TikTok must bring its processing into compliance within six months or risk further restrictions. Of the total fine, €45 million was for transparency violations and €485 million for unlawful transfers.
The Irish Data Protection Commission (DPC) has fined TikTok €530 million for breaching the EU’s General Data Protection Regulation (GDPR), citing unlawful transfers of EEA user data to China and failure to meet transparency standards.
In its May 2, 2025 decision, the DPC found that TikTok violated Article 46(1) GDPR by transferring EEA user data to China without verifying that Chinese law offered “a level of protection essentially equivalent” to that of the EU. Although TikTok argued the transfers were not subject to Chinese laws, the DPC concluded otherwise, citing diverging Chinese legislation such as the National Intelligence Law and Cybersecurity Law.
TikTok also breached Article 13(1)(f) GDPR by failing to name China among data transfer destinations or clarify processing methods in its 2021 privacy policy. The DPC noted that TikTok corrected this in its December 2022 policy.
TikTok must bring its processing into compliance within six months or risk further restrictions. Of the total fine, €45 million was for transparency violations and €485 million for unlawful transfers.