Important financial penalty for online marketplace Vinted for failure to comply with the right of erasure
What is the right of erasure?
Any data subject may exercise the right of erasure against the responsible person by requesting the erasure of his or her personal data in the following situations:
- When the personal data are no longer necessary for the purpose of processing for which they were collected.
- When the personal data were collected thanks to the express consent given by the data subject and the data subject decides to withdraw it.
- When the data subject objects to the processing of his or her personal data when such processing is based on legitimate interest or when the personal data are subject to direct marketing.
- When the personal data have been unlawfully processed.
- Where the personal data must be erased in order to comply with a legal obligation that applies to the controller.
- If the personal data have been obtained as a result of the provision of information society services.
It is important to mention that the right of erasure is directly related to the right to be forgotten, which is why when the data subject exercises the right of erasure, it implies an extension of the obligation of the data controller who has made public data public to erase all links to, copies or replicas of such data.
However, this right of erasure and its extension with the right to be forgotten should not be confused with an unlimited nature in its prolongation, since it may be feasible not to proceed with erasure when the processing is necessary for the exercise of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest, for the exercise of public powers, for reasons of public interest or for the formulation, exercise or defence of claims.
Vinted fined
Vinted is a community platform aimed at private individuals where sellers and buyers of clothing are put together. It was in 2020 that users of the platform began to have problems with the exercise of their right to suppression of personal data.
It was the Lithuanian Data Protection Authority that analysed the case, as Vinted’s headquarters are located in Lithuania, and finally determined that the platform had infringed the General Data Protection Regulation (GDPR) on the grounds that it had not dealt transparently with users’ requests for deletion of their data.
The company could not refuse erasure on the sole ground that the individuals concerned did not cite one of the criteria provided for in the GDPR. Moreover, Vinted refused to delete the data without informing its data subjects of the reasons for its refusal.
This sanction reaffirms the obligation of platforms to ensure that data subjects’ rights are legitimately exercised and that their data are processed in a fair and transparent manner.
Infringement of users’ rights
In addition to not being able to prove that it had responded correctly to the requests, it was found that the company illegally implemented stealth banning, a method that consists of making the activity of a user considered malicious invisible to other users, without them being aware of it, in order to encourage them to leave the platform. Although this type of practice is intended to protect the platform, the conditions under which Vinted implemented it severely infringed the rights of users, without them being informed of this measure, resulting in outright discrimination.