The Irish Data Protection Commission (DPC) found that TikTok’s data practices violated the GDPR. The DPC decision followed the examination of whether the transfer of personal data from users in the European Economic Area (EEA) to China were in compliance with the GDPR and whether TikTok met its transparency obligations. 

In particular, it found that TikTok failed to ensure that EEA user data transferred to China was protected to the same level as required within the EU. Furthermore, the DPC found that TikTok fell short of its transparency requirements by not providing users with sufficient or adequate information regarding the transfer of their data to China. 

As a result, TikTok was issued a substantial fine of €530 million and ordered to bring its data processing practices into compliance within six months. If the company fails to do so, the DPC has mandated a suspension of data transfers to China.