Vinted, the famous second-hand platform, has been fined €2.3 million. The decision follows numerous complaints about the difficulties associated with deleting users’ personal data.
Since its launch in France in 2013, Vinted has carved out a place for itself in the second-hand market, with some 23 million users, to the point of overshadowing Leboncoin and Cdiscount. Everyone now knows the slogan “You don’t wear it anymore? Sell it!”, which has been widely used in its advertising campaigns. However, the platform has just been rapped on the knuckles by the European authorities. On Tuesday, July 2, the Lithuanian Data Protection Authority, in cooperation with the CNIL, imposed a fine of €2.3 million for non-compliance with the General Data Protection Regulation (GDPR). The company is being singled out for its handling of data erasure requests and for implementing a “stealth ban” system for users, which is accused of lacking transparency. The decision follows an investigation carried out in collaboration with several European countries, including France.
Vinted fine: non-compliance with GDPR
Starting in 2020, many users began to complain about Vinted to the CNIL. Since the company is headquartered in Lithuania, the investigation was entrusted to the Lithuanian Data Protection Authority. First, Vinted is accused of failing to process “in a fair and transparent manner” the data erasure requests that were sent to it. Article 17 of the GDPR stipulates that everyone can request the erasure of their personal data under certain conditions, such as when the data is no longer necessary in relation to the purposes for which it was collected. Yet the company refused these requests without clearly explaining the reasons for its refusal.
On July 2, 2024, in cooperation with the CNIL, the Lithuanian Data Protection Authority imposed a fine of EUR 2,385,276 million on Vinted UAB for several breaches targeting users of the platform. https://t.co/PYOEutQSiC pic.twitter.com/mE4goLqJ1K
— CNIL (@CNIL) July 3, 2024
The second problem concerns the “stealth ban” system, also called “shadow ban” by Internet users. This practice consists of “making the activity of a user considered malicious (who does not respect the rules of the platform) invisible to other users, without the latter noticing, with the aim of encouraging them to leave the platform”. The practice is commendable but, here too, it lacks transparency and can lead to discrimination. Finally, Vinted was unable to prove that it had correctly responded to all requests for the right of access to personal data.
Vinted fine: a lack of transparency and fairness
Given the 50 million monthly active users worldwide, the Lithuanian Data Protection Authority has decided to impose a fine of 2.3 million euros on the company, one of its heaviest. Vinted has already announced that it will appeal the CNIL’s decision. “We fundamentally disagree with this decision”, it told AFP. The platform considers that the decision “has no legal basis” and establishes “a new precedent that goes beyond both current legislation and industry practices”.
It seeks to reassure its users, stating that “the cases mentioned by the Lithuanian Data Protection Authority (VDAI) are in no way related to the security of their accounts and do not involve any misuse or violation of their personal data”, and insists that “privacy protection and compliance with GDPR (General Data Protection Regulation) are taken very seriously.”