Over the past several years, data protection authorities across Europe have significantly intensified GDPR enforcement. Major global companies—from social media platforms to AI developers and credit bureaus—have faced substantial investigations, regulatory orders, and unprecedented financial penalties.
This article presents a concise yet comprehensive overview of three notable GDPR enforcement cases involving TikTok (Ireland, 2025), OpenAI (Italy, 2024), and Experian Netherlands (2025). Each case highlights recurring themes in GDPR violations: lack of transparency, unlawful data processing, insufficient safeguards for international transfers, and inadequate protection of minors and consumers.
1. TikTok (Ireland) — May 2025
Violation: Unlawful International Data Transfers
The Irish Data Protection Commission (DPC) conducted a detailed investigation into TikTok after discovering that engineers and staff in China were granted remote access to personal data belonging to users in the EU/EEA.
TikTok failed to demonstrate that these transfers ensured a level of protection “essentially equivalent” to that required by EU law. Additionally, the platform’s privacy policy lacked adequate disclosure regarding:
- The fact that data was being accessed internationally
- The safeguards intended to protect EU users’ data
- The legal basis for such international transfers
These gaps represented clear transparency and compliance failures under the GDPR.
Ruling
The DPC concluded that TikTok had violated GDPR rules concerning:
- Transfers of personal data to third countries without adequate guarantees
- Transparency obligations, by failing to properly inform EU users about data access by entities in China
TikTok was ordered to bring its data-processing operations into full compliance within six months, with a warning that continued non-compliance could lead to suspension of all transfers to China.
Penalty
€530,000,000
Lesson Learned
Organizations must ensure lawful cross-border data transfers, maintain complete transparency on data flows, and clearly implement safeguards when sharing EU data with non-EU jurisdictions.
2. OpenAI (Italy) — December 2024
Violation: Unlawful Processing, Insufficient Transparency & Failure to Protect Minors
The Italian Data Protection Authority (Garante) launched an investigation into ChatGPT’s data practices. It found that OpenAI:
- Processed users’ personal data to train AI models without a valid legal basis
- Failed to notify authorities about a March 2023 data breach
- Did not provide adequate transparency regarding how personal data was collected and used
- Lacked sufficient age-verification mechanisms, exposing minors under 13 to the service
These findings represented breaches of core GDPR requirements.
Ruling
The Garante determined that OpenAI violated multiple GDPR principles, including:
- Lack of a lawful basis for processing
- Failure to comply with information and transparency obligations
- Insufficient safeguards for children and minors
As a corrective measure, OpenAI was ordered to conduct a six-month public awareness campaign in Italy explaining its data practices and user rights.
Penalty
€15,000,000
Lesson Learned
AI companies must secure a lawful basis for processing data, fully disclose how data is used—including for model training—and implement robust protections for minors, especially in widely accessible generative AI systems.
3. Experian Netherlands — October 2025
Violation: Unlawful Collection & Use of Personal Data
Experian Netherlands collected extensive personal data from both public and private sources, including:
- Trade registers
- Telecom companies
- Energy companies
The company failed to adequately inform individuals or obtain valid consent where required. The data was then used for credit scoring and shared with third parties—without meeting GDPR transparency obligations.
Ruling
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) found that Experian had:
- Violated transparency requirements, by not informing individuals how their data would be used
- Lacked a sufficient legal basis for multiple processing activities
Penalty
€2,700,000
Lesson Learned
Organizations handling consumer data must ensure that individuals are informed clearly and accurately, have provided valid consent when necessary, and understand how and where their personal data will be used.
Conclusion: The Global Message of GDPR Enforcement
Across these major cases, several themes consistently emerge:
- Transparency is non-negotiable
- A lawful basis for processing must always be established and documented
- International transfers require strong and demonstrable safeguards
- Special protections for minors are essential
- Regulators are increasingly willing to impose large penalties and corrective orders
As GDPR enforcement continues to intensify across Europe, companies—especially those operating globally—must embed privacy-by-design, maintain rigorous compliance frameworks, and invest in robust governance practices to protect personal data throughout all stages of processing.