On July 2, 2024, the Lithuanian Supervisory Authority (SA) issued a decision to fine Vinted, UAB, €2,385,276 for multiple violations of the General Data Protection Regulation (GDPR). This decision followed an investigation initiated by complaints from Vinted platform users in France and Poland, forwarded by their respective national SAs in 2021 and 2022.
The decision was based on the European Data Protection Board’s Guidelines 04/2022 on the calculation of administrative fines under the GDPR. Factors influencing the fine amount included the cross-border nature of Vinted’s data processing activities, the large number of affected data subjects, and the prolonged duration of the infringements.
The Lithuanian SA identified several GDPR infringements by Vinted:
Right to Erasure: Vinted inadequately responded to data erasure requests, refusing action unless users cited a specific reason under Article 17(1) GDPR and failing to specify all purposes for continued data processing.
Right of Access: Vinted did not properly address users’ requests for access to their personal data, violating fairness and transparency principles.
Shadow Blocking: Vinted unlawfully processed data through “shadow blocking,” forcing users to leave the platform without their knowledge, violating Article 6(1) GDPR.
Accountability: Vinted failed to implement the accountability principle required by Article 5(2) GDPR, showing deficiencies in its internal data protection measures.