Lithuanian Data Protection Authority Fines Vinted €2.4 Million for GDPR Violations

On July 2, 2024, the State Data Protection Inspectorate (SDPI) of Lithuania imposed a substantial fine of €2,385,276 on Vinted, UAB, the company behind the popular online second-hand clothing trading platform "Vinted". The penalty comes after an investigation into complaints forwarded by French and Polish supervisory authorities in 2021 and 2022.

The SDPI found Vinted in violation of several key provisions of the General Data Protection Regulation (GDPR). Specifically, the company was found to have infringed Article 5(1)(a) (principles of lawfulness, fairness, and transparency), Article 5(2) (principle of accountability), and Articles 12(1) and 12(4) (transparent information, communication, and conditions for exercising data subject rights).

The investigation revealed that Vinted had improperly handled user requests regarding the right to erasure ('right to be forgotten') and the right of access. The company was found to have rejected deletion requests when users failed to cite specific grounds under Article 17 of the GDPR, without providing full explanations for continued data processing.

Moreover, Vinted was discovered to be employing a practice called 'shadow blocking', where it processed personal data of users suspected of violating platform rules without their knowledge, intending to make them leave the platform. This practice was deemed to violate principles of fairness and transparency.

The SDPI also noted that Vinted failed to implement sufficient technical and organizational measures to demonstrate compliance with the principle of accountability, particularly in relation to handling right of access requests.

In determining the fine, the SDPI followed the European Data Protection Board's Guidelines on calculating administrative fines under the GDPR. Factors considered included the cross-border nature of Vinted's data processing, the large number of affected data subjects, and the extended duration of the infringements.

The decision was reached after a closed hearing with representatives from both the SDPI and Vinted present. Given the international nature of the complaints, the decision was coordinated with data protection authorities from Germany, France, Poland, the Netherlands, and Spain under the GDPR's 'one-stop shop' principle.

Vinted has the right to appeal the decision to the Administrative Court of the Regions within one month of receiving the decision.
