TikTok's Ex officio investigation by Dutch DPA

€750,000 in fines


TikTok was fined by the Dutch DPA for violating GDPR Article 12(1) by providing its privacy policy solely in English to Dutch users, many of whom are children under the age of 16.

Our analysis

The Dutch Data Protection Authority conducted an investigation into TikTok Inc's processing of personal data. TikTok, a California-based company, operates a mobile app that allows users to create, edit, and share short videos. A large number of Dutch children under the age of 16 use the app. During the AP's investigation, it was found that between May 25, 2018, and July 28, 2020, TikTok only provided its Privacy Policy to Dutch users, including children, in English. This was the case both during the registration process and when users wanted to access the policy while logged in. From July 29, 2020, TikTok began providing its Privacy Policy to Dutch users in Dutch. Additionally, the company provides a separate document designed for Dutch-speaking children.
The AP determined that TikTok violated Article 12(1) of the GDPR between May 25, 2018, and July 28, 2020, by only providing its Privacy Policy in English to Dutch children. This article requires that data controllers take appropriate measures to provide information about the processing of personal data in a concise, transparent, and easily accessible form, using clear and plain language. This is particularly important for information aimed at children. According to the WP29's Guidelines on Transparency, TikTok must understand its target audience and ensure that the information it provides is understandable to them. The company must be aware that a significant portion of its user base consists of children under the age of 16.
The AP emphasized that the requirement of intelligibility means that the controller must provide a translation of the information into the language spoken by the data subjects. This is particularly important when addressing young children to ensure that they can easily understand the information. It is irrelevant that some Dutch children may have a good command of English, as it cannot be assumed that all children in that age group will have the same level of proficiency in the language. TikTok violated the GDPR by failing to provide its Privacy Policy in Dutch to Dutch children during the relevant period amounting to language discontinuity.


TikTok was fined €750,000 by the Dutch Data Protection Authority (AP) for violating Article 12(1) GDPR. The AP can impose a fine of up to €20 million or 4% of the total worldwide annual turnover for such infringements. The infringement was classified as category III with a penalty range of €300,000 to €750,000, with the AP increasing the basic amount of the fine by €225,000 to the maximum of the penalty range due to the gravity and duration of the breach. The breach affected a large number of data subjects, including approximately 830,000 Dutch children under the age of 18 who were less aware of the risks and their rights in relation to the processing of their personal data.


TikTok Inc. and Dutch DPA

Case number

Press release/22 July 2021

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us