VINTED fined €2.3 million for not complying with erasure requests, applying "shadow blocking", and poor accountability practices

On July 2, the State Data Protection Inspectorate (SDPI) of Lithuania, as the lead supervisory authority, fined Vinted, an online platform for trading and exchanging second-hand clothing, 2,385,276 euros, following the EDPB Guidelines on the calculation of administrative fines under the GDPR, considering the number of affected data subjects, the duration, and the cross-border scope of the violations.

In 2020, complaints against Vinted were filed with supervisory authorities in France, Germany, the Netherlands, and Poland. Following investigations, it was concluded that Vinted had: (i) failed to process the applicant's request for data deletion fairly and transparently. Vinted could not refuse such requests solely because the applicant did not specify a reason for erasure and also did not provide all the reasons for its refusal to delete the data; (ii) unlawfully applying "shadow blocking," which making a user invisible without their knowledge to encourage them to leave the platform. Although this method is not inherently forbidden, in Vinted's case, it negatively impacted users' GDPR rights; and (iii) violated its accountability obligations by failing to demonstrate it had correctly responded to users' access requests.

Authors: Nicolas Quoy (Partner); Antoine Boullet (Senior Associate); Anne Wecxsteen (Trainee Solicitor)