Vinted Fined €2.3m Over Data Protection Failure

Written by

Vinted, the leading online platform for second-hand sales, has been fined €2,385,276 ($2,582,730) for breaching the EU’s General Data Protection Regulation (GDPR) in relation to personal data deletion requests.

The fine was issued on July 2 by the Lithuanian Data Protection Office (VDAI), the country where Vinted UAB’s global headquarters are based.

It follows a series of complaints over data protection failures, notably from France, Vinted’s leading customer market.

These complaints started in 2020 and "mainly concerned difficulties encountered by individuals in exercising their right to data erasure,” the French data protection authority (CNIL) noted in a public statement published on July 3.

These complaints were conveyed to the VDAI, which was tasked with investigating the case in collaboration with French, Polish, Dutch and German authorities.

Vinted’s ‘Stealth Ban’ System Under Scrutiny

According to the CNIL, the second-hand platform failed to "fairly and transparently" process requests for personal data deletion.

The authority also blamed Vinted for implementing a "stealth ban" system.

This system consists of "making the activity of a user considered to be malicious (who does not respect the platform's rules) invisible to other users, without the user noticing, to encourage the user to leave the platform,” explained the CNIL.

The French data protection authority considers this method "an excessive infringement of users' rights."

Finally, Vinted could not demonstrate that it had adequately responded to customer requests for access to personal data.

Vinted told French press agency AFP that it would appeal the case.

A Vinted spokesperson said: “We fundamentally disapprove of this decision, [which] has no legal basis and sets a new precedent that goes beyond both current legislation and industry practice."

Read more: Replacing GDPR in the UK: A Cost-Benefit Analysis

What’s hot on Infosecurity Magazine?