Lithuania’s first “unicorn” heavily fined for breach of GDPR

published on 24 September 2024 | reading time approx. 4 minutes


At the beginning of July this year, the State Data Protection Inspectorate (the Inspectorate) issued a decision imposing the largest administrative fine in Lithuania’s history, amounting to EURO 2.385.276, for breaches of the General Data Protection Regulation (GDPR). Previously, the highest fine ever imposed in Lithuania for a data protection breach was "only" EURO 110.000.

This impressive fine was imposed on Vinted UAB, the company that operates the online second-hand clothing trading and exchange platform Vinted, and which in 2019 became Lithuania's first “unicorn” – a highly successful start-up that is now worth more than EURO 1 billion and operates in 19 countries in Europe and North America. 

The fine was imposed after the Inspectorate examined the complaints forwarded by the French and Polish supervisory authorities and found infringements of Article 5(1)(a) (the principles of lawfulness, fairness and transparency), Article 5(2) (the principle of accountability), and Articles 12(1) and 12(4) (the principles of transparent information, communication and conditions for the exercise of the rights of the data subject) of the GDPR.

As a reminder, the Inspectorate investigated complaints forwarded by the French and Polish supervisory authorities in 2021 and 2022, respectively, concerning the company's possibly inadequate handling of the applicants' requests to exercise the right to erasure ("right to be forgotten") and the right of access to the data.

The complaints procedure revealed that the company, in its response to the applicants' requests, indicated that it would not act on a specific request for deletion of data because the applicant concerned had not identified in the request the “specific grounds” set out in Article 17 of the GDPR, that is, no specific reason corresponding to Article 17(1) of the GDPR was identified. The company also did not indicate all the reasons for its failure to act, i.e. the purposes for which the processing of the applicant's data, to a specific extent, was continued after the request.

The complaints also revealed that the company, in order to ensure the security of the platform and its users, unlawfully applied “shadow blocking” (processing of personal data with the intention that a person who may be in breach of the principles of the operation of the Vinted platform should leave the platform without being aware of such processing of his/her personal data) in respect of some of the applicants in violation of the principles of integrity and transparency. The inadequate implementation of the above-mentioned principles has negatively affected the ability of platform users to exercise other rights and remedies under the GDPR.

Moreover, Vinted UAB did not take sufficient technical and organizational measures to ensure the implementation of the principle of accountability and to be able to demonstrate that it had taken (or reasonably refused to take) action regarding the right of access to data.

In deciding on the amount of the fine, the Inspectorate referred to the European Data Protection Board's Guideline No 04/2022 of 24 May 2023 on the calculation of administrative fines under the GDPR, considering, for example, the cross-border scope of the company's processing, the fact that the infringements affected many data subjects and that the infringements lasted a long time. What is impressive is that the decision was coordinated between the supervisory authorities of 6 countries!

The Inspectorate's fine of almost EURO 2.4 million is a penalty for inaction on the part of Vinted UAB, as in fact it was punished for failing to act when data subjects contacted it to exercise their rights. It is clear that the Inspectorate's decision urges other companies to put their internal documents governing the protection of personal data in order, to establish procedures for the enforcement of data subjects' rights, and not to ignore data subjects' requests.

 DATA PROTECTION BITES

author


Liudgardas Maculevičius

Attorney at Law

Associate Partner

+370 5 2123 590


Laima Nevarauskaitė

Assistant Attorney at Law

+370 5 2123 590
