Lithuania’s data protection authority has imposed a fine of more than €2.3 million on Vinted UAB, the operator of a popular used clothing sales platform. The decision is the result of proceedings initiated by complaints forwarded by Poland’s data protection authority in 2021-22.
The main violations found by the Lithuanian supervisory authority included:
-
improper exercise of the right of access to data (Article 15 of the GDPR) and the right to erasure (Article 17 of the GDPR);
-
excessive requirements for personal data when withdrawing funds from sales, including a request for a scan of an ID card;
-
unlawful use of the practice of “shadow blocking,” which involves secretly blocking users without informing them of further data processing;
-
failure to implement appropriate technical and organizational measures in line with the principle of accountability.
It is worth noting that data protection authorities from Poland, France, the Netherlands and Spain were also involved in issuing the decision, demonstrating the international nature of the case.