DPC Opens Inquiry into Infinite Styles Services Co. Ltd. (SHEIN Ireland)

The Data Protection Commission (DPC) has opened an inquiry into Infinite Styles Services Co. Ltd. (SHEIN Ireland) under section 110 of the Data Protection Act 2018.

The inquiry concerns SHEIN Ireland’s transfers of personal data of EU/EEA data subjects to China. The DPC will examine and assess the extent to which SHEIN Ireland has complied with its relevant obligations under the GDPR in relation to these transfers, including:

• the principles contained in Article 5 GDPR, (relating to processing of personal data)
• the transparency obligations contained in Article 13 GDPR, and
• the requirements of Chapter V for transfers of personal data to third countries [1]    

The DPC's decision to commence the inquiry was issued to SHEIN Ireland on Thursday, 30 April 2026. 

On announcing the commencement of the inquiry, Deputy Commissioner Graham Doyle said:

“When an individual’s personal data is transferred to a country outside the EU, the GDPR requires that this personal data is afforded essentially the same protections as it would within the EU.   

Recent regulatory action by the DPC, together with complaints to other European supervisory authorities, has brought data transfers to China, in particular, into focus. The inquiry is an important strategic priority for the DPC and we intend to cooperate closely with our peer European Supervisory Authorities as part of the investigation.”

Background Information

[1] The GDPR provides a high level of protection of personal data throughout the EEA and provides data protection rights to individuals. When personal data is transferred outside of the EEA this can impede the ability of individuals to exercise rights and can circumvent that high level of protection. Therefore, it is crucial that the level of protection ensured by the GDPR should not be undermined in the case of such transfers. Accordingly, transfers of personal data can take place only if the conditions laid down in Chapter V of the GDPR are complied with. This ensures that the high level of protection provided within the European Union continues where personal data is transferred to a third country.

Article 45(1) GDPR provides that a transfer of personal data to a third country may be authorised by a decision of the European Commission to the effect that the third country, a territory or one or more specified sectors within that third country, ensures an adequate level of protection (“Adequacy Decision”).

To-date, the European Commission has made Adequacy Decisions in respect of Andorra, Argentina, Brazil, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, USA and Uruguay.

Under the GDPR where an organisation intends to transfer personal data outside the EU/ EEA to a third country and where no Adequacy Decision exists between the EU and that third country, such transfers can only occur if other applicable provisions of the GDPR (Chapter V) are met such as Standard Contractual Clauses. These provisions place the responsibility on the organisation to verify, guarantee and demonstrate that the law and practices of that country guarantees a level of protection essentially equivalent to that guaranteed within EU.