Ireland: Issues DPC investigation into Airbnb for unlawful data collection

On 21 June 2023, the Irish Data Protection Commission (DPC) issued a ruling following its investigation into Airbnb following a complaint that the company had illicitly requested a copy of the complainant's identification (ID) to validate their identity. The DPC found that Airbnb’s retention infringed the principles of data minimisation and the principle of storage limitation of the GDPR. The DPC ordered Airbnb to delete from all of its systems and records the complainant’s identity documents that the complainant attempted to upload and that the complainant uploaded. It also ordered the company to revise its internal policies and procedures concerning user identity verification.