TikTok – when GDPR comes knocking…

Nowadays, it’s almost natural that when we get stuck on something, we turn to TikTok for guidance. However, according to a recent official decision, TikTok itself now serves as a lesson – in data protection matters. The case provides a number of lessons, namely the importance of

– recognising that remote access triggers GDPR international data transfer rules;

– conducting specific, country-level assessments and designing targeted safeguards;

– meeting the strict transparency obligations.

On 2 May 2025, the Irish Data Protection Commission (DPC) announced its decision closing the TikTok case, finding that TikTok had violated the GDPR on several points: first, by transferring the personal data of users residing in the EEA to China; and second, by failing to comply with transparency requirements, as it did not clearly indicate China as a destination for data transfers in its privacy notices from 2021 onwards. The DPC imposed a fine of €530 million on TikTok and issued a suspension order prohibiting the transfer of personal data from the European Union to China. Furthermore, the decision requires TikTok to bring its data processing practices into compliance with the legal requirements within six months.

The case centred on the fact that TikTok’s Chinese employees had remote access to user data stored in the EU, even though the data had not been physically transferred to China. The authority clarified that remote access to personal data from a third country constitutes an international data transfer within the meaning of the GDPR, regardless of whether the data physically leaves the EEA.

The Irish Data Protection Authority’s decision will set an important precedent for the application of the GDPR, as it sets clear expectations for strict compliance with international data transfer rules. The GDPR ensures a high level of protection and data protection rights for data subjects within the EEA with regard to their personal data. Accordingly, personal data may only be transferred if the conditions set out in Chapter V of the GDPR are met. Pursuant to Article 46, in the absence of an adequacy decision concerning the destination country, the parties transferring the data must apply appropriate safeguards, typically standard contractual clauses (SCCs) or, for transfers to third countries within a corporate group, binding corporate rules (BCRs), in order to ensure a level of protection equivalent to that provided in the EU. It is important to note that, under these provisions, it is the responsibility of the organisation acting as data controller to verify and guarantee that the laws and practices of the third country in question provide a level of protection essentially equivalent to that provided by the regulations applicable in the EU. In light of the above, the data controller must carry out a country-specific assessment, which must also cover the practical impact of the third country’s legal system on the transferred data.

However, the DPC found that the additional safeguards applied by TikTok, such as contractual and organisational measures, were not sufficient to mitigate the risks of government access arising from the Chinese legal system. In other words, the safeguards applied by TikTok appeared adequate on paper but were insufficient in practice. Targeted safeguards are therefore necessary: the technical, contractual and organisational safeguards relating to data processing and data transfer must specifically address the identified risks. General, theoretical measures will not meet the requirements of the authorities.

Another key lesson, albeit not a new one, for organisations transferring personal data outside the EU is the need to comply with strict transparency requirements, including providing data subjects with adequate, comprehensive and clear information.

Source:

https://www.dataprotection.ie/en/news-media/latest-news/irish-data-protection-commission-fines-tiktok-eu530-million-and-orders-corrective-measures-following


#gdpr #datatransfer #datasecurity