
GDPR scandal: Vinted under investigation for serious user data breaches

Transparency issues and misuse of data: Vinted in the crosshairs of European data protection authorities

Vinted was fined by the Lithuanian regulator for GDPR violations, including obstacles to data deletion, use of non-transparent "shadow bans", and poor data protection measures. The fine is 2.3 million euros. The company intends to appeal the sanction.


The popular used-clothing trading platform Vinted has been fined 2.3 million euros by the Lithuanian Data Protection Authority (VDAI) for violations of the GDPR. The investigation was launched following complaints presented by the French authorities (CNIL) and the Polish authorities (UODO) in 2021 and 2022. The authorities highlighted users' difficulties in exercising the right to erasure of data: Vinted reportedly failed to comply with erasure requests without providing adequate reasons. Furthermore, the company did not clarify why in some cases the data processing continued even after the deletion request.

Shadow ban system and violation of transparency principles

Another element underlying the sanction is the unlawful use of a "shadow ban" system, a practice that limits the visibility of users' content without their consent. This covert moderation strategy meant that posts or user lists deemed non-compliant with community rules were hidden from the public, compromising interactions with potential buyers. The users involved were not informed of this data processing, in violation of the principles of lawfulness, fairness and transparency required by Art. 5(1)(a) of the GDPR. This limited users' ability to exercise their rights.

Lack of technical and organizational data protection measures

The Lithuanian authority also found that the platform did not adopt sufficient technical and organizational measures to guarantee compliance with the principle of accountability in the right of access to data. Specifically, Vinted refused to respond to an access request because the user had not identified a specific reason for the request. This led to the violation of Art. 5(2) and Art. 12(1) and (4) of the GDPR, relating to the failure to provide transparent information and conditions for the exercise of data subjects' rights.

Consequences and reaction of Vinted

Faced with these violations, the authority imposed the highest fine issued in Lithuania since the introduction of the GDPR, based on Guidelines 04/2022 of the European Data Protection Board, which aim to harmonize administrative sanctions within the EU. Vinted announced its intention to appeal the fine, stating that the cases cited by the Lithuanian authority are not related to account security or improper use of personal data. In Italy, Vinted had already been sanctioned in 2022 by the Italian antitrust authority with a fine of 1.5 million euros for misleading information to users.


07/08/2024 15:17

Marco Verro
