News
The Court: the State Data Protection Inspectorate lawfully and reasonably found that UAB Vinted has violated GDPR regarding the processing of personal data
On May 22, the Regional Administrative Court dismissed the applicant UAB Vinted’s complaint against the defendant State Data Protection Inspectorate for the annulment of certain parts of the decisions.
The company approached the court requesting to annul the administrative decisions adopted by the State Data Protection Inspectorate (hereinafter referred to as the ‘Inspectorate’) in connection with the complaints of three different personal data subjects related to the cross-border processing of personal data. These complaints were submitted to the Inspectorate by the French national data protection supervisory authority because the companies (i.e. data controllers or processors) have their main or sole registered offices in a Member State, in this case – in the Republic of Lithuania.
The complaints of the personal data subjects indicated that the company refused to comply with their requests for the right to request the erasure of personal data (‘the right to be forgotten’); in addition, one of the complaints dealt with the fact that the company did not respond to the data subject’s request for access to their data.
Having examined these complaints, on 5 February 2024, the Inspectorate adopted individual decisions for each complaint, in which it acknowledged that the actions of UAB Vinted bear the signs of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repeals the Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the ‘GDPR’) related to three main areas: 1) due to improper examination of requests from personal data subjects to erase their data as well as insufficient and unclear information provided, in violation of: a) Paragraph a of Part 1 of Article 5 of GDPR, which stipulates that personal data must be processed fairly and transparently (in the present case, the data subjects were not clearly explained the reasons for blocking their accounts or provided with sufficient information about the processing of their data); b) Part 1 of Article 12 of GDPR, which obliges the data controller to provide information in a clear, intelligible and easily accessible form (the company’s responses to data subjects regarding the refusal to erase their data were vague and unclear; c) Part 4 of Article 12 of GDPR, according to which, if the data controller refuses to comply with the data subject’s request, the data controller must provide reasons for the refusal and information about the possibility of appealing such a decision (in the present cases, such information was provided too late or not provided at all); 2) failure to properly implement the accountability principle in violation of: a) Part 2 of Article 5 of GDPR, which stipulates that the data controller must be responsible for compliance with the principles of data processing and be able to prove it (the company failed to provide sufficient evidence that the rights of data subjects were properly implemented and the blocking of accounts was justified); b) Article 24 of GDPR, which obliges the data controller to implement appropriate technical and organizational measures to ensure compliance of data processing with GDPR (in the present case, the company failed to save correspondence with one of the data subjects and could not prove that the data processing was carried out lawfully and transparently); 3) processing of personal data in the context of so-called shadow block, which was carried out without a clear and lawful basis in violation of: a) Paragraph a of Part 1 of Article 5 of GDPR, which stipulates that data must be processed lawfully (when applying the so-called shadow block, the company failed to provide a lawful basis for such processing; b) Paragraph f of Part 1 of Article 6 of GDPR, which stipulates that personal data may only be processed if at least one of the grounds for lawful processing is present (in the present case, the processing of data with the purpose of achieving the so-called shadow block was not based on the user’s consent or any other lawful condition for such processing, as detailed in Article 6 of GDPR).
UAB Vinted indicated that the contested administrative decisions of the Inspectorate adopted after examining the complaints of natural persons regarding the processing of their personal data in the user accounts of the UAB Vinted platform, which had been forwarded by foreign data protection supervisory authorities, are unmotivated and unfounded. The company claimed that it had duly considered the data subjects’ requests to erase their data and had provided all the information required by law, had not violated the fundamental rights and freedoms of the data subjects, had not restricted their privacy, and had not endangered the security of their data. The company also claimed that, when examining the complaints, the Inspectorate exceeded its limits as it established violations that the data subjects had not even clearly specified and for which the limitation periods on liability had expired. The legality of the decisions was also contested due to the allegedly violated examination deadlines and inappropriate wording of the decisions, i.e. alleged failure to comply with the requirements of the Code of Administrative Offences and the Law on Legal Protection of Personal Data.
Having examined the contents of the contested decisions as well as all the collected materials of this huge administrative case, the court found that the Inspectorate’s decisions were based on both facts and legal norms. It was acknowledged that the Inspectorate acted within its competence and did not go beyond the complaints examined. The court emphasized that the supervisory authority has a duty to assess both direct wording of the complaints and the entire factual context, especially when violations are related to the same factual basis. This ensures a comprehensive assessment of application and enforcement of the GDPR provisions.
The court pointed out that the practice of the so-called shadow block, when users are restricted from using their accounts without clear information and possibility of using legal remedies, was carried out without a legal basis as established by Article 6 of GDPR, thus violating the principle of lawfulness enshrined in Paragraph a of Part 1 of Article 5 of GDPR.
The court noted that although such block may be motivated by the aim of protecting other users from possible malicious activity, this in itself cannot be deemed a sufficient basis. Pursuant to Paragraph f of Part 1 of Article 6 of GDPR, a legitimate interest may only apply where the processing of data is necessary to achieve the goals pursued, there are no other less restrictive measures available, and where the rights and fundamental freedoms of the data subject do not override that interest. The essence of shadow block, i.e. the deliberate non-disclosure of information to the user, goes contrary to the principles of GDPR, in particular the principle of lawfulness. The user to whom such measure is applied is not given any real opportunity to understand that his or her account has been restricted, let alone exercise his or her rights (such as the right to access data, the right to request their deletion or the right to object to data processing).
Such a secret and disproportionate effect infringes the rights of the data subject and makes it difficult to defend his or her interests. This is particularly relevant when the person is not even provided with information about the specific violation he or she is accused of. The data subject has the right to know what actions of his or hers constitute an infringement in order to be able to stop the potentially unlawful activity or exercise the right of defence.
The court believes that shadow block could only be applied where the interests of the data controller do not override the rights of the data subject. In this case, the balance of the legal basis as defined in Paragraph f of Part 1 of Article 6 of GDPR has not been ensured.
The court also found that the company had not properly examined the data subjects’ requests to delete their personal data, i.e. a mere formal refusal was not enough. The data controller should have seriously and actively assessed the validity of each request in accordance with the criteria set out in Article 17 of GDPR.
The court pointed out that the applicant had also failed to comply with the obligation to inform data subjects about the progress and results of examination of their requests, thus violating the principles of fairness and transparency enshrined in Paragraph a of Part 1 of Article 5 of GDPR and the requirements of Part 1 and Part 4 of Article 12 of GDPR demanding to provide information in a clear, intelligible and easily accessible form. In refusing to comply with the data subjects’ requests, the company failed to provide clear reasons for the refusal and did not inform about the possibility of appealing such a decision as required by Part 4 of Article 12 of GDPR.
It was also established that the applicant failed to implement the accountability principle as provided by Part 2 of Article 5 of GDPR, i.e. the company failed to prove that its actions complied with the provisions of GDPR and that the blocking of user accounts was justified. This also violated Article 24 of GDPR, which obliges the data controller to implement appropriate technical and organisational measures to ensure compliance of data processing with legal acts.
When assessing the form and motivation of the decisions, the court acknowledged that it was clear from the contents of the decisions that the Inspectorate examined each complaint and adopted the relevant decision; therefore, the formal defect, i.e. the absence of a clear wording on the satisfaction or dismissal of the complaint in the operative part, does not constitute grounds for deeming these decisions unlawful. The decisions complied with the requirements of the Law on Public Administration and the Law on Legal Protection of Personal Data (hereinafter referred to as the ‘LLPPD’) regarding the reasoning and sufficiency of information.
The court also noted that the international cross-border cooperation procedure was applied in the present case; therefore, the national review deadlines of three months from the receipt of the complaint established by the LLPPD do not apply. Since the defendant did not impose any administrative penalties, only indicating violations of GDPR and stating the need to apply sanctions, the applicant’s arguments regarding the expiration of the statute of limitations for administrative penalties were deemed legally irrelevant. The court noted that administrative liability was not imposed by the appealed decisions.
Thus, the court found that all the examined factual circumstances and legal norms were assessed properly, and the Inspectorate acted in accordance with the law as well as within its competence. Therefore, the court dismissed the applicant’s complaint as unsubstantiated. This court decision may be appealed.
This is the first case in Lithuania in which a mock trial was initiated. Pursuant to Part 1 of Article 127 of the Law on Administrative Proceedings, if there is evidence that more than twenty individual administrative cases that are similar in terms of law and facts are being examined in the court, these cases may be examined by way of mock trial. Having established that 54 administrative cases are being examined in the Regional Administrative Court, i.e. more than twenty similar individual administrative cases, in which the decisions of the State Data Protection Inspectorate regarding the actions of the Lithuanian capital startup UAB Vinted in relation to different personal data subjects are being contested, on 10 March 2025, the Chair of the Court made a decision to assign the case to be examined by way of mock trial. “So far, the court is still experiencing difficulties due to the influx of cases that has been ongoing for the past few years. As a result, we initiated mock trial procedure as one of the measures to ensure more efficient and economical work of the court,” said Dr. Gediminas Užubalis, the Chair of the Regional Administrative Court, “In addition, this significant precedent will allow for the formation of a clearer common practice and thus more efficient protection of the public interest and ensuring the economy of the judicial process.”
Administrative case No. eI3-1348-428/2025
When quoting or otherwise distributing this information, please cite the source.
Media contacts





