Vinted, a leading platform for second-hand sales, has been fined €2,385,276 ($2,582,730) by the Lithuanian Data Protection Office (VDAI) for breaching the EU’s General Data Protection Regulation (GDPR). This fine, issued on July 2, 2024, comes in response to complaints about Vinted’s failure to properly handle personal data deletion requests. The complaints, primarily from France, began in 2020 and highlighted significant issues with how individuals could exercise their right to data erasure.
The French data protection authority, CNIL, criticized Vinted for not processing data deletion requests transparently and fairly. Additionally, Vinted’s practice of implementing a “stealth ban” system—making a user’s activity invisible without their knowledge to encourage them to leave—was deemed an excessive infringement on users’ rights. This system was found to undermine users’ control over their personal data and privacy.
The investigation, led by the VDAI in collaboration with French, Polish, Dutch, and German authorities, revealed that Vinted had also failed to adequately respond to customer requests for access to their personal data. The company’s inability to demonstrate compliance with data protection requests was a key factor in the hefty fine.
In response, Vinted has expressed its intention to appeal the decision, arguing that the fine lacks legal basis and sets a precedent that goes beyond current legislation and industry standards. The company maintains that the decision is unjust and does not align with established data protection practices.
