In late July 2023 the Irish Data Protection Commission (Irish DPC) published the results of its inquiry into Airbnb Ireland’s (Airbnb) handling of a data subject access and erasure request. This was a cross-border matter and so was considered by other regulators; however, unlike a few recent decisions, this reprimand was agreed by all concerned.
The Irish DPC found that Airbnb had failed to comply with its obligations under a number of GDPR provisions when dealing with the data subject rights request, stating that:
- Asking for an ID document (to identify the requestor, in circumstances where, prior to this, no such document had been submitted to Airbnb) was a breach of the data minimisation principle. The Irish DPC stated that there were “less data-driven solutions” for the identification of the individual and Airbnb did not have a legitimate interest in requesting the ID.
- Airbnb breached right of access provisions by failing to provide access to all of the individual’s data.
- Airbnb breached transparency obligations by failing to provide an “access file that was of a concise, transparent, intelligible and easily accessible form.”
- Airbnb failed to meet the timelines set out in the GDPR for responding to data subject rights requests.
Airbnb were not issued with a fine in this instance, but the reputational damage from a published reprimand should not be underestimated, particularly in the case of a high-profile consumer organisation.
When reading the decision, it is clear that there was a communication/customer relations issue. This issue started in 2015 and there were arguably points at which Airbnb might have been able to turn it around and perhaps avoid a doubtless expensive and time-consuming inquiry and consequential reprimand, as well as the potential accompanying reputational damage.
It seems the initial request was caught by a spam filter as the request was only in the subject line of the email (with no text in the body of the email). Airbnb failed to communicate in relation to the erasure request (although it appears they did take steps to fulfil it); they did not provide a full set of data, and what they did provide had a cover letter in English (the data subject was German) and contained “unsorted table columns with incomprehensible column titles”. This reinforces the importance of clear communication and ensuring that complaints/frustrations expressed in relation to data subject rights requests are given due time and attention to help prevent escalation of the issues in question.
If you would like to review your data subject rights request procedures, please get in touch with your usual contact or email the team on firstname.lastname@example.org