Vinted – €2,385,276 Fine (Lithuania, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Vinted, a second-hand online store, was fined over 2.3 million euros for mishandling user deletion requests. The Lithuanian data protection authority found that Vinted used 'shadow blocking' to remove users without their knowledge, which is unfair and goes against transparency rules. This case highlights the importance of respecting user rights and being clear about how companies handle personal data.
What happened
Vinted failed to properly process user deletion requests and used 'shadow blocking' to remove users without informing them.
Who was affected
Users of Vinted who requested to have their accounts deleted but were not properly informed about the process.
What the authority found
The authority ruled that Vinted did not comply with GDPR requirements for transparency and user rights.
Why this matters
This ruling emphasizes that companies must be transparent and fair in handling user requests. Other online businesses should review their practices to ensure they respect user rights.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Lithuanian DPA has imposed a fine of EUR 2,385,276 on the second-hand online store 'Vinted'. The DPA initiated an investigation after the Polish and French DPAs forwarded complaints against the company. During its investigation, the DPA found that the company had not adequately processed deletion requests from data subjects as they had not provided specific reasons for their deletion request. It was also revealed that the company was unlawfully using 'shadow blocking' to remove users from the platform without their knowledge, which violated the principles of fairness and transparency. This also impaired users' ability to exercise their rights under the GDPR. In addition, the DPA found that the company had not taken sufficient technical and organizational measures to ensure compliance with the principle of accountability and to be able to demonstrate that it had taken appropriate measures regarding the right of access. ---UPDATE--- The Regional Administrative Court has rejected a complaint filed by the controller under the Administrative case No. eI3-1348-428/2025.
Related Enforcement Actions (0)
No other enforcement actions found for Vinted in LT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
2 July 2024
Authority
Valstybine duomenu apsaugos inspekcija
Fine Amount
€2,385,276
Enforcement Tracker ID
ETid-2398
About this data
Cite as: Cookie Fines. Vinted - Lithuania (2024). Retrieved from cookiefines.eu
Last updated: