Referral C-730/25 (Vinted, 17 Nov 2025)

1. Must the provisions of Article 55(1), Article 56(1), Article 57(1), Articles 58(1) and (2) and Article 60 of the General Data Protection Regulation 1 (‘GDPR’) be interpreted as precluding a practice of a Member State whereby the supervisory authority is no longer able to take a decision on a complaint relating to cross-border data processing and/or impose the corrective measures laid down in Article 58(2) of the GDPR solely on the grounds that the two-year limitation period for the imposition of an administrative fine laid down in national law has expired?

2. Must Article 57(1)(f) and Articles 58(1) and (2) of the GDPR be interpreted as meaning that, when investigating a data subject’s complaint concerning a specific infringement indicated in the complaint, a supervisory authority may (or must) take a decision regarding other infringements of the GDPR relating to the same data processing which have were discovered during the investigation of the complaint, or must it confine itself to the subject matter of the complaint?

3. Must Article 57(1)(f) of the GDPR be interpreted as meaning that the supervisory authority is required, when it receives a complaint from a data subject, to define clearly the scope of the investigation and to specify to the controller the precise information required from it in order to ensure the complaint is investigated properly?

4. Must Articles 5(2) and 24 of the GDPR be interpreted as meaning that, in accordance with the principle of accountability, the data controller is required to retain all available data relating to the data subject who lodged the complaint for the entire period of the investigation of the complaint, even if that data is not directly related to the scope of the complaint investigated by the supervisory authority, and that such storage is compatible with the principle of data minimisation laid down in Article 5(1)(c) of the GDPR and the principle of storage limitation laid down in paragraph (e) thereof?

5. Must Article 5(1)(a) and Articles 12(1) and (4) of the GDPR be interpreted as meaning that, where a data subject submits an unspecified request for the erasure of his/her personal data pursuant to Article 17 of the GDPR, without stating the grounds for erasure, the controller may refuse to erase the data and is not required to inform the data subject that it has assessed, on its own initiative, whether at least one of the grounds for erasure referred to in Article 17(1) of the GDPR exists? Also, in the event of a refusal to erase personal data based on a request under Article 17 of the GDPR, must the principle of transparency enshrined in Article 5(1)(a) and Article 12(1) of the GDPR, read in conjunction with Article 12(4), be interpreted as requiring the controller to provide the data subject with information on all of the reasons for which the personal data will be processed, including the purposes of the remaining processing operations, categories of data, the processing operations and the lawful basis?

6. Must Article 5(1)(a), Article 6(1)(f), Article 13(1)(d), Article 14(3)(a) and Article 14(5) of the GDPR be interpreted as meaning that the controller’s obligation to provide the data subject with information regarding the processing of personal data carried out in relation to shadow banning is considered to be fulfilled and to comply with the principle of transparency where the controller states in its privacy policy that banning will occur where the platform’s rules are breached (without specifying the possible types of banning, including shadow banning), and that the personal data (including the reason for the banning, duration and profile data) will be processed on the basis of the legitimate interest of protecting and ensuring the security of the platform, its users and members, but the data subject is not individually informed of the processing of personal data carried out in relation to shadow banning either at the beginning of such processing or later, but only after the shadow banning period (not exceeding 30 days) has ended and full banning has been applied, the data subject is provided with information regarding the processing of personal data due to banning (full banning, not shadow banning)? If the answer to the latter question is in the negative, must Article 14(5)(b) of the GDPR be interpreted as meaning that the controller may rely on the exception from the obligation to provide information laid down in that provision, where the processing is carried out for the purposes of shadow banning?

7. Must Article 5(1)(a) and Article 6(1)(f) of the GDPR be interpreted as meaning that the actions of a data controller who processes a user’s personal data for the purpose of shadow banning without informing the data subject of such processing, but with the aim of protecting the platform, its users and members, may be regarded as in compliance with the lawfulness requirements laid down in the GDPR?