On 3 July 2024, the Lithuanian State Data Protection Inspectorate (SDPI) issued a ruling concerning its investigation into Vinted over violating the General Data Protection Regulation (GDPR) and imposed a fine of EUR 2'385'276. The fine followed complaints from French and Polish authorities regarding the company's handling of the right to erasure and right of access requests. The investigation found Vinted guilty of unlawful, unfair, and non-transparent data processing practices, including “shadow blocking”, which impeded users' ability to exercise their GDPR rights. Furthermore, the SDPI noted Vinted's insufficient technical and organisational measures to ensure accountability. The fine amount considered the cross-border nature of Vinted's operations and the prolonged impact on a large number of data subjects. The decision, coordinated with other EU data protection authorities, can be appealed within a month.
Original source