As explained in our privacy policy, TikTok provides certain entities in our corporate group located in China remote access to some personal data of our EEA users.
These data transfers by way of remote access are subject to controls and are necessary to provide important functions.
On 30 April 2025, the Irish Data Protection Commission (DPC) decided that TikTok had breached the GDPR by transferring data to China between 2020-2023 without having properly demonstrated, verified and guaranteed a level of protection for that data that was essentially equivalent to that guaranteed within the EU.
The DPC ordered TikTok to bring the remote access into compliance with the GDPR within six months. The decision also includes an order suspending the remote access if processing is not brought into compliance within this time frame. You can read the DPC’s decision here.
TikTok strongly disagrees with the DPC and is fully appealing its decision to the High Court of Ireland. On 14 November 2025, as part of that process, the High Court put the DPC’s decision on hold, subject to this notification to users, until the outcome of TikTok’s appeal and allowing transfers of EEA users’ data to China to continue in the meantime.
TikTok takes data protection and user privacy very seriously. We have implemented the industry-leading initiative, Project Clover – a €12bn investment in European data security we believe provides unmatched safeguards for European user data:
- TikTok has engaged with NCC Group to independently oversee, check, and verify our data controls and protections, monitor data flows, provide independent verification and report any anomalies.
- Our European user data is now stored by default in a dedicated European data enclave, currently hosted across data centres in Norway, Ireland and the United States.
- Strict access controls enforced by security gateways ensure that employees in China have no access to restricted European user data, such as phone numbers or IP addresses, stored in our European enclave.
- Advanced privacy-enhancing technologies de-identify certain data, that needs to flow globally to operate a global platform, further protecting data.
TikTok outlined details of Project Clover to the DPC during its investigation. In its decision, the DPC did not accept TikTok’s position that these measures address the concerns raised by the DPC.
TikTok disputes that the DPC engaged with Project Clover. These matters will now be decided as part of TikTok’s appeal against the DPC’s decision.
You can find out more information about TikTok’s data transfers in our privacy notice.
