Vinted said Wednesday that the State Data Protection Inspectorate’s (SDPI) inquiry does not concern the security of accounts, while its recent decision sets a “new precedent that goes beyond the boundaries of legal regulation.”
“We want to reassure our members that the investigation by the State Data Protection Inspectorate has nothing to do with the security of their accounts or the misuse of their personal data. We take GDPR [the General Data Protection Regulation] and privacy very seriously and invest heavily in regulatory compliance and the security of our members. We have collaborated with the SDPI Throughout the process,” Vinted told ELTA in a written comment.
“However, we do not see any legal basis for this decision of the SDPI and we believe that it creates a new precedent that goes beyond the boundaries of legal regulation and best practices in the field. We completely disagree with the decision and will challenge it in court,” the company stated.
The SDPI carried out an investigation following the applicants’ complaints forwarded by the French and Polish supervisory authorities in 2021 and 2022, respectively, alleging that the company had not properly implemented their requests regarding the right to erasure (‘right to be forgotten’) and the right of access.
The regulator also said it had found that Vinted did not take sufficient technical and organisational measures to ensure the implementation of the principle of accountability and to be able to demonstrate that it had taken (or reasonably refused to take) action with regard to right of access.