Lithuania's biggest online platform operates across 16 markets in Europe, the US and Canada.
ADVERTISEMENTOnline platform Vinted will appeal the €2,3 m privacy fine it received from the Lithuanian data protection authority yesterday, a company spokesperson told Euronews today (4 July).
The platform, on which users can sell second hand clothes, shoes and bags, was ordered to pay the penalty as the Lithuanian watchdog found that the company breached the EU’s General Data Protection Regulation (GDPR) by failing to give users the right to erase their data.
The investigation was forwarded to Vilnius after the French and the Polish privacy regulators received local complaints. Under the GDPR, the regulator of the country where the company is headquartered deals with the case.
The Lithuanian probe found that the app also used “Shadow Blocking”: banning a user from the platform without his or her knowledge, after allegedly violating Vinted's rules of conduct. This hindered users from using their Privacy Rights under the GDPR.
A company spokesperson told Euronews today that Vinted “fundamentally disagrees with this fine and will continue to appeal."
“The cases referenced by the Lithuanian Data Protection Authority are in no way related to the security of accounts or involve any misuse or breach of [users] personal data. We take privacy and GDPR very seriously and have invested heavily into compliance and protecting our members, and we cooperate with the authority throughout this process,” the spokesperson added.
Vinted, founded in 2008, operates across 16 markets in Europe, as well as in Canada and the US. It acquired United Wardrobe, a Dutch competitor in 2024, and Trendsales, a Danish competitor, in 2024.
The company was previously hit with a €1.14m fine imposed by the Polish Competition and Consumer Authority. The appeal case is still pending. It was also ordered to pay a €1.5m fine by the Competition authority in Italy for breaching advertising rules.
The GDPR penalty is the highest issued in Lithuania ever since the EU's privacy rules entered into force in 2018. The biggest GDPR fine ever – €1.2bn -- was issued by the Irish authority against Meta for transferring EU user data to the US without adequate safeguards and for processing children's data without valid parental consent. Meta appealed this decision.
