Lithuanian SA: fine of € 2 385 276 on Vinted, UAB (company)

Background information

  • Date of final decision: 2 July 2024
  • Cross-border case or national case: cross-border case
    One-Stop-Shop Procedure: the decision was taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (OSS)
  • LSA:    LT 
    and CSAs: FR, DE, PL, NL, ES
  • Controller: Vinted, UAB
  • Legal Reference (s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing),  Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject),  Article 83 (General conditions for imposing administrative fines)
  • Decision: Administrative fine
  • Key words: Lawfulness of processing,   Exercise of data subject rights,  Administrative fine, Transparency,  Principles relating to processing of personal data, Accountability

 

Summary of the Decision

 

Origin of the case  

Lithuanian Supervisory Authority (SA) carried out an investigation following the applicants’ complaints (‘Vinted’ platform users) forwarded by French SA and Polish SA in 2021 and 2022, respectively, alleging that the company had not properly implemented their requests regarding the right to erasure (‘right to be forgotten’) and the right of access.


Key Findings 

Lithuanian SA found infringements with respect to the company in relation to: the actions of the company in response to requests for erasure of personal data by applicants, as well as the quality of the information provided by the company to applicants (infringements of Article 5(1)(a) GDPR (principles of fairness and transparency, Article 12(1) and (4) GDPR); processing in the context of a company’s ‘shadow blocking’ (infringements of lawfulness principle, Article 5(1)(a) GDPR and Article 6(1) GDPR); improper implementation of the principle of accountability (Article 5(2) GDPR).

Lithuanian SA found that the company, in its responses to the applicants’ requests for erasure of personal data, stated that it would not act on a specific request, because the applicant concerned did not identify a specific reason under Article 17(1) GDPR, also failed to identify all the purposes for which the applicants’ specific personal data would continue to be processed after the request was made.

The company unlawfully, in violation of the principles of fairness and transparency, processed personal data of some of the applicants in the context of ‘shadow blocking’ (i.e. the processing of personal data with the intention that a person who allegedly violates the company’s platform’s principles of operation should leave the platform without being aware of such processing of their personal data).

The company also failed to demonstrate that it had taken or refused to act in accordance with the applicant’s request for the right of access.
 

Decision 

In light of the above, the Lithuanian SA decided to impose a fine of EUR 2 385 276. 
When deciding on the amount of the fine, Lithuanian SA relied on the European Data Protection Board Guidelines 04/2022 of 24 May 2023 on the calculation of administrative fines under the GDPR and took into account, for example, the cross-border scope of the processing carried out by the company, that the infringements affected a large number of data subjects and lasted for a long period of time.


For further information: please contact the Lithuanian SA: [email protected]
 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.