Given that they have received a significant number of complaints concerning the online clothing sales website vinted.com, operated by the Lithuanian company Vinted UAB, the supervisory authorities from France, Lithuania and Poland have entered into cooperation to investigate compliance of this website with GDPR. The supervisory authorities have jointly established a working group, facilitated by the EDPB, which held its first meeting on 8 November.
The supervisory authorities are focusing in particular on the following: the fact that the website operator requires a scan of an identity card in order to unblock funds received from sales on a user's account and the associated legal basis; the procedure and criteria to block an account and the corresponding retention periods.
As Vinted has its main establishment in Lithuania, the Lithuanian data protection authority is the lead supervisory authority. The Vinted platform is also available in several other countries in Europe. For this reason, the national supervisory authorities have jointly decided to set up a working group to facilitate coordinated action in resolving the complaints they have received. This will ensure consistent and effective investigation of the compliance of the processing of data by Vinted with the GDPR provisions.