GDPR scandal: Vinted under investigation for serious user data breaches
Transparency issues and misuse of data: Vinted in the crosshairs of European data protection authorities
Vinted was fined by the Lithuanian regulator for GDPR violations, including obstacles to data deletion, use of non-transparent "shadow bans", and poor data protection measures. The fine is 2.3 million euros. The company intends to appeal the sanction.
The popular used clothing trading platform Vinted has been fined 2.3 million euros by the Lithuanian Data Protection Authority (VDAI) for violations of the GDPR. The investigation was launched following complaints filed by the French authorities (CNIL) and the Polish authorities (UODO) in 2021 and 2022. The authorities highlighted users' difficulties in exercising the right to erasure of data, which Vinted reportedly failed to comply with, without providing adequate reasons. Furthermore, the company did not clarify why in some cases the data processing continued even after the deletion request.
Shadow ban system and violation of transparency principles
Another element underlying the sanction is the unlawful use of a "shadow ban" system, a practice that limits the visibility of users' content without their consent. This covert moderation strategy meant that posts or user lists deemed non-compliant with community rules were hidden from the public, compromising interactions with potential buyers. The users involved were not informed of this data processing, in violation of the principles of lawfulness, fairness and transparency imposed by Art. 5(1)(a) of the GDPR. This limited users' ability to exercise their rights.
Lack of technical and organizational data protection measures
The Lithuanian authority also found that the platform did not adopt sufficient technical and organizational measures to guarantee compliance with the principle of accountability in the right of access to data. Specifically, Vinted refused to respond to an access request because the user had not given a specific reason for the request. This led to the violation of Art. 5(2) and Art. 12(1) and (4) of the GDPR, relating to the failure to provide transparent information and conditions for the exercise of data subjects' rights.
Consequences and reaction of Vinted
Faced with these violations, the authority imposed what represents the highest fine ever imposed in Lithuania since the introduction of the GDPR, based on the Guidelines 04/2022 of the European Data Protection Board to harmonize administrative sanctions within the EU. Vinted announced its intention to appeal the fine, stating that the cases cited by the Lithuanian authority are not related to account security or improper use of personal data. In Italy, Vinted had already been sanctioned in 2022 by the Antitrust authority with a fine of 1.5 million euros for misleading information to users.
07/08/2024 15:17
Marco Verro