TikTok continues to transfer European users' personal data to third countries, including the People's Republic of China, as warned by the Spanish Data Protection Agency (AEPD) this Monday. European authorities have determined that these transfers do not comply with the General Data Protection Regulation (GDPR)
Fine of 530 million euros and corrective measures
In April, Ireland's Data Protection Commission (DPC) imposed a fine of 530 million euros on TikTok after concluding, in coordination with other national authorities such as the AEPD, that the platform violated the GDPR by transferring data outside the European Economic Area. In addition to the financial penalty, the Irish authority agreed to implement corrective measures to limit these transfers.
TikTok appealed the decision in the Irish courts. The case remains in judicial proceedings and the legality of the transfers continues under review.
Provisional Suspension and New Obligations for TikTok
In November 2025, the relevant court has decided to temporarily lift the suspension of transfers while the judicial proceedings are resolved. This provisional suspension is conditional on TikTok complying with specific transparency obligations.
The platform has begun to inform European users about the processing of their personal data and about the existence of the ongoing judicial procedure, according to the AEPD
"The Spanish Data Protection Agency, in coordination with its European counterparts, has stressed that TikTok maintains the transfer of personal data of European users to third countries, including China." - Spokesperson, AEPD
European Monitoring and Coordination
European data protection authorities, within the framework of the European Data Protection Board, have already concluded that these transfers do not comply with the GDPR. The measures adopted by the Irish authority are provisionally suspended, but the assessment made by the supervisory authorities remains in force.
TikTok has designated Ireland as its main establishment in Europe, which implies that the Irish DPC is the main supervisory authority in this matter, in coordination with the other European data protection authorities.
The AEPD participates in the cooperation and coherence mechanisms provided for in European regulations and continues to monitor this procedure within its powers, as it reiterated in its statement.