DPC (Ireland) - Inquiry into Airbnb Ireland UC - 14 September 2023

From GDPRhub
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(f) GDPR
Article 12(4) GDPR
Article 17(1) GDPR
Article 17(3)(e) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 07.10.2022
Decided: 14.09.2023
Published: 11.10.2023
Fine: n/a
Parties: Airbnb Ireland UC
National Case Number/Name: Inquiry into Airbnb Ireland UC - 14 September 2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: co

The DPC found that Airbnb Ireland UC lawfully retained the complainant's personal data after an erasure request, as it was necessary for the establishment, exercise or defence of legal claims under Article 17(3)(e) GDPR.

English Summary

Facts

In 2018, a data subject asked Airbnb Ireland UC, the controller, to delete all personal data relating to him and then submitted that he wished to withdraw his consent for the storing, using and sharing of his personal data processed by the controller. The only response of the controller was that it would delete his personal data unless it was allowed or required to retain such data under the GDPR, and that this may take a long time. The data subject never received any further updates on his deletion request.

The data subject initially filed a complaint with the Cypriot DPA in December 2018 against the controller for failing to comply with his erasure request, for unlawfully retaining his data and for failing to comply with the principle of data minimization and transparency in relation to its obligation to provide information to the data subject. In its capacity as concerned Supervisory Authority, the Cypriot DPA transferred the case to the Irish DPC as Lead Supervisory Authority in March 2019, which decided on the case in accordance with Article 60 GDPR.

In its submissions to the DPC, the controller stated that it was aware that the complainant ran eight accounts on its platform and that his accounts were suspended after it learned that he had assaulted a guest in November 2018, as evidenced by a police record provided by the guest. The controller justified its decision not to comply with the data subject’s erasure request of December 2019 by stating that such data could potentially be used in criminal or civil proceedings on the assault involving the data subject and potentially the controller too. In the controller’s view, this is allowed under Article 17(3)(b) GDPR and Article 17(3)(e) GDPR, as the information was kept for legal compliance purposes; it complies with the principles of processing of Article 5 GDPR; and it rests on Article 6(1)(f) GDPR, as the controller has a legitimate interest in keeping its platform safe.

In a further submission by the complainant to the DPC, he asserted that the controller still did not comply with his erasure request and failed to provide him with updates on the status of his request. Further, he provided additional information on the assault, stating that the incident occurred in his relationship with a guest that did not book through the complainant’s Airbnb account, but through his father’s account and that the assault was being investigated by Cypriot officials. Also, following the incident the complainant did not have access to his Airbnb accounts and when trying to create a new account he was informed that he could not use the website based on data relating to him retained by the controller. After the data subject refused to seek an amicable solution with the controller, the DPC as Lead Supervisory Authority started handling the issues raised in the complaint.

Holding

After reaching a preliminary decision on the matter, the DPC sent it to all the Supervisory Authorities concerned, that is, every EU Supervisory Authority, as the controller offers services and targets users in all EU Member States. Since no objection was raised, the DPC adopted its decision on the basis of Article 60 GDPR.

In its holding, the DPC first assessed whether the controller had a lawful basis for processing the complainant’s personal data when he had requested his data to be erased under Article 17(1) GDPR. In this respect, the DPC underlined the fact that the controller had known about the incident but never received a formal notice from the police or law enforcement asking it to retain information about the data subject. It had, however, been advised by legal counsel to do so. The DPC thus assessed whether the controller had a legitimate interest under Article 6(1)(f) GDPR to retain each of the complainant’s eight accounts, including identity, financial and tax information about him, after his deletion request. To do so, the DPC carried out the three-step test needed to establish the legitimacy of the interest pursued. First, the DPC held that a legitimate interest is given, as it is stated in the controller’s LIA document that it has an interest in preserving the integrity of police investigations, in protecting itself from liability and in keeping the platform safe. Secondly, the DPC held, with respect to necessity, that the controller rightfully stated that, in light of Cypriot legal advice, it should retain account information until expiration of the Cypriot statutory limitation period of 6 years in order to serve the interests stated above. Last, the DPC carried out a balancing of interests between those of the controller and the fundamental rights of the data subject, and it concluded that the controller’s interest in keeping the data until expiration of the statutory limitation period, in particular given the safety concerns related to the incident, is not overridden by the data subject’s fundamental rights and freedoms. The DPC thus held that the controller validly relied on Article 6(1)(f) GDPR as a legal basis for retaining the data subject’s personal data.

Further, the DPC considered whether the controller failed to comply with the data subject’s request of erasure of his personal data under Article 17 GDPR. The DPC held that the controller had successfully demonstrated that Article 17(1) GDPR does not apply in this case, as the processing is necessary for the establishment, exercise or defence of legal claims, as stipulated in Article 17(3)(e) GDPR. Thus the controller lawfully restricted the right of the data subject to erasure of his personal data.

Moreover, the DPC assessed the controller’s compliance with the principle of data minimization of Article 5(1)(c) GDPR. In fact, the controller retained all data relating to all accounts of the data subject on the basis of legal advice by the Cypriot lawyer that it would need to retain a broad set of evidence. The DPC found that given the serious circumstances of the incident involving the data subject, the controller did not infringe the principle of data minimization by retaining the complainant’s personal data from all his accounts.

Lastly, the DPC analysed the controller’s compliance with the principle of transparency under Article 5(1)(a) GDPR combined with the data subject’s right to information of Article 12 GDPR. The DPC noted that, as submitted by the parties, the controller failed to keep the data subject updated on the reasons for not complying with his deletion request and to inform him about his right to file a complaint or obtain a judicial remedy. In this, the DPC held, the controller infringed Article 12(4) GDPR by failing to duly inform the data subject.

In light of its findings, the DPC decided to issue a reprimand to the controller pursuant to Article 58(2)(b) GDPR.

Further Resources

Data Protection Commission: Inquiry into Airbnb Ireland UC - September 2023

Data Protection Commission: Inquiry into Airbnb Ireland UC - September 2023 - Full Decision PDF

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.