Background information
- Date of final decision: 2 May 2025
- Cross-border
- LSA: Ireland
- CSAs: all SAs
- Controller: TikTok Technology Limited
- Legal Reference (s): Article 13 (Information to be provided where personal data are collected from the data subject), Article 46 (Transfers by way of appropriate safeguards)
- Decision: Administrative fine, Compliance order
- Key words: Administrative fine, Social media, Transparency
Summary of the Decision
Origin of the case
The Irish Supervisory Authority (SA) announced its final decision following an Inquiry into TikTok Technology Limited (“TikTok”). The Inquiry was launched by the Irish SA, in its role as the Lead Supervisory Authority for TikTok, to examine the lawfulness of TikTok’s transfers of personal data of users of the TikTok platform in the EEA to the People’s Republic of China (“China”). In addition, the Inquiry examined whether the provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the GDPR.
Key Findings
The Irish SA found that that TikTok’s transfers to China infringed Article 46(1) GDPR because it failed to verify, guarantee and demonstrate that the supplementary measures and the Standard Contractual Clauses (“SCCs”) were effective to ensure that the personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU.
Article 13(1)(f) GDPR requires data controllers to provide data subjects with information on that controller’s transfers of personal data to a third country. The Irish SA considered TikTok’s October 2021 EEA Privacy Policy and found that this policy was inadequate in two key respects for the purposes of Article 13(1)(f) GDPR.
Decision
The Irish SA imposed administrative fines totalling €530 million in this Decision, consisting of a fine of €45 million for its infringement of Article 13(1)(f) GDPR, and a fine of €485 million for its infringement of Article 46(1) GDPR.
The Irish SA ordered the suspension of the Data Transfers and to for TikTok to bring its processing operations into compliance with Chapter V of the GDPR following a period of 6 months from the period allowed for an appeal against the Irish SA’s final Decision. The Irish SA considers 6 months as being a reasonable period to provide TikTok to put an end to the transfers in the circumstances.
Further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.