DPC Opens GDPR Inquiry into TikTok’s Transfers of EEA Data to China
The Data Protection Commission (DPC) has opened a new inquiry into TikTok Technology Limited regarding the transfer of personal data of European Economic Area (EEA) users to servers located in China. This inquiry follows a previous investigation concluded on April 30, 2025, which examined TikTok’s data transfers to China. At that time, TikTok claimed that EEA user data were only accessed remotely from China but were not stored on Chinese servers.
However, TikTok later disclosed that some EEA user data had been stored on servers in China, contradicting its earlier statements. This revelation raised serious concerns about the accuracy of the information provided by TikTok during the earlier inquiry. The DPC, in cooperation with other EU data protection authorities under the GDPR One Stop Shop mechanism, expressed strong concern about this misinformation and considered further regulatory actions.
The current inquiry, initiated under section 110 of the Data Protection Act 2018, aims to assess whether TikTok complied with its obligations under the General Data Protection Regulation (GDPR), particularly regarding the legality of transferring personal data outside the EEA. The investigation will focus on TikTok’s adherence to GDPR principles such as accountability, transparency about third-country transfers, cooperation with supervisory authorities, and compliance with Chapter V requirements for international data transfers.
Under the GDPR, personal data transfers outside the EEA are only lawful if the receiving country ensures an adequate level of data protection or if appropriate safeguards, such as Standard Contractual Clauses, are in place. Since China does not have an adequacy decision from the European Commission, TikTok must demonstrate that its transfers meet these strict conditions. The inquiry will determine if TikTok’s data handling practices align with these legal requirements.