Day-of-drop · Data Protection Commission · 30 April 2025
DPC TikTok decision: EEA-to-China transfers, what this means for Irish SMEs using US or non-EU vendors
For any Irish SME running vendors whose privacy policy lists a non-EEA sub-processor, whether US cloud, China engineering, or anywhere with no Article 45 adequacy decision, this decision moves from background risk to active homework. The DPC has now confirmed that Standard Contractual Clauses without a documented Transfer Impact Assessment are not a defence, that engineer access from a third country counts as a transfer, and that retention longer than your stated policy is itself a Chapter V breach. The practical homework for Irish SMEs: pull each vendor's sub-processor list this week, flag any China, US, or other non-EEA engineering touch, and ask the vendor in writing whether a current Transfer Impact Assessment exists. No TIA on file is now an audit finding.
The Irish reality of this drop
The Data Protection Commission adopted the decision on 30 April 2025 under Article 60 of the General Data Protection Regulation (Regulation (EU) 2016/679), with the DPC acting as lead supervisory authority. The inquiry was conducted under the Data Protection Act 2018 (as amended). The total administrative fine was €485 million, plus a six-month suspension order on further transfers if breaches are not remedied.
The legal core is Chapter V GDPR (Articles 44 to 50) on transfers of personal data outside the EEA. The DPC found that TikTok relied on Standard Contractual Clauses for transfers to China but did not put in place supplementary measures sufficient to bring the level of protection up to the EU baseline, did not adequately assess Chinese law under the test in Schrems II (Case C-311/18), and was not transparent about the scale of transfers, including engineering access from China to EEA data. The DPC also found a Chapter V breach in TikTok's prior statements to the DPC about the geographic location of EEA user data.
For Irish SMEs this is not about TikTok specifically. The decision sets the operational template that every Irish controller, using any non-EEA vendor or sub-processor, now has to meet. A Transfer Impact Assessment is no longer a "nice to have" for high-risk transfers: it is the artefact the DPC will ask to see. The category exposure runs across CRM, customer support, email marketing, AI tools, and any SaaS where engineering or support sits in the United States, India, or anywhere with no European Commission adequacy decision under Article 45 GDPR.
Compliance Matrix rows updated
Structured delta the matrix re-imports on next refresh.
| Vendor / Category | Field | Was | Now |
|---|---|---|---|
| ai-tools-ireland | gdpr_chapter_v_tia_required | recommended | required (DPC TikTok 2025-04-30 precedent) |
| crm-software-ireland | gdpr_subprocessor_disclosure | optional | required for non-EEA sub-processors |
| email-marketing-software-ireland | gdpr_engineer_access_geo | not_tracked | tracked (DPC counts third-country engineer access as a transfer) |
| customer-support-software-ireland | gdpr_chapter_v_tia_required | recommended | required (DPC TikTok 2025-04-30 precedent) |
Vendor profiles queued for re-verification
These vendor profiles get a re-verification ping from this drop. The weekly verify cron will re-pull each in the next run.
Reviewed 14 May 2026 · Next review due 14 August 2026 · 3-month cycle