
GDPR scandal: Vinted under investigation for serious user data breaches

Transparency issues and misuse of data: Vinted in the crosshairs of European data protection authorities

Vinted was fined by the Lithuanian regulator for GDPR violations, including obstacles to data deletion, use of non-transparent "shadow bans", and poor data protection measures. The fine is 2.3 million euros. The company intends to appeal the sanction.


The popular second-hand clothing trading platform Vinted has been fined 2.3 million euros by the Lithuanian Data Protection Authority (VDAI) for violations of the GDPR. The investigation was launched following complaints filed by the French authority (CNIL) and the Polish authority (UODO) in 2021 and 2022. The authorities highlighted users' difficulties in exercising the right to erasure of data, requests that Vinted allegedly failed to honor without providing adequate reasons. Furthermore, the company did not clarify why in some cases the data processing continued even after the deletion request.

Shadow ban system and violation of transparency principles

Another element underlying the sanction is the unlawful use of a "shadow ban" system, a practice that limits the visibility of users' content without their consent. This covert moderation strategy meant that posts or user lists deemed non-compliant with community rules were hidden from the public, compromising interactions with potential buyers. The users involved were not informed of this data processing, in violation of the principles of lawfulness, fairness and transparency imposed by Art. 5(1)(a) of the GDPR. This limited users' ability to exercise their rights.

Lack of technical and organizational data protection measures

The Lithuanian authority also found that the platform did not adopt sufficient technical and organizational measures to guarantee compliance with the principle of accountability in the right of access to data. Specifically, Vinted refused to respond to an access request because the user had not identified a specific reason for the request. This led to the violation of Art. 5(2) and Art. 12(1) and (4) of the GDPR, relating to the failure to provide transparent information and conditions for the exercise of data subjects' rights.

Consequences and reaction of Vinted

Faced with these violations, the authority imposed the highest fine issued in Lithuania since the introduction of the GDPR, based on Guidelines 04/2022 of the European Data Protection Board, which aim to harmonize administrative sanctions within the EU. Vinted announced its intention to appeal the fine, stating that the cases cited by the Lithuanian authority are not related to account security or improper use of personal data. In Italy, Vinted had already been sanctioned in 2022 by the Antitrust authority with a fine of 1.5 million euros for misleading information to users.

07/08/2024 15:17

Marco Verro
