GDPR Violations Around the World

  • shira095
  • Nov 27

Over the past several years, data protection authorities across Europe have significantly intensified GDPR enforcement. Major global companies—from social media platforms to AI developers and credit bureaus—have faced substantial investigations, regulatory orders, and unprecedented financial penalties.

This article presents a concise yet comprehensive overview of three notable GDPR enforcement cases involving TikTok (Ireland, 2025), OpenAI (Italy, 2024), and Experian Netherlands (2025). Each case highlights recurring themes in GDPR violations: lack of transparency, unlawful data processing, insufficient safeguards for international transfers, and inadequate protection of minors and consumers.

1. TikTok (Ireland) — May 2025

Violation: Unlawful International Data Transfers

The Irish Data Protection Commission (DPC) conducted a detailed investigation into TikTok after discovering that engineers and staff in China were granted remote access to personal data belonging to users in the EU/EEA.

TikTok failed to demonstrate that these transfers ensured a level of protection “essentially equivalent” to that required by EU law. Additionally, the platform’s privacy policy lacked adequate disclosure regarding:

  • The fact that data was being accessed internationally

  • The safeguards intended to protect EU users’ data

  • The legal basis for such international transfers

These gaps represented clear transparency and compliance failures under the GDPR.

Ruling

The DPC concluded that TikTok had violated GDPR rules concerning:

  • Transfers of personal data to third countries without adequate guarantees

  • Transparency obligations, by failing to properly inform EU users about data access by entities in China

TikTok was ordered to bring its data-processing operations into full compliance within six months, with a warning that continued non-compliance could lead to suspension of all transfers to China.

Penalty

€530,000,000

Lesson Learned

Organizations must ensure lawful cross-border data transfers, maintain complete transparency on data flows, and clearly implement safeguards when sharing EU data with non-EU jurisdictions.

2. OpenAI (Italy) — December 2024

Violation: Unlawful Processing, Insufficient Transparency & Failure to Protect Minors

The Italian Data Protection Authority (Garante) launched an investigation into ChatGPT’s data practices. It found that OpenAI:

  • Processed users’ personal data to train AI models without a valid legal basis

  • Failed to notify authorities about a March 2023 data breach

  • Did not provide adequate transparency regarding how personal data was collected and used

  • Lacked sufficient age-verification mechanisms, exposing minors under 13 to the service

These findings represented breaches of core GDPR requirements.

Ruling

The Garante determined that OpenAI violated multiple GDPR principles, including:

  • Lack of a lawful basis for processing

  • Failure to comply with information and transparency obligations

  • Insufficient safeguards for children and minors

As a corrective measure, OpenAI was ordered to conduct a six-month public awareness campaign in Italy explaining its data practices and user rights.

Penalty

€15,000,000

Lesson Learned

AI companies must secure a lawful basis for processing data, fully disclose how data is used—including for model training—and implement robust protections for minors, especially in widely accessible generative AI systems.

3. Experian Netherlands — October 2025

Violation: Unlawful Collection & Use of Personal Data

Experian Netherlands collected extensive personal data from both public and private sources, including:

  • Trade registers

  • Telecom companies

  • Energy companies

The company failed to adequately inform individuals or obtain valid consent where required. The data was then used for credit scoring and shared with third parties—without meeting GDPR transparency obligations.

Ruling

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) found that Experian had:

  • Violated transparency requirements, by not informing individuals how their data would be used

  • Lacked a sufficient legal basis for multiple processing activities

Penalty

€2,700,000

Lesson Learned

Organizations handling consumer data must ensure that individuals are informed clearly and accurately, have provided valid consent when necessary, and understand how and where their personal data will be used.

Conclusion: The Global Message of GDPR Enforcement

Across these major cases, several themes consistently emerge:

  • Transparency is non-negotiable

  • A lawful basis for processing must always be established and documented

  • International transfers require strong and demonstrable safeguards

  • Special protections for minors are essential

  • Regulators are increasingly willing to impose large penalties and corrective orders

As GDPR enforcement continues to intensify across Europe, companies—especially those operating globally—must embed privacy-by-design, maintain rigorous compliance frameworks, and invest in robust governance practices to protect personal data throughout all stages of processing.
