The largest e-commerce platform for second-hand goods in Europe is the first Lithuanian "unicorn"Vinted" improperly processed personal data and violated the European Union (EU) General Data Protection Regulation (GDPR), the court ruled.
Vinted told BNS that it disagrees with the court's decision and intends to appeal it.
The Regional Administrative Court on Thursday rejected the company's appeal, in which it requested the annulment of the decisions of the State Data Protection Inspectorate.
"The inspectorate's decisions were based on both facts and legal norms. It was recognized that the inspectorate acted within its competence and did not exceed the limits of the complaints," the court reported.
The Inspectorate, after examining complaints forwarded by the French national data protection supervisory authority, decided in February last year that Vinted had improperly handled customers' requests to delete their data, had insufficiently and unclearly explained the reasons for blocking their accounts, and had not provided sufficient information about data processing.
Also, according to the inspectorate, the company improperly implemented the principles of data processing accountability and applied the so-called "shadow blocking" without a clear legal basis.
For its part, Vinted convinced the court that it had properly assessed the requests to delete data and provided all necessary information, as well as not violating the fundamental rights and freedoms of its customers, not restricting their privacy, and not endangering the security of their data.
"The decisions of the State Data Protection Inspectorate regarding us have nothing to do with the security of user accounts and do not involve any misuse of personal data or security breach (…). We disagree with the court's decision and intend to appeal it," Vinted explained to BNS in a comment.
According to the company, the inspectorate's decisions are largely based on how Vinted communicated with people about their data deletion requests, what measures it took to block the accounts of those who violated the rules, and how long it kept one specific response to a request for access to personal data.
Vinted said it had, however, cooperated with the inspectorate and improved its operational processes based on the suggestions.
According to the court, this case is the first model trial in Lithuania, where more than 20 legally and factually homogeneous individual administrative cases are examined.
The Regional Administrative Court is considering 54 cases challenging the inspectorate's decisions regarding Vinted's actions in processing personal data.
The Inspectorate fined Vinted 2,385 million euros last July for violations of consumer data protection, following complaints from residents of France and Poland.
The company has appealed the fine to the court, but the case has been suspended until the latest decision on personal data processing enters into force. It can be appealed to the Supreme Administrative Court of Lithuania within 30 days.
