What the TikTok €530M DPC Fine Means for Your Dublin Business's Data Strategy

On 2 May 2025, Ireland's Data Protection Commission handed down the largest GDPR fine of the year: €530 million against TikTok Technology Limited for unlawfully transferring the personal data of European users to China and failing to be transparent with those users about it.

The fine made global headlines. But for Dublin businesses, it carries a significance beyond the headline number. Ireland is the European headquarters of TikTok, Meta, LinkedIn, Google, Apple, and dozens of other major technology companies. The DPC — operating from Dublin — is the lead supervisory authority for most of the world's largest data processors under the GDPR's one-stop-shop mechanism. That makes Ireland the epicentre of GDPR enforcement in Europe. And that matters for every Irish business that handles personal data.

This article explains what actually happened in the TikTok case, what legal violations the DPC found, and — most importantly — what the practical lessons are for Dublin-based businesses that are nowhere near TikTok's scale but are subject to the same legal framework.

What Happened: The TikTok Decision in Plain Terms

The DPC's inquiry into TikTok began in September 2021 and focused on two specific issues: whether TikTok's transfers of European user data to China were lawful under GDPR, and whether TikTok had been sufficiently transparent with its users about those transfers.

After nearly four years of investigation, the DPC's conclusion was clear on both counts. The fine breaks down as follows:

The Data Transfer Violation — €485 Million

Under GDPR Article 46(1), personal data can only be transferred outside the European Economic Area if the receiving country provides a level of data protection essentially equivalent to that guaranteed within the EU. China has no such adequacy decision from the European Commission. Transfers to China, therefore, require additional safeguards — most commonly Standard Contractual Clauses (SCCs) combined with a Transfer Impact Assessment (TIA) that verifies the receiving country's legal framework provides equivalent protection in practice.


TikTok had SCCs in place. What it did not do adequately was verify that those SCCs were actually effective, given the reality of Chinese law. The DPC found that Chinese legislation — specifically the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law, and the National Intelligence Law — contains provisions that materially diverge from EU standards and could compel TikTok to provide Chinese authorities with access to European user data. TikTok's own legal assessment of Chinese law, provided to the DPC during the inquiry, identified these divergences. Yet TikTok proceeded with transfers without demonstrating that supplementary measures adequately addressed them.


Critical finding — The DPC found that TikTok failed to verify, guarantee, and demonstrate that EEA user data accessed remotely by staff in China was afforded protection essentially equivalent to EU law — even though TikTok's own lawyers identified the legal risks.


A further and significant aggravating factor emerged during the inquiry. TikTok had consistently told the DPC throughout the investigation that it did not store EEA user data on servers in China. In April 2025 — shortly before the final decision was issued — TikTok disclosed that it had discovered in February 2025 that limited EEA user data had in fact been stored on servers in China, directly contradicting its earlier evidence. The DPC stated it was considering what further regulatory action this disclosure might warrant.

The Transparency Violation — €45 Million

The second violation is more straightforward but equally instructive. GDPR Article 13(1)(f) requires data controllers to tell users, in their privacy policy, which specific third countries their data may be transferred to and what processing those transfers involve. TikTok's privacy policy during the period under investigation — July 2020 to December 2022 — did not name China as a destination for user data. It used vague language about transfers outside the EEA without identifying the specific country.


The lesson for your business — Saying 'your data may be transferred outside the EU' in your privacy policy is not sufficient under GDPR. You must name the specific countries and describe the nature of the processing involved.

Why Dublin Businesses Need to Take This Seriously

The TikTok fine is not an isolated event. It is the most recent in a sustained pattern of GDPR enforcement centred on Dublin that has produced the largest privacy fines in the world.

  • €3.5 billion in total GDPR fines issued by the Irish DPC since May 2018 — more than four times the output of the second-ranked EU regulator, Luxembourg.
  • €1.2 billion fine against Meta in 2023 — still the largest single GDPR fine ever issued globally — also from the DPC.
  • €310 million fine against LinkedIn in 2024 for using personal data for behavioural advertising without a lawful basis.
  • €251 million fine against Meta in 2024 for a data breach affecting 29 million Facebook users worldwide.
  • €530 million against TikTok in 2025 — the largest fine of that year — for unlawful data transfers and transparency failures.

The DPC enforced more than half of all European GDPR fines in 2024. It is not a passive regulator. And critically, its enforcement is expanding beyond the multinational technology sector. In 2024, the DPC also pursued enforcement actions against Irish public authorities, financial services companies, and energy providers. The direction of travel is clear: Irish entities of all sizes and sectors are within the DPC's enforcement scope.


There is also a developing trend across European regulators of pursuing personal liability for directors and management in cases of significant or repeated GDPR failures. The Dutch Data Protection Authority's investigation into whether it can hold the directors of Clearview AI personally liable — following a €30.5 million fine — signals where enforcement is heading. For Irish business owners and directors, this is not an abstract risk.

Five Lessons Every Dublin Business Should Take From the TikTok Decision

  1. SCCs Are Not a Checkbox — They Require Evidence

    The most important technical lesson from the TikTok case is that Standard Contractual Clauses are a legal mechanism, not a compliance solution in themselves. The DPC found that TikTok had SCCs in place and still violated GDPR. The problem was the absence of a credible Transfer Impact Assessment demonstrating that those SCCs were effective given the legal environment of the receiving country.

    If your business transfers any personal data to a country outside the EEA — to a SaaS platform headquartered in the US, a marketing tool hosted in India, a cloud storage provider with data centres in multiple countries — you need to understand the legal basis for that transfer and have evidence that it is adequate. SCCs alone are not sufficient if the receiving country's law undermines them.

    Practical action — Audit every third-party tool or platform your business uses that receives or processes personal data. For each one, identify where the data is physically processed and stored. Check whether the vendor has provided a Transfer Impact Assessment or equivalent documentation. If they have not, ask for it.

  2. Your Privacy Policy Must Name Countries, Not Just Regions

    The €45 million transparency fine was issued specifically because TikTok's privacy policy did not name China as a transfer destination. This is a concrete, testable requirement that applies to every data controller — including small and medium Irish businesses.

    Review your privacy policy today with this question in mind: if your website uses Google Analytics, your CRM is hosted by a US provider, or your email marketing platform is based outside the EU, does your privacy policy specifically name the countries involved and describe what processing takes place there? If it uses generic language like 'we may transfer your data internationally' without specifics, it is not compliant.

  3. Remote Access Counts as a Transfer

    One of TikTok's defences was that its Chinese staff accessed EEA user data remotely rather than storing it in China, and that remote access did not constitute a transfer subject to GDPR's Chapter V restrictions. The DPC rejected this argument entirely. If staff in a non-EEA country can access personal data — regardless of where the servers are physically located — that access constitutes a cross-border transfer subject to GDPR requirements.

    For Irish SMEs, this has immediate practical implications. If you use any software-as-a-service product where the vendor's support or development team, based outside the EEA, could access your customers' data for troubleshooting or maintenance purposes, that access is a transfer. Your contracts and data processing agreements need to address it.

  4. Inaccurate Information to Regulators Is a Serious Aggravating Factor

    The revelation that TikTok had provided incorrect information to the DPC throughout the inquiry — repeatedly stating that EEA data was not stored in China when it was — is likely to result in additional enforcement action beyond the €530 million already imposed. The DPC made clear that it considers this disclosure very seriously.

    For any Irish business that finds itself the subject of a DPC inquiry or complaint — however small — the lesson is unambiguous: engage transparently, provide accurate information, and if you discover that information you previously provided was incorrect, disclose it promptly and proactively. Attempting to manage a regulatory investigation through incomplete disclosure is an approach that dramatically increases both financial and reputational risk.

  5. Data Minimisation Is Your Best Compliance Strategy

    The most effective way to reduce your GDPR exposure is to collect less data, retain it for shorter periods, and share it with fewer third parties. Every data point you collect is a potential liability. Every third-party integration that receives personal data is a potential transfer requiring legal justification. Every additional data processor you work with is a potential link in the chain of accountability.

    For most Dublin SMEs, a data minimisation audit — identifying what personal data the business collects, why it collects it, where it goes, how long it is kept, and whether all of it is genuinely necessary — is the highest-value GDPR compliance exercise available. It directly reduces risk, simplifies your compliance documentation, and strengthens your legal basis for the data processing you do retain.

What This Means for Your Website and Digital Infrastructure

For Dublin businesses working with a digital agency on their website or web application, the TikTok decision has practical implications for how digital infrastructure is designed and documented.

Third-Party Scripts and Data Flows

A typical business website in 2026 loads scripts from dozens of third parties: analytics platforms, advertising pixels, chat widgets, CRM integrations, payment processors, social media plugins. Each of these scripts may transfer personal data — including IP addresses, browsing behaviour, and form submissions — to the third party's servers, which may be located outside the EEA. Each transfer requires a legal basis and documentation.

A data flow map — documenting every third-party script on your website, what data it collects, where it sends that data, and on what legal basis — is not optional under GDPR. It is a core accountability requirement. Most Irish businesses do not have one. Most of those that do have one have not updated it recently.


Consent Management and the ePrivacy Regulations

The DPC actively enforces Ireland's ePrivacy Regulations alongside GDPR — and in 2024 alone concluded 146 investigations and prosecuted eight companies under these regulations. The ePrivacy Regulations govern the use of cookies and tracking technologies, and require that non-essential tracking cookies are only placed with the user's prior, informed, freely given consent.

A consent management platform that presents a genuine choice — where declining tracking is as easy as accepting it, where consent preferences are actually respected, and where third-party scripts are genuinely blocked until consent is given — is a legal requirement, not an optional nicety. The DPC has consistently found that consent banners designed to nudge users toward acceptance, or that load tracking scripts before consent is recorded, violate both the ePrivacy Regulations and GDPR.

Cloud and SaaS Infrastructure

If your website or application uses cloud infrastructure — AWS, Azure, Google Cloud, or any SaaS platform — you need to know where your customer data is being processed and stored. For EU-based customers, data processed in US data centres is subject to US law, including legislation that may allow US government access to that data. This is directly analogous to the TikTok situation, albeit at a different scale.

Many cloud providers offer EU-specific data residency options — data regions, sovereign cloud products, or contractual guarantees that data will not leave the EEA. For Irish businesses handling sensitive personal data, these options are worth evaluating. For businesses building new digital infrastructure in 2026, selecting EU-hosted providers from the outset is significantly simpler than migrating existing infrastructure later.

A Practical GDPR Audit Checklist for Dublin Businesses

The following is a prioritised list of actions every Dublin business should complete in light of the TikTok decision and the broader trajectory of DPC enforcement:

  • Review your privacy policy for country-specific transfer disclosures. Name every country to which personal data is transferred. Remove vague language about international transfers and replace it with specific named destinations.
  • Audit all third-party data processors. List every SaaS tool, plugin, or platform that receives personal data from your business. Confirm you have a valid Data Processing Agreement with each. Confirm the legal basis for any transfers outside the EEA.
  • Conduct Transfer Impact Assessments for non-EEA transfers. For each transfer to a non-adequate country, document why you believe the legal safeguards in place are effective. Do not rely on SCCs alone without assessing the receiving country's legal environment.
  • Audit your consent management platform. Test whether your cookie banner actually blocks third-party scripts before consent is given. Test whether declining consent is as straightforward as accepting it. If not, your implementation is likely non-compliant.
  • Map your data flows. Document what personal data you collect, why, where it goes, how long you keep it, and who has access to it. Update this document whenever your digital infrastructure changes.
  • Review staff access to personal data. If any staff based outside the EEA — whether employees, contractors, or third-party support staff — can access personal data, that access is a transfer requiring legal justification.
  • Appoint or identify your data protection contact. Most Irish SMEs below the threshold for a mandatory Data Protection Officer should still designate someone internally responsible for GDPR compliance and ensure that person has up-to-date knowledge of DPC guidance.
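The data flow map described under "Third-Party Scripts and Data Flows", and the "Audit your consent management platform" and "Map your data flows" items in the checklist above, can both be started from a static inventory of what a page actually loads. The script below is an added example and is not part of the original article or of any vendor's tooling: it parses an HTML page, lists every external host the browser would contact (scripts, iframes, images, stylesheets and preconnect hints), separates first-party from third-party hosts, looks each third-party host up in a vendor-to-country table, and flags third-party scripts that are not consent-gated, i.e. that would execute before any consent choice is recorded. The sample page, the vendor hosts (all under the reserved `.example` domain) and the vendor-to-country table are constructed placeholders; the EEA country list is the real one.

```python
"""Static third-party resource inventory for a GDPR data-flow map (added
example, not from the original article; the sample page and vendor table are
constructed placeholders and every host is fictional)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}
# Hypothetical vendor host -> country where that vendor processes the data.
# Placeholder values; fill a real table from each vendor's DPA and TIA.
VENDOR_COUNTRIES = {
    "tags.analytics-vendor.example": "US",
    "cdn.chat-vendor.example": "IN",
    "js.payments-vendor.example": "US",
    "static.eu-cdn.example": "IE",
}
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}
LINK_RELS = {"stylesheet", "preconnect", "dns-prefetch", "preload"}  # rels that fetch
# Consent platforms commonly ship scripts with a non-JavaScript type; the browser
# ignores them until the platform rewrites the type once consent is recorded.
CONSENT_GATED_TYPES = {"text/plain", "text/template"}

class ResourceCollector(HTMLParser):
    """Collects (tag, url, consent_gated) for every element that fetches a URL."""
    def __init__(self):
        super().__init__()
        self.resources = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None or not a.get(attr):
            return  # inline scripts and URL-less elements fetch nothing
        if tag == "link" and not set(a.get("rel", "").lower().split()) & LINK_RELS:
            return  # canonical, icon and similar links are not data flows
        gated = tag == "script" and a.get("type", "").lower() in CONSENT_GATED_TYPES
        self.resources.append((tag, a[attr], gated))

def resource_host(url, page_host):
    """Host the URL resolves to; None for data:/blob:/javascript: URLs."""
    parsed = urlparse(url)
    if parsed.scheme in {"data", "blob", "javascript"}:
        return None
    return (parsed.netloc or page_host).lower()  # relative URL -> page host

def inventory(html, page_url):
    """One row per fetched resource with host, country and transfer status."""
    page_host = urlparse(page_url).netloc.lower()
    site = page_host[4:] if page_host.startswith("www.") else page_host
    collector = ResourceCollector()
    collector.feed(html)
    rows = []
    for tag, url, gated in collector.resources:
        host = resource_host(url, page_host)
        if host is None:
            continue
        first_party = host == site or host.endswith("." + site)
        country = None if first_party else VENDOR_COUNTRIES.get(host)
        # unknown: vendor not documented yet; non-EEA: Chapter V transfer that
        # needs SCCs plus a Transfer Impact Assessment.
        status = ("first-party" if first_party else "unknown" if country is None
                  else "EEA" if country in EEA_COUNTRIES else "non-EEA")
        rows.append({"tag": tag, "url": url, "host": host, "country": country,
                     "status": status,
                     # a third-party script that is not gated runs before consent
                     "ungated_script": tag == "script" and not first_party and not gated})
    return rows

def audit(html, page_url):
    """Summarise the inventory into the lists a data-flow map needs."""
    rows = inventory(html, page_url)
    by_status = lambda s: sorted({r["host"] for r in rows if r["status"] == s})
    return {
        "third_party_hosts": sorted({r["host"] for r in rows if r["status"] != "first-party"}),
        "non_eea_hosts": by_status("non-EEA"),
        "unknown_hosts": by_status("unknown"),
        "ungated_third_party_scripts": [r["url"] for r in rows if r["ungated_script"]],
    }

SAMPLE_PAGE_URL = "https://www.dublin-shop.example/"  # constructed sample page
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://www.dublin-shop.example/">
<link rel="stylesheet" href="/static/site.css">
<link rel="preconnect" href="https://tags.analytics-vendor.example">
<script src="https://tags.analytics-vendor.example/tag.js"></script>
<script type="text/plain" src="https://cdn.chat-vendor.example/widget.js"></script>
<script src="//js.payments-vendor.example/v3.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="https://static.eu-cdn.example/hero.jpg" alt="">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<iframe src="https://video.embed-vendor.example/player?id=1"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, SAMPLE_PAGE_URL))
```

On the sample page the audit reports five third-party hosts, three of them in non-EEA countries, one vendor with no documented country, and two third-party scripts (the analytics tag and the payments script) that would load before consent; the chat widget is not flagged because its `type="text/plain"` keeps it inert until the consent platform activates it. A static pass like this is only the first step: it cannot see scripts that a tag manager injects at runtime, so it should be paired with a browser's network log recorded after declining consent, and a flagged script still needs either consent gating or a documented strictly-necessary justification in the data flow map.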

The Bigger Picture: GDPR Is Infrastructure, Not Paperwork

The TikTok fine will be appealed. TikTok has already challenged it in the Irish High Court, obtaining a temporary stay on the requirement to suspend data transfers to China. The legal process will continue for years. But the underlying regulatory direction is not in dispute.

The DPC is the most active GDPR enforcer in Europe. It has issued more than €4 billion in fines since 2018. It is expanding enforcement beyond big tech into financial services, energy, and public bodies. It is watching how AI tools process personal data. And European regulators are increasingly interested in holding individual directors personally accountable for systemic compliance failures.

For Dublin businesses, GDPR compliance is not a once-a-year legal exercise. It is a continuous operational discipline that needs to be embedded into how you design your website, select your software tools, manage your customer relationships, and structure your digital infrastructure. The businesses that understand this in 2026 will be significantly better positioned than those that treat GDPR as a problem to be dealt with only when something goes wrong.


This article is for informational purposes and does not constitute legal advice. Irish businesses with specific data protection concerns should consult a qualified data protection solicitor.
