Close this search box.
AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Harbor cooperation between DPO, Legal Services, IT and Marketing
Turn data subject request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Guide your partners trough vendor management process workflow
Identifying the risk from the point of view of Data Subject
Quickly respond, mitigate damage and maintain compliance
Consolidate your data and prioritize your relationship with customers
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

TikTok fined €345m for violation of GDPR

TikTok GDPR fine

TikTok faces a hefty €345 million fine for violating the General Data Protection Regulation (GDPR), particularly in its handling of children’s accounts, where it failed to adequately protect underage users’ data from public visibility.

DPC’s Inquiry: Examining TikTok’s Practices

The Irish Data Protection Commission (DPC) wrapped up its investigation into TikTok Technology Limited in September 2023 and examined how TikTok processed children’s data between July 31 and December 31 2020.

This inquiry, which the DPC initiated on its own, aimed to check if TikTok followed the rules outlined in the GDPR while handling personal data of young users of the TikTok platform. Specifically, it looked into:

  1. Platform Settings: Including those that made user data public by default and settings linked to the ‘Family Pairing’ feature.
  2. Age Verification: The age verification process during registration.
  3. Communication with Child Users: How well did TikTok communicate regarding default settings and privacy with child users.

Identified GDPR Violations

The investigation uncovered several GDPR violations committed by TikTok, including setting child users’ accounts to public mode by default, failing to provide clear information to young users, permitting adults using the “family pairing” feature to enable direct messaging for those over 16, and not adequately considering the risks faced by under-13s placed in a public setting on the platform.

DPC’s Preliminary Decision and CSA Objections

Following the investigation, the DPC sent a preliminary decision to all Supervisory Authorities Concerned (CSAs). In this draft decision, the DPC suggested that TikTok violated several GDPR articles, including principles related to the processing of personal data, the responsibility of the controller, transparency and data protection by design and by default.

While most CSAs agreed with these findings, the authorities in Italy and Berlin, acting on behalf of Berlin and Baden-Württemberg, raised objections.

Berlin’s objection centered on the need to add another violation related to the GDPR principle of fairness in dealing with ‘dark patterns.’ Meanwhile, the Italian authority contested the DPC’s conclusion that TikTok complied with Article 25 of the GDPR concerning age verification during the relevant period.

Since there was no consensus among the CSAs regarding these objections, the DPC decided to refer the matter to the European Data Protection Board (EDPB) for resolution under the Article 65 GDPR dispute resolution mechanism.

EDPB’s Binding Decision

On August 2, 2023, the European Data Protection Board issued a binding decision addressing the design practices implemented by TikTok in the context of two pop-up notifications shown to children aged 13-17: the Registration Pop-Up and the Video Posting Pop-Up.

The analysis found that both pop-ups failed to present options to the user in an objective and neutral way.

It directed the DPC to revise its draft decision to include an additional violation related to the GDPR’s fairness principle, as suggested by the Berlin authority. Considering the newly identified violation, the decision also expanded the requirements to bring TikTok’s data processing practices into compliance.

Anu Talus, EDPB Chair, said: “Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests. Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design.

DPC’s Final Decision

The DPC’s final decision, dated September 1, 2023, confirms multiple GDPR violations, including those related to data processing, transparency, and fairness. To address these issues, the DPC issued the following measures:

  1. A reprimand to TikTok.
  2. An order instructing TikTok to rectify its data processing practices within three months from the date of notification of the DPC’s decision.
  3. Imposition of administrative fine totaling €345 million

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top