
GDPR scandal: Vinted under investigation for serious user data breaches

Transparency issues and misuse of data: Vinted in the crosshairs of European data protection authorities

Vinted was fined by the Lithuanian regulator for GDPR violations, including obstacles to data deletion, use of non-transparent "shadow bans", and poor data protection measures. The fine is 2.3 million euros. The company intends to appeal the sanction.


The popular used clothing trading platform Vinted has been fined 2.3 million euros by the Lithuanian Data Protection Authority (VDAI) for violations of the GDPR. The investigation was launched following complaints submitted by the French authority (CNIL) and the Polish authority (UODO) in 2021 and 2022. The authorities highlighted users' difficulties in exercising the right to erasure of data, with which Vinted reportedly failed to comply without providing adequate reasons. Furthermore, the company did not clarify why in some cases the data processing continued even after the deletion request.

Shadow ban system and violation of transparency principles

Another element underlying the sanction is the unlawful use of a "shadow ban" system, a practice that limits the visibility of users' content without their consent. This covert moderation strategy meant that posts or user listings deemed non-compliant with community rules were hidden from the public, compromising interactions with potential buyers. The users involved were not informed of this data processing, in violation of the principles of lawfulness, fairness and transparency laid down in Art. 5(1)(a) of the GDPR. This limited users' ability to exercise their rights.

Lack of technical and organizational data protection measures

The Lithuanian authority also found that the platform did not adopt sufficient technical and organizational measures to guarantee compliance with the principle of accountability in the right of access to data. Specifically, Vinted refused to respond to an access request because the user had not identified a specific reason for the request. This led to the violation of Art. 5(2) and Art. 12(1) and (4) of the GDPR, relating to the failure to provide transparent information and conditions for the exercise of data subjects' rights.

Consequences and reaction of Vinted

Faced with these violations, the authority imposed the highest fine issued in Lithuania since the introduction of the GDPR, calculated on the basis of Guidelines 04/2022 of the European Data Protection Board, which aim to harmonize administrative sanctions within the EU. Vinted announced its intention to appeal the fine, stating that the cases cited by the Lithuanian authority are not related to account security or improper use of personal data. In Italy, Vinted had already been sanctioned in 2022 by the Antitrust authority with a fine of 1.5 million euros for misleading information to users.


07/08/2024 15:17

Marco Verro
