Vinted UAB – €2,385,276 Fine (Lithuania, 2024)

In 2021 and 2022 two data subjects filed complaints with the French and the Polish DPA against the controller, a famous online shop for second-hand clothes. Since the main establishment of the controller is located in Lithuania, the complaints were forwarded to the Lithuanian DPA, which acted as lead DPA in this case according to the one-stop-shop mechanism. The complainants argued that the controller had not properly dealt with their requests regarding their right to erasure under Article 17 GDPR and their right to access under Article 15 GDPR. The controller argued that it had not acted on requests regarding the right to erasure since the data subject did not identify in their request a “specific ground” under Article 17(1) GDPR. Firstly, the DPA noted that the controller did not act on requests for erasure of data. The DPA rejected the controller’s argument and held that it could not refuse the data subjects’ erasure requests just because they did not specifically mention one of the grounds foreseen by Article 17(1) GDPR. Moreover, even if the controller had been right in refusing the request, it would have needed to provide the data subjects with the reasons for its inaction, telling them the purposes for which their data would continue to be processed after the request was made. Secondly, the DPA held that the controller was applying “shadow blocking” practices. These practices consist in excluding a user from the platform without the user being informed of this exclusion. According to the DPA, this type of practice violated the principles of fair and transparent data processing. Thirdly, the DPA found that the controller did not take sufficient technical and organisational measures to ensure the implementation of the principle of accountability and to be able to demonstrate that it had taken (or reasonably refused to take) action with regard to the right of access. On these grounds, the DPA found a violation of Articles 5(1)(a), 5(2), 12(1) and 12(4) GDPR