TikTok must pay a fine of 530 million euros - for data transfers to China

The Irish data protection authority DPC has imposed a fine of 530 million euros on the video platform TikTok.
The Irish Data Protection Commission (DPC) has imposed a fine of 530 million euros on the video platform TikTok for data protection violations. TikTok had forwarded European users' data to China and violated transparency requirements, the DPC explained in a statement on May 2.

Background to the proceedings against TikTok

In its role as lead supervisory authority for TikTok, the DPC acted in accordance with the one-stop-shop procedure pursuant to Art. 56 GDPR. The subject of the investigation was, on the one hand, the legality of data transfers to third countries in accordance with Chapter V GDPR, in particular to countries without an adequacy decision by the EU Commission.

Secondly, the authority examined whether TikTok had properly complied with its transparency obligation pursuant to Art. 13 para. 1 lit. f GDPR.

Unlawful data transfers to China

According to the DPC's findings, TikTok violated Art. 46 (1) GDPR in particular. The company was unable to sufficiently ensure that personal data of EEA users enjoyed a level of protection "essentially equivalent" to that of the GDPR when accessed by Chinese employees.

Particularly critical: TikTok's own assessment of Chinese law had itself identified significant departures from European data protection standards, for example through China's Anti-Terrorism Law, Counter-Espionage Law and National Intelligence Law.

Although TikTok relied on Standard Contractual Clauses (SCCs), the DPC found that no effective supplementary measures were in place to prevent or control access to the data by Chinese state authorities. The supplementary technical, organisational and legal measures required following the CJEU's "Schrems II" judgment had been neither sufficiently documented nor implemented. This concerned, among other things, the encryption of sensitive data during remote access and the absence of transparent access logs.

This deficiency led the DPC to object to TikTok's entire transfer practice. The DPC pointed out that TikTok's own assessment of Chinese law did not support "essential equivalence" with the GDPR, so the selection of safeguards, and any claim about their effectiveness, lacked a sound basis.

In the proceedings, TikTok referred to the ongoing infrastructure program "Project Clover", which provides for local data storage within the EU (particularly in Ireland and Norway) as well as independent control mechanisms. The DPC recognized this project as a positive step. However, it made the continuation of data transfers to China dependent on the full implementation of GDPR-compliant protection mechanisms.

Lack of transparency towards users

A key element of the DPC decision concerns TikTok's failure to give users in the European Economic Area clear and complete information about the cross-border processing of their personal data. Under Art. 13 para. 1 lit. f GDPR, controllers must inform data subjects transparently about whether, and to which third countries, their data will be transferred, and on what basis the transfer takes place (an adequacy decision or appropriate safeguards).

TikTok's privacy policy of October 2021 fell short of these requirements in key respects: the specific third countries involved, China in particular, were not explicitly named, nor were the circumstances of the transfers disclosed. In particular, it was not made clear that the transfers included remote access by TikTok staff in China to data held on servers in Singapore and the USA. This lack of transparency prevented users from exercising their data protection rights with full knowledge of the facts.

In the course of the proceedings, TikTok revised its privacy policy and submitted a new version dated December 2022 to the DPC. In the opinion of the authority, this new version met the requirements of Art. 13 para. 1 lit. f GDPR, as it not only named the third countries by name, but also explained the type of access and the server locations in more detail. The infringement found by the DPC thus related to the period from July 29, 2020 to December 1, 2022, during which TikTok did not sufficiently comply with its transparency obligations.

Incorrect information during the proceedings

A particularly serious aspect of the decision concerns the inaccurate information TikTok gave the DPC while the proceedings were ongoing. During the investigation, TikTok had repeatedly assured the DPC that no personal data of EEA users was stored on servers in China. These assurances formed an essential basis for the DPC's assessment of the data flows.

However, in April 2025 TikTok informed the DPC that it had discovered in February 2025 that, contrary to its previous assurances, a limited amount of EEA user data had been stored on servers in China. TikTok attributed this to an internal error and a misunderstanding in its internal data classification. The affected data has since been deleted.

The DPC has taken this subsequent disclosure very seriously. The decision emphasizes that the provision of incorrect or misleading information in the context of supervisory procedures is a serious obstacle to effective control. Such misinformation can not only undermine the trust of the authority, but also significantly distort the data protection risk assessment.

The authority therefore announced a separate procedure to examine whether TikTok's behavior with regard to the late notification of data storage justifies further supervisory measures. Should intentional or grossly negligent conduct be established, this could lead to further sanctions.

Fine in the millions against TikTok

The DPC imposed a fine totaling 530 million euros:

  • 485 million euros for breach of Art. 46 para. 1 GDPR (unlawful data transfer),
  • 45 million euros for breach of Art. 13 para. 1 lit. f GDPR (lack of transparency).


TikTok was also ordered to bring its processing operations into compliance with the GDPR within six months of the expiry of the appeal period. If it fails to do so, its data transfers to China are to be suspended.

Evaluation of the proceedings against TikTok

The DPC's decision has far-reaching significance beyond TikTok. It underlines the strict standards for international data transfers from the EU - especially to countries without an adequacy decision. Companies are obliged to carry out in-depth legal assessments and take technical and organizational measures to guarantee an equivalent level of data protection.

In addition, the importance of transparent information for users is once again emphasised. Privacy policies must be clear, complete and comprehensible, especially where processing crosses borders.

Last but not least, the decision shows that incomplete or misleading disclosures to the supervisory authorities can have significant consequences. The DPC is already considering further regulatory action against TikTok for the delayed disclosure of the storage of EEA data in China.

Source: Notice from the Irish Data Protection Commission on the fine against TikTok
