On 30 April 2025, the Irish Data Protection Commission (the ‘DPC’) adopted a final decision in an own-volition statutory inquiry, concerning TikTok Technology Limited’s (‘TikTok’) transfers of EEA User Data to China. The inquiry was carried out in accordance with the Data Protection Act 2018 and Article 60 of the EU General Data Protection Regulation (GDPR). The DPC was competent to act as lead supervisory authority for the processing at issue, pursuant to Article 56 GDPR. Prior to its adoption, the DPC submitted a draft of its decision to the Concerned Supervisory Authorities in February 2025, as required under Article 60(3) of the GDPR. The Concerned Supervisory Authorities did not raise any objections (for the purpose of Article 60(4) GDPR) to the draft decision.

Background to the Inquiry Process

The transfers of personal data considered in the Decision consisted of TikTok’s transfers of EEA User Data to China by way of remote access to that personal data by personnel of the ByteDance group of companies in China. The Decision considered whether those transfers complied with Chapter V of the GDPR. The Decision also considered whether TikTok’s provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the GDPR.

Summary of Findings

The decision concluded that:

• The DPC found that TikTok infringed Article 46(1) GDPR during the temporal scope of the Inquiry by carrying out the Data Transfers while failing to verify, guarantee and demonstrate that that the personal data of EEA users subject to the Data Transfers was afforded a level of protection essentially equivalent to that guaranteed within the European Union.
• The DPC found that TikTok infringed Article 13(1)(f) GDPR from 29 July 2020 to 1 December 2022 by failing to provide data subjects with required information on the Data Transfers and information on how the processing concerned remote access to personal data stored in Singapore and the United States by personnel based in China.

Corrective Measures

Having considered the infringements of the GDPR as set out above, the DPC decided to exercise the following corrective powers, in accordance with Article 58(2) GDPR:

• An order pursuant to Article 58(2)(j) GDPR requiring TikTok Ireland to suspend the Data Transfers.
• An order pursuant to Article 58(2)(d) GDPR requiring TikTok Ireland to bring the processing into compliance. This requires TikTok to ensure that any EEA User Data located in China, as a result of the Remote Access Solution, when the order takes effect must cease being processed in China immediately at that point in time.
• Two administrative fines pursuant to Article 58(2)(i) GDPR as follows:

In respect of TikTok’s infringement of Article 46(1) GDPR, a fine of €485million.

In respect of TikTok’s infringement of Article 13(1)(f) GDPR, a fine of €45million.

For more information, you can download:

• A complete summary of the decision at this link: Summary of inquiry into TikTok Technology Limited 30 April 2025
• The full decision at this link: Full decision into TikTok Technology Limited 30 April 2025