DPC announces inquiry into TikTok Technology Limited’s transfers of EEA users’ personal data to servers located in China

10th July 2025

The Data Protection Commission (DPC) has today announced that it has opened an inquiry into TikTok Technology Limited’s (TikTok) transfers of EEA users’ personal data to servers located in China. The inquiry follows on from the DPC’s decision of 30 April 2025, which also considered TikTok’s transfers of EEA users’ personal data to China under a separate inquiry. However, during that previous inquiry, TikTok maintained that transfers of EEA users’ personal data to China took place by way of remote access only and that EEA user data were not stored on servers located within China i.e. EEA user data were stored on servers located outside of China and were accessed remotely by TikTok staff from within China. Accordingly, the DPC’s decision of 30 April 2025 did not consider TikTok’s storage of EEA users’ personal data on servers located in China.

However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025, namely that limited EEA user data had in fact been stored on servers in China, contrary to TikTok’s evidence to the previous inquiry.

The DPC’s decision, which issued following the inquiry cooperation procedure with peer EU regulators under the GDPR One Stop Shop mechanism, expressed its deep concern that TikTok had submitted inaccurate information to that inquiry. In its press release issued at the time of the conclusion of that inquiry, the DPC stated that it was taking those developments “very seriously” and was “considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities”. As a result of that consideration, the DPC has now decided to open this new inquiry into TikTok.

The decision to commence the inquiry under section 110 of the Data Protection Act 2018, taken by the Commissioners for Data Protection, Dr. Des Hogan and Mr. Dale Sunderland, was notified to TikTok earlier this week. The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers pursuant to Chapter V of the GDPR.[1]

The inquiry will consider the following provisions of the GDPR: Articles 5(2) (accountability), 13(1)(f) (transparency information in relation to third country transfers), 31 (obligation to cooperate with the supervisory authority) and Chapter V GDPR (compliance with the relevant requirements for third country transfers).

 


[1] The GDPR provides a high level of protection of personal data throughout the EEA and provides data protection rights to individuals. When personal data is transferred outside of the EEA this can impede the ability of individuals to exercise rights and can circumvent that high level of protection. Therefore, it is crucial that the level of protection ensured by the GDPR should not be undermined in the case of such transfers. Accordingly, transfers of personal data can take place only if the conditions laid down in Chapter V of the GDPR are complied with. This ensures that the high level of protection provided within the European Union continues where personal data is transferred to a third country.

Article 45(1) GDPR provides that a transfer of personal data to a third country may be authorised by a decision of the European Commission to the effect that the third country, a territory or one or more specified sectors within that third country, ensures an adequate level of protection (“Adequacy Decision”).

To-date, the European Commission has made Adequacy Decisions in respect of Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, USA and Uruguay.

Under the GDPR where an organisation (“Data Controller”) intends to transfer personal data outside the EU/ EEA to a third country and where no Adequacy Decision exists between the EU and that third country, such transfers can only occur if other applicable provisions of the GDPR (Chapter V) are met such as Standard Contractual Clauses. These provisions place the responsibility on the organisation to verify, guarantee and demonstrate that the law and practices of that country guarantees a level of protection essentially equivalent to that guaranteed within EU.