On July 2, 2024, in cooperation with the CNIL, the Lithuanian data protection authority imposed a fine of 2,385,276 euros on the company Vinted UAB for several breaches affecting users of the platform.
VINTED offers a community-based online marketplace platform that allows registered users to sell, buy and trade used clothing and accessories. The platform is accessible via a mobile application and from a web browser and has approximately 50 million monthly active users worldwide.
Strengthened cooperation with the CNIL throughout the procedure
Since 2020, the CNIL has received numerous complaints against the company VINTED, mainly relating to difficulties people encountered in exercising their right to erasure of data.
In accordance with the cooperation procedures established by the General Data Protection Regulation (GDPR), the Lithuanian data protection authority was competent to carry out the investigations in this case, since VINTED has its head office in Lithuania. The French complaints were therefore communicated to the Lithuanian authority.
The CNIL cooperated closely with its counterpart throughout the procedure, as well as with the other authorities concerned (Polish, Dutch and German).
The breaches identified
At the end of the investigations, the Lithuanian data protection authority found that the company VINTED had committed several breaches of the GDPR.
- The company did not handle the erasure requests it received in a fair and transparent manner:
  - the company could not refuse erasure on the sole ground that individuals did not cite one of the criteria provided for by the GDPR in their erasure request;
  - in cases where it refused erasure, the company did not inform the complainants of all the reasons for the refusal.
- The company illegally implemented “stealth banning”, a method which consists of making the activity of a user considered malicious (one who does not respect the rules of the platform) invisible to other users, without that user noticing, with the aim of encouraging them to leave the platform.
Although such a practice is intended to protect the platform, the conditions in which it was implemented caused an excessive infringement of the rights of users, in particular because they were not informed of this measure and because it could lead to discrimination (ineffectiveness in exercising the right to contact customer support, impossibility of exercising one’s rights, etc.).
In addition, the objectives of the stealth ban could be achieved by the complete block, which occurred automatically 30 days after the stealth ban and of which people were informed.
- The company could not demonstrate that it had properly responded to right of access requests.
The CNIL informed the complainants of this decision, as provided for by the GDPR.
This sanction decision reaffirms the obligation for online platforms to ensure the exercise of the rights of data subjects and to process their data in a fair and transparent manner.
https://www.cnil.fr/fr/marche-en-ligne-sanction-de-23-millions-deuros-lencontre-de-vinted