TikTok and GDPR in the public sector – what public authorities can learn from the German recommendations for institutions

07 June 2026

More and more public offices and institutions are using the TikTok app to reach citizens, build their image, or recruit employees. The supervisory authority from Baden-Württemberg in Germany has published a list of recommendations that help assess whether the use of this app complies with the GDPR. See what questions public entities must ask themselves before deciding to be present on TikTok.


The Author:

r.pr. Katarzyna Szczypińska


Key Takeaways

  • Any public authority or public entity operating a TikTok account must carry out a thorough assessment of the compliance of such activity with GDPR requirements before deciding to establish a presence on the platform.
  • Public institutions acting as data controllers should involve the Data Protection Officer (DPO) in the procedure for assessing the risks associated with the use of TikTok and implementing appropriate measures to protect individuals’ personal data.
  • The use of TikTok by public entities raises serious doubts as to the lawfulness of data processing, particularly with regard to the transfer of data to third countries and the protection of the data of underage users.
  • Public institutions should provide citizens with alternative channels for access to information that do not require their data to be processed by external entities, such as the TikTok provider.
  • An audit of the compliance of social media use with the GDPR should be carried out regularly – at least once a year – and its results should be made publicly available.

The issue of data processing in the context of the use of TikTok by public administration units

Both entities and citizens using large social media platforms usually have limited ability to influence personal data processing and the terms of use. It is precisely in this context that the supervisory authority questions the compatibility of personal data processing in the course of using TikTok with the requirements of European and German data protection law. In particular, it questions whether the processing of data when using TikTok complies with the fundamental principles of data protection set out in Articles 5 and 25 of the GDPR and whether it is based on a valid legal basis pursuant to Article 6 of the GDPR, as well as whether the specific requirements of Article 8 of the GDPR concerning the processing of minors’ data and Articles 13 and 14 of the GDPR regarding transparent information to data subjects are met.


Checklist for the use of TikTok in compliance with data protection

Below we present a checklist for public authorities regarding the use of TikTok. Each institution that carries out activities on TikTok for official purposes should be able to answer the questions indicated in order to determine whether the use of this application in a given case complies with personal data protection provisions.

  1. What type of TikTok account is operated by the public authority (personal account, business account)? In this context, the German supervisory authority, by using the term "personal account", was probably referring to accounts operated by officials or even single-person authorities (in Poland, such an authority is, for example, the President of the Polish Data Protection Authority).
  2. If the public authority may in any way be linked to the government, a politician or a political party, has the account operated been classified by TikTok as a "government, politician or political party account" (as described in TikTok's help center; see: https://support.tiktok.com/en/using-tiktok/growing-your-audience/government-politician-and-political-party-accounts)? If so, is the public authority aware of the processing of personal data associated with this account and does it know TikTok's guidelines which, according to the service provider's explanation, "help prevent abuse of certain features"? What was the outcome of any compliance review of this processing with data protection rules?
  3. What possible TikTok configurations have been implemented for the account to protect personal data?
  4. What so-called creator tools (see: https://support.tiktok.com/en/using-Tik%20Tok/creating-videos/creator-tools-on-Tik%20Tok) are used? To what extent are new or older content related to the account created or enriched on the basis of views, shares and other reactions? What analyses concerning the use of the account are carried out or enabled by TikTok?
  5. How does the public authority using TikTok classify responsibilities in the area of personal data protection (data controller, joint controller, data processor)? What roles do in particular the authority, TikTok and any other entities involved play?
  6. On what legal bases is the processing of personal data carried out when using TikTok? In particular, how is it ensured that, when cooperating with other companies or institutions, there is a legal basis for data sharing and that their obligations have been defined (separate controller, joint controller, data processor)? If agreements have been concluded pursuant to Article 26 of the GDPR (joint controllership agreement) and Article 28(3) of the GDPR (data processing agreement), they should be retained.
  7. How is clarity ensured, from the user's perspective, regarding the obligations specified in point 5 and the scope of personal data processing?
  8. Is there a social media communication concept concerning the use of TikTok (the so-called social media use concept; see the requirements at: https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/02/Wesentliche-Anforderungen-an-die-beh%C3%B6rdliche-Nutzung-Sozialer-Netzwerke.pdf) which
    • defines the purpose or purposes, the nature and scope of the intended use of data,
    • includes a justification for the decision to use TikTok, including an explanation of why the purpose or purposes cannot be achieved through alternative channels (necessity),
    • defines responsibility for editorial or technical management,
    • ensures the exercise of the rights of data subjects in accordance with Article 12 et seq. GDPR, and
    • includes a Data Protection Impact Assessment (DPIA) of the planned processing operations in accordance with Article 35 GDPR?
  9. Is the concept described in point 8 or the arrangements concerning the topics listed therein reviewed for necessity and scope of the use of the social network on the basis of experience gained? Is this review:
    • conducted regularly – at least once a year,
    • generally accessible and duly published on the Internet?

In the event that an assessment has been carried out, the methodology used and information about the assessing body should be provided.

  10. Are there alternative channels through which citizens can access information published on TikTok without data being processed by third parties? What are these channels, and how is the equivalence of information ensured?
  11. Are there alternative options for the interactive participation of interested persons in communication concerning information made available by the public authority on TikTok (e.g. commenting, sharing, rating)? What are these options, and how is the equivalence of content and communication capabilities ensured?
  12. What protective measures have been taken to ensure the special protection of children’s personal data, special categories of personal data, and data relating to criminal convictions and offences in accordance with Articles 9 and 10 GDPR?
  13. Is there an (up-to-date) record of processing activities (Article 30 GDPR) in relation to the use of TikTok?
  14. How is the processing of personal data in a third country identified, and are there sufficient legal safeguards for such processing activities in that third country?


A detailed analysis of the above issues and answers to all questions will make it possible to draw specific conclusions as to whether the activities of a public authority related to the use of the TikTok application are compliant with the GDPR.

TikTok and the GDPR in the public sector – the role of the Data Protection Officer (DPO)

As a rule, any public authority or public body using TikTok as a data controller is required to appoint a Data Protection Officer, except for courts acting in their judicial capacity. The Officer plays a key role in implementing tools and procedures ensuring the security of individuals’ data, and their involvement in assessing the compliance of using social media platforms such as TikTok with the GDPR should be a mandatory element of any decision-making process in this regard.

In practice, this means that before launching a TikTok account, a public institution should carry out – in cooperation with the DPO – an audit of the planned data processing operations and a Data Protection Impact Assessment (DPIA), and properly document the results of these activities and subject them to regular review.

FAQ – frequently asked questions

Can an office maintain a TikTok account?

Maintaining a TikTok account by a public institution is possible, but it requires a prior analysis of compliance with the GDPR and fulfilment of a number of conditions concerning data security. A public authority, as a data controller, must be able to demonstrate that the processing of users’ personal data on the platform is carried out in accordance with the principles of lawfulness, proportionality and transparency.

Does a public body have to appoint a Data Protection Officer before joining TikTok?

As a rule, every public authority or public body is required to appoint a Data Protection Officer – except for courts acting in their judicial capacity. The DPO’s involvement in the procedure for assessing the compliance of using TikTok with the GDPR is an essential element of the responsible implementation of this platform in official communications.

What role does the Data Protection Officer play in the use of TikTok?

The DPO should participate in the audit of planned data processing operations, provide opinions on internal procedures, and oversee the conduct of the Data Protection Impact Assessment (DPIA). Their role also includes monitoring the institution’s compliance with GDPR provisions and flagging risks associated with the use of the platform.

Does TikTok process the personal data of users visiting the authority’s profile?

Yes – simply visiting a public authority profile on TikTok triggers the processing of personal data of natural persons by the platform, regardless of whether the visitor has their own account.

Which GDPR provisions are particularly relevant when assessing the use of TikTok?

Of key importance are Articles 5 and 25 of the GDPR, concerning the fundamental principles of data protection and privacy by design, Article 6 of the GDPR, governing the legal bases for processing, and Articles 13 and 14 of the GDPR, which impose information obligations. Also relevant are Article 8 of the GDPR, concerning the protection of minors’ data, and Article 35 of the GDPR, which requires a Data Protection Impact Assessment for high-risk processing operations.

What is the concept of social media use and does an authority need it?

It is an internal document setting out the objectives, scope, and procedure for an institution’s use of a social media platform, including, among other things, the rationale for selecting a given channel and an assessment of its necessity. Preparing such a concept is one of the key requirements identified by the German supervisory authority and constitutes an important element of documenting GDPR compliance.

How can the data of children using TikTok be protected?

A public institution should implement special measures to protect the data of minor users, in accordance with Article 8 of the GDPR, in particular by obtaining parental consent for the processing of the child’s personal data.

What are the consequences for a public institution of using TikTok in a manner that does not comply with the GDPR?

The supervisory authority may impose a fine on the public institution or order it to cease data processing. In addition, certain forms of non-compliance may give rise to liability for damages towards the data subjects.
