VDAI (Lithuania) - Vinted UAB

From GDPRhub
Revision as of 15:59, 8 July 2024 by Fb (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Lithuania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoLT.png |DPA_Abbrevation=ADA |DPA_With_Country=ADA (Lithuania) |Case_Number_Name=Vinted UAB |ECLI= |Original_Source_Name_1=VDAI |Original_Source_Link_1=https://vdai.lrv.lt/en/news/a-company-operating-an-online-second-hand-clothing-trading-and-exchange-platform-is-fined-under-the-general-data-protection-regulation/ |Original_Source_Language_1=English |Original_Source_Language__...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ADA - Vinted UAB
LogoLT.png
Authority: ADA (Lithuania)
Jurisdiction: Lithuania
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 12(4) GDPR
Article 17(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 02.07.2024
Published:
Fine: 2,385,276 EUR
Parties: Vinted UAB
National Case Number/Name: Vinted UAB
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: VDAI (in EN)
Initial Contributor: fb

The DPA fined Vinted UAB €2,385,276 after it failed in lawfully processing erasure requests and access requests. Moreover, the DPA found that Vinted’s shadow banning practices violated the principles of transparency and fairness.

English Summary

Facts

In 2021 and 2022 two data subjects filed complaints with the French and the Polish DPA against the controller, a famous second-hand clothes online shop. Since the main establishment of the controller is located in Lithuania, the complaints were forwarded to the Lithuanian DPA, which acted as lead DPA in this case.

The complainants argued that the controller had not properly dealt with their requests regarding their right to erasure under Article 17 GDPR and their right to access under Article 15 GDPR.

The controller argued that it had not acted on requests regarding the right to erasure since the data subject did not identify in their request a “specific ground” under Article 17(1) GDPR.

Holding

Firstly, the DPA noted that the controller did not act on requests for erasure of data. The DPA rejected the controller’s argument and held that it could not refuse the data subjects’ erasure requests just because they did not specifically mention one of the grounds foreseen by Article 17(1) GDPR.

Moreover, even if the controller had been right in refusing the request, it would have needed to provide the data subjects with the reasons for its inaction, telling them the purposes for which their data would continue to be processed after the request was made.

Secondly, the DPA held that the controller was applying “shadow blocking” practices. These practices consist in excluding a user from the platform without the user being informed of this exclusion. According to the DPA, this type of practice violated the principles of fair and transparent data processing.

Thirdly, the DPA found that the controller did not take sufficient technical and organisational measures to ensure the implementation of the principle of accountability and to be able to demonstrate that it had taken (or reasonably refused to take) action with regard to the right of access.

On these grounds, the DPA found a violation of Articles 5(1)(a), 5(2), 12(1) and 12(4) GDPR and issued a fine of €2,385,276.

Comment

The full decision about this case is not currently available. Therefore, this summary is based on the press releases of the Lithuanian DPA (Lead DPA) and of the French, Dutch and Polish DPA (Concerned DPAs).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

On 2 July 2024, Lithuanian data protection supervisory authority – State Data Protection Inspectorate (SDPI), decided to impose an administrative fine of EUR 2 385 276 on Vinted, UAB (the company), the operator of the online second-hand clothing trading and exchange platform “Vinted”. The fine was imposed by the SDPI following the examination of the applicants’ complaints forwarded by the French and Polish supervisory authorities and finding the infringements of Article 5(1)(a) of the General Data Protection Regulation (GDPR) (the principles of lawfulness, fairness and transparency), Article 5(2) of the GDPR (the principle of accountability), and Articles 12(1) and 12(4) of the GDPR (transparent information, communication and conditions for the exercise of the data subject’s rights).

The SDPI carried out an investigation following the applicants’ complaints forwarded by the French and Polish supervisory authorities in 2021 and 2022, respectively, alleging that the company had not properly implemented their requests regarding the right to erasure (‘right to be forgotten’) and the right of access.

During the examination of the complaints it was established that the company, in its response to the applicants’ requests, indicated that it would not act on a specific request for deletion of data, because the applicant concerned did not identify in their request the ‘specific grounds’ under Article 17 of the GDPR, i.e. they did not identify a specific reason corresponding to Article 17(1) of the GDPR, and the company did not provide all the reasons for inaction, i.e. the purposes for which the applicants’ data of a specific scope would continue to be processed after the request was made.

The examination of the complaints also revealed that the company, in order to ensure the security of the platform and its users, unlawfully applied ‘shadow blocking’ (the processing of personal data with the intention that a person who allegedly violates the “Vinted” platform’s principles of operation should leave the platform without being aware of such processing of their personal data) in respect of some of the applicants, in violation of the principles of fairness and transparency. It should be noted that the improper implementation of the above-mentioned principles has negatively affected the ability of users of the platform to exercise other rights and seek remedies under the GDPR.

In addition, the company did not take sufficient technical and organisational measures to ensure the implementation of the principle of accountability and to be able to demonstrate that it had taken (or reasonably refused to take) action with regard to right of access.

When deciding on the amount of the fine, the SDPI relied on the European Data Protection Board’s Guidelines 04/2022 of 24 May 2023 on the calculation of administrative fines under the GDPR, taking into account, for example, the cross-border scope of the processing carried out by the company, the infringements affected a large number of data subjects and lasted for a long period of time.

The case concerning the imposition of an administrative fine by the SDPI was heard orally in a closed session, in the presence of representatives of the SDPI and of representatives of the company. Given that the complaints also concerned personal data of citizens of other Member States of the European Union, in accordance with the GDPR, the decision taken was also coordinated with the personal data protection supervisory authorities of those Member States, applying the ‘one-stop shop’ principle. The supervisory authorities of Germany, France, Poland, the Netherlands and Spain identified themselves as the concerned supervisory authorities.

The decision of the SDPI may be appealed to the Administrative Court of the Regions within one month from the date of delivery of the decision in accordance with the procedure laid down by the Republic of Lithuania Law on Administrative Proceedings.

Last updated: 03-07-2024