Lithuania
Vinted
GDPR enforcement action by Lithuanian Data Protection Authority (VDAI) on 2024-07-02.
Case details
- Authority
- Lithuanian Data Protection Authority (VDAI)
- Date
- 2024-07-02
- Controller / Processor
- Vinted
- Sector
- Industry and Commerce
- Quoted Articles
- Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 12 (1), (4) GDPR
- Type of violation
- Insufficient fulfilment of data subjects rights
Summary
The Lithuanian DPA has imposed a fine of EUR 2,385,276 on the second-hand online store "Vinted". The DPA initiated an investigation after the Polish and French DPAs forwarded complaints against the company. During its investigation, the DPA found that the company had not adequately processed deletion requests from data subjects as they had not provided specific reasons for their deletion request. It was also revealed that the company was unlawfully using "shadow blocking" to remove users from the platform without their knowledge, which violated the principles of fairness and transparency. This also impaired users' ability to exercise their rights under the GDPR. In addition, the DPA found that the company had not taken sufficient technical and organizational measures to ensure compliance with the principle of accountability and to be able to demonstrate that it had taken appropriate measures regarding the right of access.
---UPDATE---
The Regional Administrative Court has rejected a complaint filed by the controller under the Administrative case No. eI3-1348-428/2025.
Related fines