Referral C-730/25 (Vinted, 17 Nov 2025)

Question 1
Must the provisions of Article 55(1), Article 56(1), Article 57(1), Articles 58(1) and (2), and Article 60 of the GDPR be interpreted as precluding a practice of a Member State whereby the supervisory authority is no longer able to take a decision on a complaint relating to cross‑border data processing and/or impose the corrective measures laid down in Article 58(2) of the GDPR solely on the ground that the two‑year limitation period for the imposition of an administrative fine laid down in national law has expired?
Question 2
Must Article 57(1)(f) and Articles 58(1) and (2) of the GDPR be interpreted as meaning that, when investigating a data subject’s complaint concerning a specific infringement indicated in the complaint, a supervisory authority may (or must) take a decision regarding other infringements of the GDPR relating to the same data processing which were discovered during the investigation, or must it confine itself to the subject matter of the complaint?
Question 3
Must Article 57(1)(f) of the GDPR be interpreted as meaning that the supervisory authority is required, when it receives a complaint from a data subject, to define clearly the scope of the investigation and to specify to the controller the precise information required from it in order to ensure that the complaint is investigated properly?
Question 4
Must Articles 5(2) and 24 of the GDPR be interpreted as meaning that, in accordance with the principle of accountability, the data controller is required to retain all available data relating to the data subject who lodged the complaint for the entire duration of the investigation, even if that data is not directly related to the scope of the complaint investigated by the supervisory authority, and that such storage is compatible with:

the principle of data minimisation laid down in Article 5(1)(c) GDPR; and
the principle of storage limitation laid down in Article 5(1)(e) GDPR?

Question 5
Must Article 5(1)(a) and Articles 12(1) and (4) of the GDPR be interpreted as meaning that, where a data subject submits an unspecified request for erasure pursuant to Article 17 GDPR, without stating the grounds for erasure:

the controller may refuse to erase the data; and
the controller is not required to inform the data subject that it has assessed, on its own initiative, whether at least one of the grounds for erasure referred to in Article 17(1) GDPR exists?

Further, in the event of a refusal to erase personal data based on such a request, must the principle of transparency laid down in Article 5(1)(a) and Article 12(1) GDPR, read in conjunction with Article 12(4), be interpreted as requiring the controller to provide the data subject with information on all the reasons for which the personal data will continue to be processed, including:

the purposes of the remaining processing operations,
the categories of data,
the processing operations, and
the lawful basis?

Question 6
Must Article 5(1)(a), Article 6(1)(f), Article 13(1)(d), Article 14(3)(a) and Article 14(5) of the GDPR be interpreted as meaning that the controller’s obligation to provide information concerning the processing of personal data carried out in relation to shadow banning is fulfilled, and complies with the principle of transparency, where:

the controller states in its privacy policy that banning will occur where platform rules are breached, without specifying the possible types of banning, including shadow banning;
the controller states that the personal data (including the reason for banning, its duration and profile data) will be processed on the basis of legitimate interest; and
the data subject is not individually informed of the processing relating to shadow banning either at the beginning of that processing or during it, but only after the shadow banning period (not exceeding 30 days) has ended and full banning has been applied?

If the answer is in the negative, must Article 14(5)(b) GDPR be interpreted as meaning that the controller may rely on the exception from the obligation to provide information laid down in that provision where the processing is carried out for the purposes of shadow banning?
Question 7
Must Article 5(1)(a) and Article 6(1)(f) of the GDPR be interpreted as meaning that the actions of a controller who processes a user’s personal data for the purpose of shadow banning without informing the data subject, but with the aim of protecting the platform, its users and members, may nevertheless be regarded as lawful under the GDPR?