Vinted UAB – Complaint Upheld (Lithuania, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The case relates to a complaint over Vinted’s use of a user’s phone number for verification purposes. A user (the data subject) created an account with Vinted (the controller), an e-commerce platform for buying and selling second-hand items. During account creation, the data subject was not required to provide a phone number. However, the controller later required the data subject to provide their phone number. The stated purpose for the collection was combating fraud and ensuring the safety of the Vinted platform and its users. The data subject considered the controller’s request unjustified but provided their phone number anyway because they were otherwise unable to access their account.
The data subject later filed a complaint with a German DPA (the decision does not clarify whether the complaint was forwarded by a State DPA or by the Federal DPA of Germany), challenging the lawfulness of the collection of their phone number. The German DPA, in turn, held that the Lithuanian DPA was the lead supervisory authority for the case and forwarded the complaint.
In its defense, the controller pointed out that the Vinted Terms of Service explicitly listed the collection of the user’s phone number as one of several methods of account verification, for the purpose of ensuring account security and combating fraud. On these grounds, the controller claimed that the collection of the phone number for account verification was lawful under the legal basis of performance of a contract (Article 6(1)(b)). Furthermore, the controller argued that ensuring the security of users' accounts constituted an integral part of its contract with end users. Finally, the controller claimed that the collection of personal data for the purpose of account verification fit the expectations of end users.
The DPA held that verifying users' accounts and ensuring the security of the platform was not an essential aspect of the contract between the controller and the data subject. For this reason,
GDPR Articles Cited
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Cite as: Cookie Fines. Vinted UAB - Lithuania (2025). Retrieved from cookiefines.eu