Fines for Vinted and Kruidvat: the importance of proper GDPR compliance

PKF BOFIDI Legal


In July 2024, European privacy regulators issued some notable fines. The popular second-hand platform Vinted was fined more than EUR 2 million by the Lithuanian privacy regulator for its mishandling of requests by platform users for the deletion of their personal data. In addition, the drugstore chain Kruidvat was fined EUR 600,000 by the Dutch privacy regulator for tracking visitors to the website kruidvat.nl via so-called “tracking cookies” without those visitors having given their consent.

These rulings emphasise once again how important it is for companies to comply with European and national legislation when processing the personal data of, for example, customers, employees or suppliers.

State Data Protection Inspectorate ruling – Vinted fine

A number of users of the Vinted platform had complained to the French and Polish regulators that Vinted had not responded (or had not responded adequately) to their request for access or their request to delete the personal data held about them by the platform.

These complaints were forwarded to the Lithuanian regulator, which had jurisdiction because Vinted’s head office is in Lithuania.

During the investigation of Vinted, it was found that there were multiple breaches, including:

(i) Failure to deal properly with a request for access or a request for deletion: The platform failed to respond properly to the requests of the data subjects. Vinted wrongly asked the data subjects to provide a specific reason for their request to delete personal data. In addition, Vinted was not transparent towards the data subjects about why it refused the request for deletion.

(ii) “Shadow blocking”: It was also found that the platform applied “shadow blocking” unlawfully and in violation of several principles of the GDPR. “Shadow blocking” is the processing of personal data with the intention of excluding a user who has allegedly violated the guidelines of the Vinted platform from the platform without notifying the user. Vinted applied these practices without informing the user of such processing of their personal data.

(iii) Failure to comply with the principle of accountability: Finally, it was established that Vinted had not taken sufficient technical and organisational measures to comply with the so-called “principle of accountability” under the GDPR, i.e. to be able to demonstrate that it had acted on requests exercising the right of access.

Dutch Data Protection Authority ruling – Kruidvat fine

The drugstore chain Kruidvat, known for its wide range of health and beauty products, has been taken to task by the Dutch Data Protection Authority for placing so-called “tracking cookies” without the consent of website visitors. Kruidvat collected a variety of personal data from visitors, such as location data, browsing behaviour, purchases and which recommendations they clicked on by placing those tracking cookies on the website kruidvat.nl. This data was used to create personal profiles.

It was established that the processing of personal data was unlawful, because the tracking cookies were placed on the visitors’ computers without their prior consent. The cookie banner on the website kruidvat.nl had boxes ticked by default, so that “accept all cookies” was automatically selected; this does not meet the conditions for valid consent under the GDPR. In addition, it was found that the process for withdrawing consent (“opt out”) was too complicated and cumbersome. Placing tracking cookies requires obtaining the legally valid consent of the website visitors; in other words, the consent must be freely given, specific, informed and unambiguous. The use of pre-ticked boxes in the cookie banner does not meet this requirement. The collection and processing of personal data in this way is therefore considered unlawful (and in violation of the GDPR).

What this means for your business

Both rulings once again emphasise the importance of processing personal data in compliance with the principles of the GDPR, as discussed earlier in this article.

Companies should inform both internal and external data subjects (customers, employees, suppliers, etc.) in a clear, transparent and comprehensible manner about the processing of their personal data, including when handling access or deletion requests and when placing cookies via a cookie banner. Failure to comply with these GDPR principles can lead – as the Vinted and Kruidvat cases show – to companies being fined by the national privacy regulator.

Our PKF BOFIDI Legal experts will be pleased to help you with more information

PKF BOFIDI Legal can assist you with correct compliance with the GDPR by, among other things, drafting clear internal and external policies and advising on the lawful processing of personal data, the transparency obligation, the implementation of cookie banners, and more. Please do not hesitate to contact our team.

This article was written by Jenny Cheung, who specialises in intellectual property, ICT, data protection and privacy.
