Vinted UAB – Complaint Upheld (Lithuania, 2025)

Vinted (the controller) suspended the account of a user (the data subject) on grounds that they allegedly violated the controller’s terms of use by controlling multiple accounts on the platform, including accounts involved in the sale of counterfeit goods. The data subject claimed that the controller’s allegations were false. They filed an access request and a request for the rectification of their personal data. Due to a human error, the controller accidentally misunderstood the requests as a request for erasure and dismissed them. The data subject then filed the same requests again and received no response. The data subject later filed a complaint with the Spanish DPA, claiming that the controller violated the right of access, the right to rectification, and the principle of accuracy. The Spanish DPA forwarded the case to the Lithuania DPA (the lead supervisory authority for the case). The controller only responded to the data subject’s request after the Lithuanian DPA notified it of the investigation. In its response, the controller stated that it had deleted the account because its general data retention time for inactive accounts (3 months) had expired in the meantime. Therefore, the controller was unable to grant access to the data or to rectify them. Likewise, the controller informed the DPA that it no longer controlled the data and, therefore, could not grant the data subject's requests. The DPA held that the controller violated Articles 12(3), 15 and 16 GDPR by failing to understand the content of the data subject’s request the first time they were filed, and by failing to reply the second time they were filed. Due to the erasure of the data, the controller could not examine the data subject's claim that their data were processed inaccuratelyWith regards to the violation of the accuracy principle, the Lithuanian DPA referred the decision back to the Spanish DPA, in order for the Spanish DPA to dismiss the claim. The referral to the Spanish DPA is due to a