Vinted fined €2.4 million for ‘shadow banning’ and other GDPR violations

The investigation was a collaborative effort involving multiple European data protection authorities.

The Lithuanian privacy watchdog, State Data Protection Inspectorate (SDPI), has imposed a substantial fine of €2.4 million on the online clothing platform Vinted. The penalty addresses multiple breaches of the General Data Protection Regulation (GDPR), including inadequate user information, improper handling of data access and deletion requests, and the controversial practice of ‘shadow banning.’

Numerous complaints from across Europe sparked the investigation into Vinted, with significant input from privacy authorities in the Netherlands, France, Poland, Germany, and Spain. The Dutch Data Protection Authority (AP) was notably involved, frequently forwarding complaints to the SDPI, as Vinted’s European headquarters are based in Lithuania.

The SDPI’s investigation revealed several critical GDPR violations by Vinted. Users were not adequately informed about how their personal data was being processed, which directly breaches GDPR principles. Additionally, Vinted failed to respond appropriately to user requests for accessing or deleting their data.

The platform notably required users to specify a reason for data deletion requests, a practice that the SDPI found unjustified. Furthermore, Vinted did not provide clear explanations when such requests were denied, leaving users in the dark about the fate of their personal information.

‘Shadow Banning’ Practices

One of the most alarming findings was Vinted’s use of ‘shadow banning.’ This practice involves blocking users from a platform without their knowledge, effectively silencing them while giving the impression that they are still active. The SDPI noted that this measure was applied to users accused of violating Vinted’s code of conduct; however, the way it was implemented hindered users from exercising their GDPR rights, such as the right to be informed and the right to access their data.

“This happened after a user allegedly violated Vinted’s code of conduct. The way in which Vinted applied this measure wrongly hindered users from using their privacy rights under the GDPR,” the AP explained in a statement.

The SDPI’s decision was reached through close cooperation with other European privacy regulators, reflecting the cross-border nature of the complaints. The European Data Protection Board’s guidelines were instrumental in calculating the fine, considering factors like the extensive scope of Vinted’s data processing activities and the prolonged impact on a large number of users.

The SDPI held a closed session, attended by representatives of both the authority and Vinted, to deliberate on the fine. Due to the involvement of multiple EU member states, the decision was coordinated under the GDPR’s ‘one-stop shop’ mechanism, ensuring compliance and uniformity across the board.

Vinted can appeal the decision within one month. The company has not yet issued a public statement regarding the fine or the SDPI’s findings.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for Huffington Post for their Code column.