Decisions


Filters

[Reset]

Inquiry into TikTok Technology Limited

On 30 April 2025, the Irish Data Protection Commission (the ‘DPC’) adopted a final decision in an own-volition statutory inquiry, concerning TikTok Technology Limited’s (‘TikTok’) transfers of EEA User Data to China. The inquiry was carried out in accordance with the Data Protection Act 2018 and Article 60 of the EU General Data Protection Regulation (GDPR). The DPC was competent to act as lead supervisory authority for the processing at issue, pursuant to Article 56 GDPR. Prior to its adoption, the DPC submitted a draft of its decision to the Concerned Supervisory Authorities in February 2025, as required under Article 60(3) of the GDPR. The Concerned Supervisory Authorities did not raise any objections (for the purpose of Article 60(4) GDPR) to the draft decision.

Background to the Inquiry Process

The transfers of personal data considered in the Decision consisted of TikTok’s transfers of EEA User Data to China by way of remote access to that personal data by personnel of the ByteDance group of companies in China. The Decision considered whether those transfers complied with Chapter V of the GDPR. The Decision also considered whether TikTok’s provision of information to users in relation to such transfers met TikTok’s transparency requirements as required by the GDPR.

Summary of Findings

The decision concluded that:

  • The DPC found that TikTok infringed Article 46(1) GDPR during the temporal scope of the Inquiry by carrying out the Data Transfers while failing to verify, guarantee and demonstrate that the personal data of EEA users subject to the Data Transfers was afforded a level of protection essentially equivalent to that guaranteed within the European Union.
  • The DPC found that TikTok infringed Article 13(1)(f) GDPR from 29 July 2020 to 1 December 2022 by failing to provide data subjects with required information on the Data Transfers and information on how the processing concerned remote access to personal data stored in Singapore and the United States by personnel based in China.

Corrective Measures

Having considered the infringements of the GDPR as set out above, the DPC decided to exercise the following corrective powers, in accordance with Article 58(2) GDPR:

  • An order pursuant to Article 58(2)(j) GDPR requiring TikTok Ireland to suspend the Data Transfers.
  • An order pursuant to Article 58(2)(d) GDPR requiring TikTok Ireland to bring the processing into compliance. This requires TikTok to ensure that any EEA User Data located in China, as a result of the Remote Access Solution, when the order takes effect must cease being processed in China immediately at that point in time.
  • Two administrative fines pursuant to Article 58(2)(i) GDPR as follows:

In respect of TikTok’s infringement of Article 46(1) GDPR, a fine of €485 million.

In respect of TikTok’s infringement of Article 13(1)(f) GDPR, a fine of €45 million.

Inquiry into Tusla Child and Family Agency - August 2020

This inquiry was commenced in respect of 71 personal data breaches notified by Tusla to the DPC. The decision considered a broad range of Tusla’s processing operations and the findings included:

  • Five distinct findings of infringements of Article 32(1) of the GDPR in respect of Tusla’s obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its various processing operations.

  • A finding that Tusla infringed Article 32(4) of the GDPR by failing to take steps to ensure that any natural person acting under their authority does not process personal data except on instructions from Tusla.

  • A finding that Tusla infringed Article 5(1)(d) of the GDPR on four occasions by failing to ensure that the personal data that it processed was accurate and, where necessary, kept up to date.

  • A finding that Tusla infringed Article 33(1) of the GDPR on 8 occasions by failing to notify the personal data breaches without undue delay.

The corrective powers exercised:

  • The decision imposed two distinct administrative fines on Tusla for its infringements of Article 32(1) and Article 33(1) in circumstances where some of the processing operations under consideration were not “the same or linked processing operations” within the meaning of Article 83(3) of the GDPR. The fines were €50,000 and €35,000 respectively.

  • The decision ordered Tusla to bring its processing operations identified in the decision into compliance with Article 32(1) of the GDPR by implementing appropriate organisational measures to ensure a level of security appropriate to the risks.

  • The decision issued a reprimand to Tusla regarding its infringements of Articles 5(1)(d), 32(1), 32(4), and 33(1) of the GDPR.

Inquiry into a Consultancy Provider

This inquiry was commenced in respect of a personal data breach that the Personal Injuries Assessment Board (‘PIAB’) reported to the Data Protection Commission on 10 December 2019. PIAB is an independent statutory body that deals with personal injury claims. The personal data breach occurred when a Consultancy Provider sent an unencrypted USB storage device, containing personal data to PIAB, despite PIAB expressly stating the data was not to be sent. The Inquiry considered whether the Consultancy Provider had complied with its obligation to implement an appropriate level of security under Article 32 GDPR.

  • The decision found that the Consultancy Provider had infringed Article 32(1) GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data.

The corrective powers exercised:

  • The decision issued the Consultancy Provider with a reprimand in respect of the infringement.

Inquiry into Virtue Integrated Elder Care Ltd (VIEC)

The inquiry was commenced after VIEC notified a personal data breach to the DPC on 19 August 2020. VIEC operates and manages five nursing homes on the Southside of Dublin and in County Louth. The data breach notification concerned an unknown actor who gained access to a VIEC manager email account by way of a phishing attack and set up mail forwarding rules to an external account. As a result of this, the personal data of residents, including special category data such as health and biometric data, was accessed by the unknown actor.

The decision considered whether VIEC had complied with Articles 5(1)(f) and 32(1) GDPR and, in particular, whether VIEC had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations.

The decision found that VIEC had infringed its obligations under Articles 5(1) and 32(1) GDPR. The processing by VIEC of personal and special category data on its email system prior to the phishing attack, without adequate security measures, placed such data at risk of being unlawfully accessed.

Corrective Powers Exercised:

  • The decision issued VIEC with a reprimand in respect of the infringements.
  • The decision ordered VIEC to bring its processing into compliance with Articles 5(1)(f) and 32(1) of the GDPR.
  • The decision imposed an administrative fine on VIEC in the amount of €100,000 in respect of the infringement of Article 5(1)(f) GDPR.

Inquiry into Kerry County Council

This inquiry is one of a number of own-volition inquiries into a broad range of issues pertaining to surveillance technologies deployed by State authorities. The findings made in the decision include:

  • A finding that the Litter Pollution Act 1997, the Waste Management Act 1996, and the Local Government Act 2001 do not provide a lawful basis for Kerry County Council’s use of CCTV to detect litter offences. The DPC comprehensively considered these Acts and found that they do not regulate this processing of personal data as is required by the Law Enforcement Directive, as transposed by the Data Protection Act 2018. Furthermore, the decision found that the Acts do not meet the standards of clarity, precision, and foreseeability in respect of such processing as required by the case-law of the Court of Justice and the European Court of Human Rights.
  • The other findings in the decision include infringements relating to appropriate signage and general transparency, the lack of written rules or guidelines governing staff access to the CCTV, the use of smartphones or other recording devices in the CCTV monitoring room, the practice of sharing login details for accessing CCTV footage, auditing the audit trails of CCTV footage, and the requirement for Data Protection Impact Assessments, amongst others.

The corrective powers exercised:

  • A temporary ban on the processing of personal data through the CCTV cameras at the five locations used for detecting and taking enforcement action against those engaged in littering and the CCTV cameras at Amenity Walk.
  • An order to Kerry County Council to bring its processing of personal data into compliance by taking certain actions specified in the decision.
  • A reprimand in respect of Kerry County Council’s infringements.

Inquiry into Allianz plc

This decision arose from an own-volition inquiry commenced by the DPC pursuant to section 110 of the Data Protection Act 2018 to consider whether Allianz had complied with the GDPR in relation to its processing operations.

The inquiry was initiated after Allianz had notified 49 personal data breaches to the DPC between 25 June 2020 and 31 December 2020. In total, approximately 60 data subjects were affected by the personal data breaches.

The decision considered whether Allianz had complied with Article 32(1) GDPR and, in particular, whether Allianz had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations.

The decision found that Allianz had complied with its obligations under Article 32(1) GDPR. It was held that Allianz had implemented policies that were specifically tailored to the risks associated with the processing. Allianz also provided repeated training to the sectors of the business that were most susceptible to personal data breaches of this kind. Allianz also took proactive measures to counter the increasing risk profile of some business units by implementing additional security measures after some personal data breaches occurred. These measures included an External Email Warning Tool and increased spot checks in the post room.

Accordingly, no corrective powers were exercised in this decision.

Inquiry into Centric Health Ltd. (“Centric”) - February 2023

The DPC commenced the Inquiry following a ransomware attack affecting patient data held on Centric’s patient administration system, which was notified to the DPC on 5 December 2019. As a result of this, 70,000 data subjects were affected by unauthorised access to, unauthorised alteration of, and loss of availability of their personal and special category data. Of these, 2,500 patients were permanently affected as their data was deleted with no backup available.

The decision considered whether Centric had complied with Articles 5(1)(f), 5(2) and 32(1) GDPR and, in particular, whether Centric had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations.

The decision found that Centric had infringed its obligations under Articles 5(1), 5(2) and 32(1) GDPR and that the processing by Centric within its Patient Administration System failed to ensure that the personal data was processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The corrective powers exercised:

  • The decision issued Centric with a reprimand in respect of the infringements.
  • The decision imposed an administrative fine on Centric in the amount of €275,000 in respect of the infringement of Article 5(1)(f) GDPR.
  • The decision imposed an administrative fine on Centric in the amount of €50,000 in respect of the infringement of Article 5(2) GDPR.
  • The decision imposed an administrative fine on Centric in the amount of €135,000 in respect of the infringement of Article 32(1) GDPR.