
Irish Data Protection Commission: Fine of EUR 530 million against TikTok / Bytedance for transferring users' personal data to China

The Irish Data Protection Commission (IDPC) has imposed a fine of EUR 530 million on TikTok / Bytedance for transferring users' personal data to China.

The IDPC's press release:
Irish Data Protection Commission fines TikTok €530 million and orders corrective measures following Inquiry into transfers of EEA User Data to China

The Irish Data Protection Commission has today announced its final decision following an Inquiry into TikTok Technology Limited (“TikTok”). This Inquiry was launched by the DPC, in its role as the Lead Supervisory Authority for TikTok, to examine the lawfulness of TikTok’s transfers of personal data [1] of users of the TikTok platform in the EEA to the People’s Republic of China (“China”). In addition, the Inquiry examined whether the provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the GDPR.

The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Mr Dale Sunderland, and has been notified to TikTok, finds that TikTok infringed the GDPR regarding its transfers of EEA User Data to China [2] and its transparency requirements [3]. The decision includes administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance within 6 months. The decision also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.

DPC Deputy Commissioner Graham Doyle commented:

“The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries.

TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.

As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”

The DPC submitted a draft decision to the GDPR cooperation mechanism on 21 February 2025, as required under Article 60 of the GDPR. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.

Erroneous information submitted to Inquiry
Throughout the Inquiry, TikTok informed the DPC that it did not store EEA User Data on servers located in China. However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025 where limited EEA User Data had in fact been stored on servers in China, contrary to TikTok’s evidence to the Inquiry. TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the Inquiry.

Deputy Commissioner Doyle added that

“The DPC is taking these recent developments regarding the storage of EEA User Data on servers in China very seriously. Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities.”

The DPC will publish the full decision and further related information in due course.



[1] The Law on Data Transfers outside the EU
The GDPR provides a high level of protection of personal data throughout the EEA and provides data protection rights to individuals. When personal data is transferred outside of the EEA this can impede the ability of individuals to exercise rights and can circumvent that high level of protection. Therefore, it is crucial that the level of protection ensured by the GDPR should not be undermined in the case of such transfers. Accordingly, transfers of personal data can take place only if the conditions laid down in Chapter V of the GDPR are complied with. This ensures that the high level of protection provided within the European Union continues where personal data is transferred to a third country.

Article 45(1) GDPR provides that a transfer of personal data to a third country may be authorised by a decision of the European Commission to the effect that the third country, a territory or one or more specified sectors within that third country, ensures an adequate level of protection (“Adequacy Decision”).

To date, the European Commission has made Adequacy Decisions in respect of Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, USA and Uruguay.

Under the GDPR where an organisation (“Data Controller”) intends to transfer personal data outside the EU/EEA to a third country and where no Adequacy Decision exists between the EU and that third country, such transfers can only occur if other applicable provisions of the GDPR (Chapter V) are met such as Standard Contractual Clauses. These provisions place the responsibility on the organisation to verify, guarantee and demonstrate that the law and practices of that country guarantee a level of protection essentially equivalent to that guaranteed within the EU.



[2] The DPC’s Findings regarding the lawfulness of the Transfers
In this Inquiry TikTok Ireland was required to assess if Chinese law guaranteed an essentially equivalent level of protection to EU law. The Decision finds that TikTok’s transfers to China infringed Article 46(1) GDPR because it failed to verify, guarantee and demonstrate that the supplementary measures and the Standard Contractual Clauses (“SCCs”) were effective to ensure that the personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU. While TikTok maintains that transfers via remote access are not subject to the laws and practices in question, TikTok’s own assessment of Chinese law provided to the DPC during the Inquiry set out how aspects of the Chinese legal framework preclude a finding of essential equivalence to EU law. The DPC had regard to this assessment and to the Chinese laws identified by TikTok which materially diverge from EU standards such as the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law. In particular, the DPC found that TikTok’s failure to adequately assess the level of protection provided by Chinese law and practices to the personal data of EEA users the subject of transfers, which said personal data is processed in China, not only directly impacted TikTok’s ability to select appropriate safeguards and supplementary measures, but also prevented TikTok from verifying and guaranteeing an essentially equivalent level of protection.

In exercising corrective powers, the DPC also considered ongoing changes brought about by TikTok under “Project Clover”. Notwithstanding these changes, the DPC found that it is appropriate, necessary and proportionate to order the suspension of the Data Transfers and to order TikTok to bring its processing operations into compliance with Chapter V of the GDPR following a period of 6 months from the period allowed for an appeal against the DPC’s final Decision. The DPC considers 6 months to be a reasonable period to provide TikTok to put an end to the transfers in the circumstances.



[3] The DPC’s Findings regarding Transparency
Article 13(1)(f) GDPR requires data controllers to provide data subjects with information on that controller’s transfers of personal data to a third country. The DPC considered TikTok’s October 2021 EEA Privacy Policy and found that this policy was inadequate in two key respects for the purposes of Article 13(1)(f) GDPR.

First, TikTok’s 2021 Privacy Policy did not name the third countries, including China, to which personal data was transferred. Second, the 2021 Privacy Policy did not explain the nature of the processing operations that constitute the transfer. Specifically, the 2021 Privacy Policy failed to specify that the processing included remote access to personal data stored in Singapore and the United States by personnel based in China.

TikTok updated its Privacy Policy during the course of the Inquiry and provided its December 2022 EEA Privacy Policy to the DPC. That Privacy Policy did identify the third countries to which EEA user data was transferred. That Privacy Policy also informed EEA Users that personal data was stored on servers in the United States and Singapore, and was the subject of remote access by entities in TikTok’s corporate group located in Brazil, China, Malaysia, Philippines, Singapore, and the United States.

The DPC assessed TikTok’s December 2022 EEA Privacy Policy as compliant with the requirements of Article 13(1)(f) GDPR in terms of the Data Transfers subject to the material scope of the Decision. Therefore, the duration of the infringement of Article 13(1)(f) GDPR in the Decision relates to the period from 29 July 2020 to 1 December 2022.

The DPC imposes administrative fines totalling €530 million in this Decision, consisting of a fine of €45 million for its infringement of Article 13(1)(f) GDPR, and a fine of €485 million for its infringement of Article 46(1) GDPR.



Irish Data Protection Commission: Fine of EUR 251 million against Meta for data protection infringements in connection with a Facebook data breach

The Irish Data Protection Commission has imposed a fine of EUR 251 million on Meta for data protection infringements in connection with a Facebook data breach.

The Irish Data Protection Commission's press release:
Irish Data Protection Commission fines Meta €251 Million

The Irish Data Protection Commission (DPC) has today announced its final decisions following two inquiries into Meta Platforms Ireland Limited (‘MPIL’). These own-volition inquiries were launched by the DPC following a personal data breach, which was reported by MPIL in September 2018.

This data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included: user’s full name; email address; phone number; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children’s personal data. The breach arose from the exploitation by unauthorised third parties of user tokens[1] on the Facebook platform. The breach was remedied by MPIL and its US parent company shortly after its discovery.

The decisions, which were made by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, included a number of reprimands and an order to pay administrative fines totalling €251 million.

The DPC submitted a draft decision to the GDPR cooperation mechanism in Sept 2024, as required under Article 60 of the GDPR[2]. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.

The DPC’s final decisions record the following findings of infringement of the GDPR:

Decision 1
Article 33(3) GDPR - By not including in its breach notification all the information required by that provision that it could and should have included. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €8 million.
Article 33(5) GDPR - By failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €3 million.
Decision 2
Article 25(1) GDPR - By failing to ensure that data protection principles were protected in the design of processing systems. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €130 million.
Article 25(2) - By failing in their obligations as controllers to ensure that, by default, only personal data that are necessary for specific purposes are processed. The DPC found that MPIL had infringed these provisions, reprimanded MPIL, and ordered it to pay administrative fines of €110 million.

DPC Deputy Commissioner Graham Doyle commented:

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals. Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

The DPC will publish the full decision and further related information in due course.


Irish Data Protection Commission: Fine of EUR 310 million against LinkedIn - GDPR infringements through analysis of user behaviour and targeted advertising

The Irish Data Protection Commission has imposed a fine of EUR 310 million on LinkedIn for GDPR infringements in connection with the analysis of user behaviour and targeted advertising.

The Irish Data Protection Commission's press release:
Irish Data Protection Commission fines LinkedIn Ireland €310 million

The Irish Data Protection Commission (DPC) has today announced its final decision following an inquiry into LinkedIn Ireland Unlimited Company (LinkedIn). This inquiry was launched by the DPC, in its role as the lead supervisory authority for LinkedIn, following a complaint initially made to the French Data Protection Authority.

The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioural analysis[1] and targeted advertising[2] of users who have created LinkedIn profiles (members). The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, and notified to LinkedIn on 22 October 2024, concerns the lawfulness, fairness and transparency of this processing. The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million.

The DPC submitted a draft decision to the GDPR cooperation mechanism in July 2024, as required under Article 60 of the GDPR[3]. No objections to the DPC’s draft decision were raised. The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.

The DPC’s final decision records the following findings of infringement of the GDPR:

Article 6 GDPR and Article 5(1)(a) GDPR, insofar as it requires the processing of personal data to be lawful, as LinkedIn:
Did not validly rely on Article 6(1)(a) GDPR (consent) to process third party data of its members for the purpose of behavioural analysis and targeted advertising on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous.
Did not validly rely on Article 6(1)(f) GDPR (legitimate interests) for its processing of first party personal data of its members for behavioural analysis and targeted advertising, or third party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects.
Did not validly rely on Article 6(1)(b) GDPR (contractual necessity) to process first party data of its members for the purpose of behavioural analysis and targeted advertising.
Articles 13(1)(c) and 14(1)(c) GDPR, in respect of the information LinkedIn provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) GDPR as lawful bases.
Article 5(1)(a) GDPR, the principle of fairness.

DPC Deputy Commissioner Graham Doyle commented:

“The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject's fundamental right to data protection.”

The DPC will publish the full decision and further related information in due course.

Summary of LinkedIn Decision Infographic

Further information
This decision relates to a complaint-based inquiry, which was commenced on 20 August 2018, following a complaint made by the French non-profit organisation, La Quadrature Du Net. The complaint was initially made to the French Data Protection Authority and thereafter provided to the DPC in its role as the lead supervisory authority for LinkedIn, which acts as the controller for the processing of personal data at issue.

This inquiry examined the lawfulness, fairness and transparency of the processing of the personal data of users of the LinkedIn platform for the purposes of behavioural analysis and targeted advertising. The personal data in question encompassed data provided directly to LinkedIn by its members (first-party data) and data obtained via its third-party partners relating to its members (third-party data).

The GDPR requires processing of personal data to be based on one of the legal bases outlined in Article 6(1) GDPR, such as consent, contractual necessity or legitimate interests. Depending on the lawful basis selected by controllers, certain conditions must be met. For example, any consent obtained must meet the standard required by the GDPR of being a freely given, specific, informed, and an unambiguous indication of the data subject’s wishes.

The GDPR also requires that processing is carried out in a fair manner. Fairness is an overarching principle, which requires that personal data may not be processed in a way that is detrimental, discriminatory, unexpected or misleading to the data subject. An absence of fairness can result in a loss of autonomy of data subjects over their personal data, put them in a position where they may be unable to exercise other GDPR rights, and impact their fundamental rights to privacy and personal data protection.

Transparency is another crucial aspect of data protection, and gives data subjects control over the processing of their personal data. Compliance with transparency provisions by controllers ensures that data subjects are fully informed of the scope and consequences of the processing of their personal data in advance and in a position to exercise their rights.

The DPC’s final decision exercised the following corrective powers:

a reprimand pursuant to Article 58(2)(b) GDPR;
three administrative fines totalling €310 million pursuant to Articles 58(2)(i) and 83 GDPR; and
an order to LinkedIn to bring its processing into compliance with the GDPR pursuant to Article 58(2)(d).




Irish Data Protection Commission: Fine of EUR 345 million against TikTok for various infringements of the GDPR

The Irish Data Protection Commission has imposed a fine of EUR 345 million on TikTok for various infringements of the GDPR.

The Irish Data Protection Commission's press release:
Irish Data Protection Commission announces €345 million fine of TikTok

The Data Protection Commission (DPC) adopted its final decision regarding its inquiry into TikTok Technology Limited (TTL) on 1 September 2023.

This own-volition inquiry sought to examine the extent to which, during the period between 31 July 2020 and 31 December 2020 (the Relevant Period), TTL complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform in the context of:

Certain TikTok platform settings, including public-by-default settings as well as the settings associated with the ‘Family Pairing’ feature; and
Age verification as part of the registration process.

As part of the inquiry, the DPC also examined certain of TTL’s transparency obligations, including the extent of information provided to child users in relation to default settings.

At the conclusion of its investigation, the DPC submitted a draft decision to all Supervisory Authorities Concerned (CSAs), for the purpose of Article 60(3) GDPR, on 13 September 2022. The DPC’s draft decision proposed findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1) and 13(1)(e) GDPR, in relation to the above processing. While there was broad consensus on the DPC’s proposed findings, objections to the draft decision were raised by the Supervisory Authorities (each an SA, collectively SAs) of Italy and Berlin (acting on behalf of itself and the Baden-Württemberg SA).

The objection raised by the Berlin SA sought the inclusion of an additional finding of infringement of the Article 5(1)(a) GDPR principle of fairness as regards ‘dark patterns’ while the objection raised by the Italian SA sought to reverse the DPC’s proposed finding of compliance with Article 25 GDPR, as regards TTL’s approach to age verification during the Relevant Period. The DPC was unable to reach consensus with the CSAs on the subject-matter of the objections and, in the circumstances, decided to refer the objections to the EDPB for determination pursuant to the Article 65 GDPR dispute resolution mechanism.

The European Data Protection Board adopted its binding decision on the subject matter of the objections on 2 August 2023 with a direction that the DPC must amend its draft decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness, further to the objection raised by the Berlin SA, and to extend the scope of the existing order to bring processing into compliance, to include reference to the remedial work required to address this new finding of infringement.

The DPC’s decision, which was adopted on 1 September 2023, records findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) GDPR. The decision further exercises the following corrective powers:

A reprimand;
An order requiring TTL to bring its processing into compliance by taking the action specified within a period of three months from the date on which the DPC’s decision is notified to TTL; and
Administrative fines totalling €345 million.

For more information, the EDPB has published the Article 65 decision and the final decision on its website.


The full decision can be found here: