The basis for imposing the penalty

In early July, Vinted UAB, a company that provides a platform for selling used clothing, received an administrative fine of €2,300,000.00. The fine was imposed by the Lithuanian supervisory authority. The proceedings were initiated following complaints from users of the website.

Users pointed out the company's failure to give effect to their rights, particularly the right to access their personal data and the right to be forgotten. Users also alleged that while logging into the platform is simple and intuitive, withdrawing funds after a purchase is difficult, and that the platform requires the provision of numerous additional personal data, including a scan of an ID card.

This case clearly demonstrates that even large businesses still lack an adequate approach to data protection. Failure to honour data subject rights falls into the higher tier of fines, i.e., up to €20 million or, in the case of an undertaking, up to 4% of its total annual worldwide turnover for the preceding financial year, whichever is higher.

Data subject rights

It should be recalled that persons whose data are processed have the following rights:

  • the right to be informed (Article 12 of the GDPR),
  • the right to access personal data, including obtaining a copy thereof in a machine-readable form (Article 15 of the GDPR),
  • the right to rectify data if they are incorrect or incomplete, including their updating (Article 16 of the GDPR),
  • the right to delete data if there is no other basis for further processing (Article 17 of the GDPR),
  • the right to restrict data processing (Article 18 of the GDPR),
  • the right to data portability (Article 20 of the GDPR),
  • the right to object to data processing and the right not to be subject to automated decision-making, including profiling (Articles 21 and 22 of the GDPR).

Data subjects have the right to be aware of how and for what purposes their personal data is being processed by the controller, and to have control over it. The controller must be technically and organizationally ready to implement each of these rights.

Data minimization principle

It should be noted that the controller is prohibited from collecting excess data, so-called "just in case" data, or data intended for future use. In accordance with the principle of data minimization, personal data should be collected only to the extent necessary to achieve a given purpose. Scanning an ID card primarily involves the processing of additional data, including the holder's image, parents' names, PESEL number (the Polish national identification number), and document number, none of which is necessary for transferring funds. If its confidentiality is compromised, such data poses a high risk to the rights and freedoms of the data subject, particularly identity theft or the possibility of financial liabilities being incurred in the data subject's name.

In accordance with the principle of privacy by design, the controller should always design its processes so that processing is secure from the outset and the privacy of data subjects is ensured. Each processing activity must also rest on a legal basis, as specified in Article 6 of the GDPR.

Risk-based approach

This case clearly demonstrates that individuals' awareness of the processing of their personal data is constantly growing, which should be considered a positive development. Data subjects who notice irregularities in the processing of their data report them to the supervisory authority. For data controllers, this means they must re-examine their processing operations and verify whether, at any stage, they are acting in violation of the GDPR, in accordance with the fundamental principle of a risk-based approach.

This article is for informational purposes only and does not constitute legal advice.

Legal status as of July 24, 2024
