The DPC examined how TikTok processed children's data by looking at platform settings for child users, including the Family-Pairing setting; age verification; and transparency information for children.
The investigation focused on the period between 31 July 2020 and 31 December 2020.
The inquiry found that TikTok had breached GDPR by setting child user accounts to public by default, meaning anyone could view the content posted by such a child user.
Further, the 'Family Pairing' setting allowed a non-child user to pair their account with a child account. This allowed the non-child user to enable Direct Messages for child users above the age of 16. However, it did not check if the adult “paired” with the child user was a parent or guardian.
The DPC ruled that this posed severe possible risk to child users.
The DPC has issued a reprimand; an order for TikTok to bring their processing into compliance within three months; and an administrative fine of €345 million.
In a statement, TikTok said that it "respectfully disagreed" with the decision, including the level of fine. It added that the relevant features had already been improved "well before" the inquiry began.
The Data Protection Commission is responsible for standards, inspections, investigation and enforcement of personal data protection.