TikTok is facing fresh scrutiny after Ireland’s Data Protection Commission (DPC) announced a formal inquiry into the company’s alleged transfer of European users’ personal data to servers in China.
In a press release published today, the DPC said it had decided to launch the inquiry following revelations that TikTok had allegedly stored limited EEA user data in China – despite previously claiming the data was only accessed remotely from that country.
“This issue was discovered by TikTok in February 2025,” the Commission stated, “and brought to the DPC’s attention in April 2025.”
The regulator said it was “deeply concerned” that inaccurate information had been submitted to a previous inquiry concluded earlier this year, and that it was “taking those developments very seriously.”
The original April 30th decision by the DPC, which resulted in a €530 million fine and corrective measures for TikTok, had examined transfers of EEA user data to China. However, it relied on assurances from TikTok that “EEA user data were not stored on servers located within China.”
In that previous case, TikTok had asserted that staff in China accessed EEA data remotely, but that the data itself was stored on servers located outside of China.
The newly announced inquiry will now investigate whether TikTok has complied with its obligations under the General Data Protection Regulation (GDPR), including the legality of transferring and storing EEA data in China.
According to the DPC, the inquiry will assess TikTok’s conduct under several provisions of GDPR: Article 5(2) (accountability), Article 13(1)(f) (transparency on international transfers), Article 31 (duty to cooperate with regulators), and the requirements of Chapter V, which governs transfers to third countries.
The decision to initiate the inquiry was made under section 110 of the Data Protection Act 2018 by Commissioners for Data Protection Dr. Des Hogan and Mr. Dale Sunderland, and was formally communicated to TikTok earlier this week.
Gript has contacted TikTok for comment.
“Our teams proactively discovered this issue through the comprehensive monitoring TikTok implemented under Project Clover,” a spokesperson for the company said.
“We promptly deleted this minimal amount of data from the servers and informed the DPC. Our proactive report to the DPC underscores our commitment to transparency and data security.”
Under GDPR, companies transferring personal data outside of the European Economic Area (EEA) must ensure that the destination country provides a level of protection “essentially equivalent” to that of the EU.
Only a limited number of countries have received “Adequacy Decisions” from the European Commission – legally recognising that they meet this standard. China is not one of them.
In cases where an Adequacy Decision is not in place, companies must rely on other safeguards, such as Standard Contractual Clauses, and are required to verify that those mechanisms offer adequate protection.
The GDPR rules aim to prevent personal data from being used or accessed in jurisdictions where privacy standards do not match those guaranteed in the EU.