On 2 May 2025, the Irish Data Protection Commission (DPC) issued its final decision in relation to the investigation of international transfers made by TikTok. The DPC has fined TikTok EUR 530 million and issued an order requiring the company to bring its processing into line within 6 months.
The majority of the fine relates to the transfers, with the DPC finding that TikTok had “failed to verify, guarantee and demonstrate that the supplementary measures and the Standard Contractual Clauses (“SCCs”) were effective to ensure that the personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU.”
In relation to transparency, the DPC stated that the version of the privacy notice at the relevant time did not name the third countries, including China, to which personal data was transferred and failed to specify that the processing included remote access to personal data stored in Singapore and the United States by personnel based in China. The privacy notice has since been brought into compliance.
If you would like assistance with preparing or reviewing transfer risk assessments, please get in touch with your usual contact or email hello@hellodpo.com
You can find the DPC’s press release on the decision here.
