Vinted UAB – Complaint Upheld (Lithuania, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Lithuanian DPA found that Vinted UAB failed to respond properly to a user's requests about their account. The user claimed their account was wrongly suspended, and Vinted didn't handle their requests for access and correction correctly. This case serves as a reminder for companies to manage user requests carefully to comply with privacy laws.
What happened
Vinted UAB did not respond appropriately to a user's requests for access and rectification of their personal data.
Who was affected
A user whose account was suspended and whose personal data was mishandled was affected.
What the authority found
The DPA ruled that Vinted violated GDPR by not properly addressing the user's requests for access and correction.
Why this matters
This ruling highlights the importance of timely and accurate responses to user data requests. Businesses should ensure they have clear processes in place to handle such requests to avoid legal issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Vinted (the controller) suspended the account of a user (the data subject) on grounds that they allegedly violated the controller’s terms of use by controlling multiple accounts on the platform, including accounts involved in the sale of counterfeit goods. The data subject claimed that the controller’s allegations were false. They filed an access request and a request for the rectification of their personal data. Due to a human error, the controller accidentally misunderstood the requests as a request for erasure and dismissed them. The data subject then filed the same requests again and received no response. The data subject later filed a complaint with the Spanish DPA, claiming that the controller violated the right of access, the right to rectification, and the principle of accuracy. The Spanish DPA forwarded the case to the Lithuania DPA (the lead supervisory authority for the case). The controller only responded to the data subject’s request after the Lithuanian DPA notified it of the investigation. In its response, the controller stated that it had deleted the account because its general data retention time for inactive accounts (3 months) had expired in the meantime. Therefore, the controller was unable to grant access to the data or to rectify them. Likewise, the controller informed the DPA that it no longer controlled the data and, therefore, could not grant the data subject's requests. The DPA held that the controller violated Articles 12(3), 15 and 16 GDPR by failing to understand the content of the data subject’s request the first time they were filed, and by failing to reply the second time they were filed. Due to the erasure of the data, the controller could not examine the data subject's claim that their data were processed inaccuratelyWith regards to the violation of the accuracy principle, the Lithuanian DPA referred the decision back to the Spanish DPA, in order for the Spanish DPA to dismiss the claim. The referral to the Spanish DPA is due to a
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (1)
Other enforcement actions involving Vinted UAB in LT
Details
Decision Date
1 August 2025
Authority
Valstybine duomenu apsaugos inspekcija
About this data
Cite as: Cookie Fines. Vinted UAB - Lithuania (2025). Retrieved from cookiefines.eu
Last updated: