Changeflow GovPing Data Protection DPC Inquiry into TikTok Data Transfers to China
Priority review Enforcement Added Final

DPC Inquiry into TikTok Data Transfers to China

Favicon for www.dataprotection.ie DPC Press Releases (Ireland DPA)
Filed July 10th, 2025
Detected February 11th, 2026
Email

Summary

The Irish Data Protection Commission (DPC) has opened an inquiry into TikTok Technology Limited regarding the transfer of EEA users' personal data to servers in China. This follows TikTok's admission that limited data was stored in China, contrary to previous evidence provided to the DPC.

View original document View source feed page

What changed

The Irish Data Protection Commission (DPC) has initiated a new inquiry into TikTok Technology Limited concerning the transfer of personal data of EEA users to servers located in China. This action stems from TikTok's recent disclosure that limited user data had, in fact, been stored on servers in China, contradicting earlier statements made to the DPC during a previous inquiry. The inquiry will examine TikTok's compliance with relevant GDPR provisions, including accountability, transparency regarding third-country transfers, cooperation with supervisory authorities, and the lawfulness of these transfers under Chapter V of the GDPR.

This development signifies a serious concern for TikTok, as the DPC is investigating potential breaches of data protection obligations. Regulated entities, particularly technology companies handling cross-border data transfers, should note the DPC's stringent approach to data transfer compliance and the potential for significant regulatory action if inaccurate information is provided or if transfer safeguards are found to be inadequate. While no specific compliance deadline or penalty is mentioned in this announcement, the inquiry itself indicates a heightened risk of future enforcement measures and potential sanctions.

What to do next

  1. Review internal data transfer policies and procedures for compliance with GDPR Chapter V.
  2. Ensure all evidence and statements provided to data protection authorities are accurate and complete.
  3. Assess the lawfulness of personal data transfers to third countries, particularly China, and ensure appropriate safeguards are in place.

Source document (simplified)

News & Media

DPC announces inquiry into TikTok Technology Limited’s transfers of EEA users’ personal data to servers located in China

10th July 2025

The Data Protection Commission (DPC) has today announced that it has opened an inquiry into TikTok Technology Limited’s (TikTok) transfers of EEA users’ personal data to servers located in China. The inquiry follows on from the DPC’s decision of 30 April 2025, which also considered TikTok’s transfers of EEA users’ personal data to China under a separate inquiry. However, during that previous inquiry, TikTok maintained that transfers of EEA users’ personal data to China took place by way of remote access only and that EEA user data were not stored on servers located within China i.e. EEA user data were stored on servers located outside of China and were accessed remotely by TikTok staff from within China. Accordingly, the DPC’s decision of 30 April 2025 did not consider TikTok’s storage of EEA users’ personal data on servers located in China.

However, in April 2025, TikTok informed the DPC of an issue that it had discovered in February 2025, namely that limited EEA user data had in fact been stored on servers in China, contrary to TikTok’s evidence to the previous inquiry.

The DPC’s decision, which issued following the inquiry cooperation procedure with peer EU regulators under the GDPR One Stop Shop mechanism, expressed its deep concern that TikTok had submitted inaccurate information to that inquiry. In its press release issued at the time of the conclusion of that inquiry, the DPC stated that it was taking those developments “very seriously” and was “considering what further regulatory action may be warranted, in consultation with our peer EU Data Protection Authorities”. As a result of that consideration, the DPC has now decided to open this new inquiry into TikTok.

The decision to commence the inquiry under section 110 of the Data Protection Act 2018, taken by the Commissioners for Data Protection, Dr. Des Hogan and Mr. Dale Sunderland, was notified to TikTok earlier this week. The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers pursuant to Chapter V of the GDPR. [1]

The inquiry will consider the following provisions of the GDPR: Articles 5(2) (accountability), 13(1)(f) (transparency information in relation to third country transfers), 31 (obligation to cooperate with the supervisory authority) and Chapter V GDPR (compliance with the relevant requirements for third country transfers).

[1] The GDPR provides a high level of protection of personal data throughout the EEA and provides data protection rights to individuals. When personal data is transferred outside of the EEA this can impede the ability of individuals to exercise rights and can circumvent that high level of protection. Therefore, it is crucial that the level of protection ensured by the GDPR should not be undermined in the case of such transfers. Accordingly, transfers of personal data can take place only if the conditions laid down in Chapter V of the GDPR are complied with. This ensures that the high level of protection provided within the European Union continues where personal data is transferred to a third country.

Article 45(1) GDPR provides that a transfer of personal data to a third country may be authorised by a decision of the European Commission to the effect that the third country, a territory or one or more specified sectors within that third country, ensures an adequate level of protection (“Adequacy Decision”).

To-date, the European Commission has made Adequacy Decisions in respect of Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, USA and Uruguay.

Under the GDPR where an organisation (“Data Controller”) intends to transfer personal data outside the EU/ EEA to a third country and where no Adequacy Decision exists between the EU and that third country, such transfers can only occur if other applicable provisions of the GDPR (Chapter V) are met such as Standard Contractual Clauses. These provisions place the responsibility on the organisation to verify, guarantee and demonstrate that the law and practices of that country guarantees a level of protection essentially equivalent to that guaranteed within EU.

Related changes

Favicon for www.priv.gc.ca Privacy Commissioner of Canada ArriveCAN App Investigation Report
Routine Mar 13, 2026 Canada OPC News & Actions Government
Favicon for www.priv.gc.ca Privacy Commissioner concludes Loblaw loyalty program investigation
Priority review Mar 13, 2026 Canada OPC News & Actions Government
Favicon for www.priv.gc.ca Global Data Protection Authorities Statement on AI Imagery Privacy
Priority review Mar 13, 2026 Canada OPC News & Actions Government
Favicon for www.pcpd.org.hk Hong Kong PCPD Arrests Two for Suspected Doxxing
Urgent Mar 13, 2026 PCPD Media Statements (HK) Data Protection
Favicon for www.pcpd.org.hk Global Privacy Authorities Joint Statement on AI-Generated Imagery
Priority review Mar 13, 2026 PCPD Media Statements (HK) Data Protection
Favicon for www.pcpd.org.hk Privacy Commissioner Reports 2025 Work and Data Security Incidents
Priority review Mar 13, 2026 PCPD Media Statements (HK) Data Protection

Source

Favicon for www.dataprotection.ie
DPC Press Releases (Ireland DPA) dataprotection.ie/en/news-media/press-releases
Data Protection
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Various DPAs (CNIL, BfDI, AEPD, etc.)
Filed
July 10th, 2025
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Technology companies
Geographic scope
EU-wide

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Topics
GDPR International Data Transfers

Browse Categories

Federal Courts 26 State Courts 91 Securities Regulation 6 Financial Regulation 43 Consumer Protection 5 Drug Safety 45 Data Protection 21 Competition 2 Attorneys General 3 Insurance Regulation 5 Trade & Export 36 Legislation 42 Energy Regulation 13 Environment 3 Labor & Employment 2 Tax 1

Get Data Protection alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when DPC Press Releases (Ireland DPA) publishes new changes.

Free. Unsubscribe anytime.