Summary & Key Facts
In one of the most significant GDPR enforcement decisions ever issued, the Irish Data Protection Commission (DPC) fined TikTok Technology Limited €530,000,000 on 2 May 2025 for illegally transferring the personal data of European Economic Area (EEA) users to China. The decision also found that TikTok had provided inaccurate evidence during the inquiry — compounding the severity of the violation.
This is the second-largest GDPR fine ever issued, surpassed only by Meta’s €1.2 billion fine in 2023. TikTok is currently appealing the decision before the High Court of Ireland; the Court stayed the DPC’s order on 14 November 2025, meaning the compliance order is temporarily paused while the appeal proceeds.
Key facts at a glance:
- Organisation fined: TikTok Technology Limited
- Regulator: Irish Data Protection Commission (DPC)
- Fine amount: €530,000,000
- Date of decision: 2 May 2025
- Violation: GDPR Chapter V — failure to ensure EEA user data was protected to an equivalent standard when accessed by staff in China
- Additional finding: TikTok provided inaccurate evidence — data was found to be stored on servers in China, contrary to representations made during the inquiry
- Compliance order: TikTok ordered to bring processing into compliance within 6 months
- Litigation status: TikTok is appealing to the High Court of Ireland; a stay was granted on 14 November 2025 — the appeal is ongoing
For the full DPC decision, see: DPC: Irish Data Protection Commission fines TikTok €530 million
Supervisory Authority’s Findings
The DPC’s inquiry examined whether TikTok’s transfers of EEA personal data to China — specifically access by TikTok’s Chinese parent company ByteDance and its staff — complied with Chapter V of the EU GDPR, which governs international transfers of personal data to third countries.
Transfer mechanism failures: TikTok failed to demonstrate that EEA user data received an equivalent level of protection in China as it would under EU GDPR. China is not a country for which the European Commission has issued an adequacy decision, meaning TikTok was required to rely on an alternative transfer mechanism (such as Standard Contractual Clauses, or SCCs) — and to supplement those mechanisms with a genuine assessment of the protections available in China.
Inaccurate evidence: Particularly seriously, the DPC found that TikTok had made inaccurate representations during the inquiry about the storage of user data. Data that TikTok had represented as not being stored in China was, in fact, stored on servers located in China. This finding of inaccurate evidence is a significant aggravating factor in the enforcement action.
Compliance order: The DPC ordered TikTok to bring its processing into compliance within six months of the decision. However, as noted above, this order is currently stayed pending TikTok’s appeal before the High Court of Ireland.
For EDPB commentary, see: EDPB press release on the TikTok decision
EU GDPR Articles Violated
The DPC’s decision engaged primarily the international transfer provisions of EU GDPR:
| Article | Description |
|---|---|
| EU GDPR Article 44 | General principle for transfers — personal data may only be transferred to a third country if the conditions of Chapter V are met |
| EU GDPR Article 46 | Transfers subject to appropriate safeguards — TikTok failed to demonstrate that its SCCs or other mechanisms provided equivalent protection in China |
| EU GDPR Article 5(1)(f) | Integrity and confidentiality — failure to ensure appropriate security of data transferred internationally |
| EU GDPR Article 5(2) | Accountability principle — TikTok was unable to demonstrate compliance with the above obligations |
The case also raises questions about Article 13/14 transparency obligations — specifically whether users were adequately informed that their data could be accessed by staff outside the EEA.
For EU GDPR text, see: EUR-Lex: Regulation (EU) 2016/679 — GDPR
For enforcement context, see: GDPR Enforcement Tracker
Cross-Border & One-Stop-Shop Implications
TikTok’s EU operations are headquartered in Ireland, making the Irish DPC its lead supervisory authority under the EU GDPR’s one-stop-shop (OSS) mechanism. Under OSS, a multinational company with EU operations is primarily regulated by the DPA in the country where its EU headquarters is located — in TikTok’s case, Ireland.
The one-stop-shop mechanism means that the DPC’s decision, once final, would apply across all EU member states. Other national DPAs were involved in the process as “concerned supervisory authorities” under Article 60 of the EU GDPR, which requires the lead DPA to cooperate with its counterparts. The EDPB had previously issued a binding decision in the related TikTok inquiry on children’s data (2023), and the EDPB was engaged in the oversight process for this decision as well.
For organisations operating across multiple EU member states, this case is a reminder that the OSS mechanism does not reduce liability — it concentrates regulatory oversight at the lead authority, whose decisions bind across the EU.
EU GDPR vs UK GDPR: What UK Organisations Should Note
This EU DPC decision does not directly apply to UK organisations. Following Brexit, the UK operates under its own data protection regime — the UK GDPR, supplemented by the Data Protection Act 2018 — overseen by the ICO, not the DPC or any EU supervisory authority.
However, this case carries significant indirect relevance for UK organisations:
- International transfer expectations: The EU GDPR’s Chapter V transfer standards are closely mirrored in the UK GDPR’s international transfer framework (UK GDPR Chapter V). The regulatory expectations around third-country transfers — including the need to supplement SCCs with a genuine Transfer Risk Assessment — are substantively similar under both regimes. The TikTok case signals how seriously regulators view inadequate transfer safeguards.
- UK-EU data flows: UK organisations that receive personal data from EU/EEA entities must ensure they comply with the transfer mechanisms used by the sending organisation. The TikTok case highlights the scrutiny being applied to data flows between democratic countries and jurisdictions (like China) without adequacy status.
- ICO enforcement signals: While the ICO has not yet issued a comparable fine for international transfer failures of this scale under the UK GDPR, the TikTok case — and the EU’s increasingly assertive stance on Chapter V — is likely to inform ICO expectations and enforcement priorities.
- Reputational and contractual risk: UK organisations with Chinese operations, supply chains, or service providers accessing UK personal data should review their transfer mechanisms and consider whether a Transfer Risk Assessment adequately addresses the risks.
Key Lessons & Compliance Actions
For all organisations transferring personal data to third countries (EU and UK):
- Do not rely on SCCs alone. Standard Contractual Clauses must be supplemented with a Transfer Impact Assessment (EU) or Transfer Risk Assessment (UK) that genuinely evaluates the legal and practical protections available in the destination country.
- Audit your data flows. Know where your data goes — including data accessed remotely by staff or service providers in non-adequate third countries.
- Verify your representations to regulators. The finding that TikTok provided inaccurate evidence is a stark reminder: regulators have investigative powers and will scrutinise the accuracy of submissions. Inaccurate evidence is a serious aggravating factor.
- Act on compliance orders promptly. The six-month window in the DPC’s compliance order reflects the gravity of the violation. Organisations that receive compliance orders should treat them as urgent board-level priorities.
For HR teams:
- Review contracts with international HR and payroll providers to ensure that transfers of employee data to non-adequate countries are covered by appropriate transfer mechanisms.
- Ensure data protection training covers international transfer obligations, including for staff who access employee data globally.
For senior leadership:
- Elevate international data transfer risk to board-level visibility. Ensure your DPO or data protection lead has assessed all significant third-country data flows.
- Consider commissioning a Transfer Impact Assessment for any transfers to China, Russia, or other jurisdictions without adequacy status under the EU or UK GDPR.
For marketing:
- Review advertising and analytics platforms that may transfer European user data to third countries (including US platforms that sub-process to non-adequate jurisdictions).
- Verify that consent mechanisms adequately disclose international transfer destinations to users.
Related EU Guidance
- EDPB Recommendations 01/2020 on supplementary measures for international transfers
- European Commission Standard Contractual Clauses (2021)
- DPC guidance on international transfers
- Euronews: TikTok fined €530m for unsecure data transfers to China
- GDPR Enforcement Tracker — TikTok cases
Strengthen Your Team’s Knowledge
Are your international data transfers fully compliant? Our GDPR International Transfers Training Module covers SCCs, Transfer Risk Assessments, and how to document your third-country transfer decisions. For broader GDPR compliance, explore our GDPR Foundation Course for Corporate Professionals.
