Ireland: Issued DPC ruling in Investigation into Airbnb regarding alleged violation of the GDPR

On 14 September 2023, the Irish Data Protection Commission (DPC) issued a decision concerning a complaint filed against Airbnb Ireland UC (Airbnb) regarding allegations against Airbnb's breach of GDPR obligations. The concerns focused on Airbnb's failure to adequately fulfil an erasure request, the improper retention of personal data, non-compliance with the data minimisation principle, and a violation of transparency and information provision principles. The DPC determined that Airbnb appropriately relied on Article 6(1)(f) as the lawful basis for retaining the complainant’s personal data and validly relied on Article 17(1)(e), finding no infringement when restricting the complainant’s right of erasure. However, the DPC identified a breach of Article 12(4) of the GDPR concerning Airbnb's handling of the erasure request. Airbnb failed to promptly inform the complainant of the reasons for not taking action within one month and neglected to highlight the option to lodge a complaint or seek judicial remedies. Consequently, the DPC issued a reprimand to Airbnb Ireland UC, in accordance with Article 58(2)(b) of the GDPR.