Vinted Faces 2.3 Million Euro Fine for Lithuanian Data Privacy Breach: What You Need to Know

In 2020, the Lithuanian Data Protection Authority imposed a fine of more than 2.3 million euros on Vinted, a second-hand specialist based in Vilnius. The decision followed numerous complaints filed in France against the company, which were mainly about the difficulties individuals faced in exercising their right to erasure of data.

Vinted expressed disagreement with the decision and stated that it has no legal basis and sets a new precedent beyond current legislation and industry practices. The company plans to appeal the decision. However, Vinted reassured its members that the cases mentioned by the Lithuanian Data Protection Authority were not related to the security of their accounts or any misuse of their personal data. The platform takes privacy protection and GDPR compliance seriously.

Among the failings noted by the authority was that Vinted did not process requests for deletion of users’ personal data in a fair and transparent manner. The platform also implemented a “stealth ban” system that was considered to excessively infringe on users’ rights. Additionally, Vinted was unable to demonstrate that it had properly responded to requests for access to customers’ personal data.

Vinted became profitable for the first time in 2023, employing more than 2,000 people, primarily in Lithuania. Despite this success, the company plans to cooperate with authorities in Poland, the Netherlands, and Germany regarding this issue as indicated by CNIL