TikTok fined €530m over data transfers to China

TikTok has been fined €530 million by Ireland’s Data Protection Commission (DPC) following an investigation into transfers of EU users’ personal data to China.
The DPC, in its role as the lead supervisory authority for TikTok, launched the inquiry to examine the lawfulness under the GDPR of TikTok’s transfers of EEA-based users’ personal data to China.
The inquiry also examined whether the information provided to users about such transfers met TikTok’s transparency obligations under the GDPR.
A decision made by data protection commissioners Dr Des Hogan and Dale Sunderland and notified to TikTok yesterday found that TikTok infringed the GDPR in both respects.
The decision includes administrative fines totalling €530 million and an order requiring TikTok to bring its processing into compliance within six months.
It also includes an order suspending TikTok’s transfers to China if processing is not brought into compliance within this timeframe.
DPC deputy commissioner Graham Doyle said: “The GDPR requires that the high level of protection provided within the European Union continues where personal data is transferred to other countries.
“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”
The DPC submitted a draft decision to the GDPR cooperation mechanism on 21 February 2025, as required under Article 60 of the GDPR. No objections to the DPC’s draft decision were raised.
TikTok could also face further regulatory action over providing inaccurate information to the inquiry.
Throughout the inquiry, TikTok informed the DPC that it did not store EEA users’ data on servers located in China.
However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025 where limited EEA user data had in fact been stored on servers in China, contrary to TikTok’s evidence to the inquiry.
TikTok informed the DPC that this discovery meant that TikTok had provided inaccurate information to the inquiry.
Mr Doyle said: “The DPC is taking these recent developments regarding the storage of EEA user data on servers in China very seriously.
“Whilst TikTok has informed the DPC that the data has now been deleted, we are considering what further regulatory action may be warranted, in consultation with our peer EU data protection authorities.”
The DPC has said it will publish the full decision and further related information “in due course”.