Administrative fine of EUR 2 385 276 imposed by the Lithuanian Data Protection Authority on Vinted, UAB for unlawful processing of personal data
The National Center for Personal Data Protection (NCPDP), for information and enforcement purposes, reports on the administrative fine in the amount of 2 385 276 euro imposed by the Lithuanian Data Protection Authority (SA) on Vinted, UAB, the controller of the online platform for trading and exchange of second-hand clothes. The controller breached Article 5 – Principles relating to the processing of personal data, Article 6 – Lawfulness of processing, Article 12 – Transparency of information, communication and arrangements for exercising the data subject’s rights and Article 83 – General conditions for imposing administrative fines, of the GDPR.
The Lithuanian SA initiated an investigation following complaints from applicants (users of the Vinted platform) submitted by the French SA and the Polish SA in 2021 and 2022, respectively, alleging that the company did not properly implement their requests regarding the right to erasure (“right to be forgotten”) and the right of access.
Upon investigation, the Lithuanian SA found that the company in its responses to the requests for erasure of personal data stated that it would not act on a specific request because the applicant in question did not identify a specific ground under Article 17(1) of the GDPR and did not identify all the purposes for which the applicants’ specific personal data would continue to be processed after the request was submitted.
At the same time, in order to ensure the security of the platform and its users, the company unlawfully applied “shadow blocking” to some of the applicants, in breach of the principles of fairness and transparency. Shadow blocking is the processing of personal data with the intention that a person who is alleged to be in breach of the Vinted Platform Operating Principles would leave the platform without being aware of this processing of their personal data. The improper implementation of these principles adversely affected the ability of platform users to exercise their other rights and seek redress under the GDPR.
In addition, the company did not ensure sufficient technical and organizational measures to implement the principle of accountability and to be able to demonstrate that it has taken (or reasonably refused to take) measures with respect to the right of access.
In this context, the Lithuanian SA decided to impose an administrative fine in the amount of EUR 2 385 276 on Vinted, UAB. When deciding on the amount of the fine, the Lithuanian SA relied on the European Data Protection Board’s Guidelines 04/2022 of May 24, 2023 on the calculation of administrative fines under the GDPR and took into account the cross-border scope of the processing carried out by the company and the fact that the breaches affected a large number of data subjects and lasted for a long period of time.
As the national supervisory authority for the processing of personal data, the NCPDP emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the applicable legislation.