The DPC fined TikTok after concluding that the company violated the General Data Protection Regulation (GDPR) in two key ways: by unlawfully transferring personal data of European Economic Area (EEA) users to China, and by failing to adequately inform users about these transfers.
The inquiry found that TikTok did not ensure the transferred data received protection equivalent to EU standards, as required under Article 46(1) GDPR. The company also failed to mention China as a destination in its 2021 privacy policy, breaching Article 13(1)(f) GDPR.
Although TikTok later updated its privacy policy and launched “Project Clover” to strengthen data protection, the DPC held that the company’s actions were insufficient. The decision mandates TikTok to bring its processing operations into full compliance within six months or face a suspension of all data transfers to China.
Compounding the issue, TikTok admitted in April 2025 that some EEA user data had indeed been stored on servers in China—contradicting earlier assurances to the DPC. While TikTok claims this data has now been deleted, the DPC is considering further regulatory measures in light of the misleading information.