05.07.2024

Fine for the sales platform Vinted

On 2 July 2024, the Lithuanian Data Protection Authority imposed an administrative fine of more than €2.3 million on Vinted UAB, the operator of a sales platform and associated application that allows users to sell and buy second-hand clothes.

The proceedings in the case of Vinted were initiated by the State Data Protection Inspectorate (the Lithuanian supervisory authority) following complaints forwarded to it by the DPA in 2021 and 2022. In their complaints, users of the sales platform alleged that the company did not fulfil their requests related to the right to be forgotten (Article 17 GDPR) and the right of access to data (Article 15 GDPR).

The Polish users of the service pointed out that although registering on the site is simple, withdrawing funds collected for items sold there is complicated and requires a lot of personal data. Among other things, the company requires a scan of an identity card. If the user did not provide those data, the funds accumulated by him/her from the sale of clothes were blocked and their withdrawal was impossible.

The Vinted company informed the persons who requested their data to be deleted that it would not take any action in their case, as the requests made by them lacked the indication of ‘specific grounds’ in accordance with the wording of Article 17 of the GDPR. The State Data Protection Inspectorate also found that the company, in its response to the complainants' requests, did not specify all the purposes for which the complainant's data, to a certain extent, were still to be processed.

When investigating the case, the Lithuanian authority also found that the company, in order to ensure the security of the platform and its users, unlawfully applied ‘shadow blocking’, i.e. not informing the user who allegedly violated the platform's rules about the further processing of his/her personal data, despite the intention to remove him/her from the platform. In the view of the supervisory authority, this type of practice constituted a breach of the principles of fair and transparent data processing, which negatively affected other rights of the platform users and the possibility to assert them.

The company has also failed to implement adequate technical and organisational measures to comply with the requirements related to the implementation of the accountability principle in order to be able to demonstrate that it has taken or reasonably refused to take action based on a right of access request.

Given that the case also involved citizens of other member states, data protection authorities from Poland, France, the Netherlands and Spain were also involved in the decision.