On July 2, 2024, the Lithuanian State Data Protection Inspectorate (SDPI) imposed a fine of €2,385,276 on Vinted UAB for violating the General Data Protection Regulation (GDPR) following data subject complaints. Vinted is a popular online second-hand clothing trading platform, operating in many European countries.
Background to the decision
The Lithuanian watchdog SDPI examined complaints it received from the French data protection authority (CNIL) and the Polish data protection authority (UODO) in 2021 and 2022, accordingly. The complaints alleged that Vinted possibly violated data processing principles concerning data erasure (the right to be forgotten) and data access requests.
In October 2023, Vinted revealed that it was in the process of litigation in Poland and Italy over millions of euros in fines.
In May 2023, a Polish court decreased the Office of Competition and Consumer Protection’s 1.14 million euro fine imposed on Vinted more than four times, but the ruling was appealed and is pending.
In France, a consumer group also filed a class action lawsuit on over-compensation of Vinted for fees for platform users since 2016. The case is still pending before a Paris civil court.
Findings of the SDPI
The SDPI has found Vinted violated several key provisions of the GDPR. Vinted was found to have infringed Article 5(1)(a) (principles of lawfulness, fairness, and transparency), Article 5(2) (principle of accountability), and Articles 12(1) and 12(4) (transparent information, communication, and conditions for exercising data subject rights).
It was revealed that Vinted refused to delete the data subjects’ data when users failed to cite specific grounds set out in the GDPR and continued processing the users’ personal data without specifying the purposes for this activity. The SDPI found that Vinted did not provide sufficient detailed information when denying right-to-be-forgotten requests from blocked users.
Moreover, Vinted was found to be employing a practice called shadow blocking, where it processed the personal data of users suspected of violating platform rules without their knowledge, with the aim of making them leave the platform. This practice violates the principles of fairness and transparency of the GDPR.
In addition, the SDPI found that at least in one case Vinted did not take sufficient technical and organizational measures to implement the principle of accountability to demonstrate that it had acted regarding the right of access.
The Lithuanian watchdog stated that it took the European Data Protection Board's (EDPB) Guidelines 04/2022 on the calculation of administrative fines into account. Factors considered for the fine included the cross-border nature of the company’s data processing, the large number of affected users, and the prolonged duration of the infringements.
The decision was coordinated with data protection authorities from Germany, France, Poland, the Netherlands, and Spain under the GDPR's so called ‘one-stop shop’ principle.
Outcomes
After the investigation, Vinted was fined €2,385,276 for the above-mentioned violations of the GDPR.
The full decision can be found here.
The decision can be appealed to the Regional Administrative Court within one month.
Use CookieScript Consent Management Platform to comply with the GDPR and other privacy laws and avoid fines.
Frequently Asked Questions
What is shadow blocking?
Shadow blocking, also called shadow banning, hell banning, or ghost banning, is the practice of totally or partially blocking a user or their content in an online community or e-commerce in such a way that the blocking is not readily visible to the user. For example, if a user places an item on the e-commerce platform, it would be visible to the user, but not to other users of the platform. The reason for using shadow blocking is the hope that the problematic or otherwise unwanted users will become unsatisfied, bored, or frustrated and leave the site.
What amount of fine did Vinted receive for the violation of the GDPR?
On July 2, 2024, the Lithuanian State Data Protection Inspectorate (SDPI) imposed a fine of €2,385,276 on Vinted UAB for violating the General Data Protection Regulation (GDPR) following data subject complaints. The decision can be appealed to the Regional Administrative Court within one month.