
GDPR
permits
or
requires
us
to
retain that data. For example, we retain data that
is
necessary
for
An
Coimisiin
um
Chosaint
Sonrai
Data
Protection
Commission
complying with laws to which we are subject, for exercising the right of freedom of
expression and information (such as the content overviews [sic]), and for the
establishment, exercise or defence of legal claims (such as Information relating to
user disputes)”
In addition, Airbnb stated that it informed the complainant that they would not
receive any further emails from Airbnb.
Airbnb advised
the
DPC
that
subsequent
to
this,
the
complainant
emailed
Ajirbnb
on
24
October
2019
requesting
access
to
their
personal
data
retained
post-
deletion,
contrary
to
the
complainant’s
assertion
they
submitted
their
access
request
on
02
September
2019.
Airbnb advised
the
DPC
that,
regretfully,
the
complainant's
request
was
not
escalated
to
the
relevant
team.
Similarly,
when
the
complainant
emailed
Airbnb’s
community
support
team
on 08
November
2019,
the
agent
did
not
link
the
request
to
any
particular
account
as
the
complainant's
account
had
already
been
deleted.
Airbnb
advised
the
DPC
that
it
was
investigating
the
cause
of
this
oversight
and
would
like
to
offer
its
apologies
to
the
complainant
for
the
inconvenience caused
by
this
error.
Airbnb advised
the
DPC
that
it
was,
at
that
time,
processing
the
complainant's
access
request
post-deletion.
In an attempt to facilitate the amicable resolution of the complaint, the DPC
reverted to the complainant advising them that the DPC had communicated with
Airbnb on this matter. The DPC advised the complainant that Airbnb stated that
their account, and associated personal data (including phone recordings), had
been erased to the extent required by GDPR as they had verified their identity by
way of logging in to their Airbnb account, and that no further personal data wasprovided
for
this
purpose.
The DPC advised the complainant that, regarding their access request, which was
made after the erasure of their account, Airbnb informed the DPC that this request
would be processed and issued to them directly by email and that they should have
now received this correspondence. The DPC informed the complainant that Airbnb
had noted that this request was not initially processed as the account had already
been erased and that Airbnb has apologised for this and provided the below
explanation:
{RE
mailed Airbnb
on 24
October 2019 requesting access
to
her
personal
data
retained post-deletion. Regretfully,
this
request was
not
escalated
to
the
relevant
team. Similarly,
wherlfjemailed
our
community
support team
on
8
November2019,
the
agent
did not
link the
request
to
any particular
account
as{js
account
An
Coimisiun
um
Chosaint
Sonrai
Data
Protection
Commission
26.With
regard
to
its
response
to
the
complainant's
erasure
request,
Airbnb
advised
that
a
review
of
the
documentation
provided
with
the
complaint
by
the
DPC
in
June
2020
indicates
that
the
erasure
request
was
received
by
Airbnb
on
17
August
2019.
Airbnb
noted
that
the
documentation
provided
with
the
complaint
by
the
DPC
contained
a
copy
of
an
email from
Airbnb
to
the
complainant
dated
17
August
2019,
confirming
receipt
of
the
deletion
request
and
setting
out
the
required
authentication
steps
for
the
complainant.
Airbnb
stated
that the
request
was
ultimately
authenticated
by the
complainant
on
2
September
2019
(and
provided
the
below
screenshot
of
the
relevant
extract
from
its
records).
27.With
regard
to
the
DPC’s
request
for
clarification
as
to
the
date
the
complainant's
erasure request
was completed
and
all
data
was
deleted,
Airbnb advised
that the
deletion
of
an
Airbnb
account
is
a
highly
technical
process
that
involves
a
number
of
stages
/
phases.
Airbnb advised
that the
length
of
time
it
takes
to
delete
an
account
in
its
entirety
is
dependent
on
a
number
of
variables, including
the
volume
and nature
of
the
data
on
the
account
as well as
confirmations
from various
internal
teams
that
certain
additional data
is
not
required
to
be
held
for
legal
or
regulatory
reasons. Airbnb
stated
that
it
informed
the
complainant
of
this fact:
“Please
note
that the
deletion
process
itself
happens
over
a
period
of
time
acrossour
systems.
We
are not
able
to
confirm
the
exact
date
on
which
the
deletion
process
for
any
given
request
completes”28.Airbnb
stated
that,
in
the
context
of
the
complaint, Airbnb
could
not
confirm from
its
records
when
the
deletion
process was completed.
Airbnb
stated
that
separate
deletion
processes
are
in
place
for
phone
call
recordings, which
are
automatically
deleted
on
a
cyclical basis,
unless Airbnb
is
required
to
retain
these recordings
for
specific
reasons. Airbnb advised
that,
as
confirmed
by
Airbnb
in its
response
to
the
DPC
dated
22
June 2020
in
respect
of
the
underlying complaint,
all
phone
recordings
in
respect
of
the
complainant
had
been deleted
by that point
in
time.
29
30.
31.
32.
An
Coimisign
um
Chosaint
Sonrai
Data
Protection
Commission
.With regard to the complainant’s access request, Airbnb advised that a review of
the
documentation
provided
with
the
complaint
by
the
DPC
in
June
2020
indicated
that the
complainant's access
request
was
received
by
Airbnb
on 24
October
2019.
Airbnb
noted
that
the
documentation
provided
with
the
complaint
by
the
DPC
contains
a
copy
of
the
request
from
the
complainant
to
Airbnb dated
24
October
2019.
Further,
Airbnb
stated
that
a
review
of
the
documentation
provided
with
the
complaint
by
the
DPC
in
June 2020
indicated
that
one
of
Airbnb’s
agents
responded
to
the
complainant
on
24
October
2019
but
mishandled
/
misinterpreted
the
complainant's
request.
Airbnb
noted
that the
documentation
provided
with
the
complaint
by the
DPC
contained
a
copy
of
this
response
dated
24
October
2019.
Airbnb
advised
that
these issues
were
outlined
in
its
response
to
the
DPC
dated
22
June
2020
in
respect
of
the
complaint
handling process,
with the
relevant
extracts
set
out
below
for
ease
of
reference:
“Subsequently,
emailed
Airbnb
on
24
October 2019 requesting
access
to
her
personal
data
retained
post-deletion.
Regretfully,
this
request
was
not
escalated
to
the
relevant
team.
Similarly,
when
mailed
our
community
support
team
on
8
November
2019,
the
agent
did
not
link
the
request
to
any
particular
account
as
W's
account
had
already
been
deleted.
We
are
investigating
the
cause
of
this
oversight
and would
like
to
offer
our
apologies
toM—
for
the
inconvenience
caused
by
this
error.
As stated
above,
we
are
processing
is
access
post-
deletion
request
now
and
will
send
it
to
her
by
email
at
f
Airbnb
stated
that
it
provided
the
complainant
with the
post-deletion
access
file
on
17
July
2020.
However,
as the
account
had
been
deleted,
Airbnb’s investigations
into
the
issues
that
resulted
in
the
mishandling
of
the
post-deletion
access
request
have
not
yielded
further
insight
into
what
transpired.
The
DPC
received
a
response
from
the
complainant
via
the Berlin
DPA
on 19
July
2021.
In
their
response,
the
complainant confirmed
that
they
were agreeable
to
all
information
that
they had
previously provided
in
the
context
of
the
complaint
handling
process
being
used
for
the
purposes
of
the Inquiry.
In_
their
correspondence
the
complainant
informed
that
DPC
that
they
did
not
provide
a
copy
of
their
ID
to
Airbnb
for
identification
purposes. The
complainant
also
provided
a
number
of
correspondence
they had
exchanged
with
Airbnb.
The
DPC
reverted
to
Airbnb
via
email
on 24
January
2022. The
DPC
advised
Airbnb
that,
in
addition
to
the
issues previously
notified
to
Airbnb
in
its
Commencement
Notice,
the
following issue
was
also
deemed
to
form
part
of
the
Inquiry under, and
in
accordance
with,
Section 110(1)
of
the
Data Protection
Act,
2018:
10
33.
An
Coimisiin
um
Chosaint
SonraiData
Protection
Commission
d)
Whether
Airbnb
has
complied
with
its
obligations
in
accordance
with
Article
12
of
the
GDPR
with
respect
to
its
handling
of
the
complainant's erasure
request
and
access
request.
The
DPC
also
posed
a
number
of
queries
relating
to
the
issues
outlined
in
the
Scope
of
the Inquiry.
Airbnb
responded
via
letter
dated
07
February
2022.
With
regard
to
the
DPC’s
request
for
a
copy
of
Airbnb’s
Terms
of
Service,
Privacy
Policy
and
supplemental
Privacy
Policy
that
were
in
place
in
January 2018
when
the
complainant
created
their
account
where
it
notified
the
complainant
that
Airbnb
required
that
users
provide
a
copy
of
the
government
issued
ID
in
order
to
verify
their identity,
Airbnb
provided
the
DPC
with
copies
of
the
Terms
of
Service
and Privacy
policy
that
were
in
place
in
January
2018.
34.Airbnb
advised
that
Section
2
of
its
Terms
of
Service
describes
Airbnb’s
identity
35.
36.
verification
practices and
that
Section
2.3
states
that
“Airbnb
may make
the
access
to
and
use
of
the
Airbnb
Platform,
or
certain
areas
or
features
of
the
Airbnb
Platform,
subject
to
certain
conditions
or
requirements,
such
as
completing
a
verification
process”.
Further,
Airbnb
advised
that
Section
2.4
of
its
Terms
of
Service informs users
that
Airbnb
may
“ask
Members
to
provide
a
form
of
government
identification
or
other
information
or
undertake
additional
checks
designed
to
help
verify
the
identities
or
backgrounds
of
Members”.
Airbnb
stated
that
its
Privacy
Policy
also
contained
a
number
of
disclosures
around
identity
verification,
such
as
Section
1.1
which
states
“Other
Authentication-
Related
Information.
To
help
create
and maintain
a
trusted
environment,
we
may
collect
identification
(like
a
photo
of
your
government-issued
ID) or
other
authentication
information.
To
learn
more,
see
our
Help
Center
[sic]
article
about
providing
identification
on
Airbnb”. Further,
Airbnb advised
that
Section
2.2
of
its
Privacy
Policy
describes
practices
deployed
to
“Create
and Maintain
a
Trusted and
Safer
Environment”,
including steps
to
“Verify
or
authenticate information
or
identifications
provided
by
you”.
Airbnb
stated
that
these disclosures
form
part
of
a
series
of
disclosures,
throughout
the
various
iterations
of
its
Terms
and Privacy
Policies,
which
inform users about
identity verification.
In
response
to
the
DPC’s
request
that
Airbnb
clarify
how
its
records
indicate
that
the
complainant
had previously
uploaded
a
copy
of
their
|D
document
shortly after
joining
the
platform, Airbnb provided
the
DPC
with
a
redacted
extract
of
the post-
deletion
access
file.
Airobnb
advised
that the
redacted
extract
contains
a
log
entry
(Figure
2
below)
-
originally
included
at
row 73
in
the
Security Data
tab
of
the
access
file
-
which indicates
that
a
government
ID
was uploaded
to
the
11
