The Spanish Data Protection Authority (Agencia Española de Protección de Datos or AEPD) has issued a public warning and clear user guidance regarding ongoing transfers of personal data by the social media platform TikTok from European Union users to third countries, including the People’s Republic of China. This advisory comes amid a high-profile legal and regulatory dispute over whether such transfers comply with EU data protection law, particularly the General Data Protection Regulation (GDPR).
The AEPD’s communication aims to ensure that users—especially younger and more vulnerable groups—understand the potential privacy implications of how their data is processed and where it may be sent.
Legality of International Data Transfers
European privacy authorities have already examined TikTok’s international data flow practices and determined that they do not comply with the GDPR. In April 2025, the Irish Data Protection Commission (DPC), acting as TikTok’s lead supervisory authority in the EU, fined the platform €530 million for failing to provide adequate safeguards for transfers of European user data to third countries outside the EU. This fine was imposed after a coordinated investigation with other EU data protection authorities, including the AEPD.
TikTok challenged the DPC’s decision in Irish courts and, in November 2025, an Irish tribunal temporarily lifted the suspension of data transfers while the judicial process continues. However, this interim measure does not constitute a final legal endorsement of the transfers’ lawfulness. European regulators maintain that the underlying regulatory findings remain valid and that the legality of transfers under GDPR continues to be reviewed.
What the AEPD Is Telling Users
In its advisory, the AEPD confirms that:
- TikTok continues to transfer personal data of European users to third countries, including China.
- The transfers were previously found to violate GDPR requirements for adequate protection of personal data outside the EU.
- Even though enforcement measures tied to the Irish decision are temporarily suspended, the GDPR compliance assessment by EU authorities is still in effect and subject to judicial review.
The AEPD underscores the importance of transparent communication, noting that TikTok has begun informing European users about how their data is treated and about the ongoing legal process. This step reflects the conditions the court attached to TikTok’s temporary reprieve from the suspension of transfers.
User Recommendations from the AEPD
To help individuals better protect their privacy, the AEPD offers four practical recommendations for users of digital services such as TikTok:
- Read privacy notices carefully: Users should review notifications and privacy policies to understand what personal data is collected, how it is processed, and where it may be transferred.
- Review application permissions: Check and adjust app permissions—such as access to camera, microphone, contacts, and location—to minimize unnecessary data exposure.
- Reconsider continued use: Evaluate whether to continue using a service when personal data is being transferred to countries that do not provide a level of protection equivalent to EU standards.
- Be cautious with shared content: Exercise prudence in what personal information is shared through apps and social networks, particularly sensitive data.
Special Attention for Younger Users
The AEPD highlights that younger users—who make up a significant portion of TikTok’s audience—may be less aware of data privacy risks. It stresses the need for clear and accessible privacy information so that young people can make informed decisions about their digital habits and the services they use.
Cooperation Across European Data Protection Authorities
Under the GDPR’s framework for cross-border data protection supervision, TikTok designated Ireland as its main establishment in Europe. This means the Irish DPC plays the primary role in overseeing GDPR compliance for TikTok, working with other European regulators such as the AEPD through cooperation and consistency mechanisms.
The AEPD remains active in this coordinated supervision and continues to monitor the legal proceedings, reflecting its commitment to enforcing EU data protection standards and ensuring that European users’ rights are upheld.
Why This Matters for European Users
International data transfers must comply with stringent legal safeguards under the GDPR. Transfers to countries without an “adequacy decision” from the European Commission—such as China—require additional contractual or technical measures to ensure protections are essentially equivalent to EU standards. In TikTok’s case, regulators have concluded that such equivalence has not been demonstrated.
When personal data can be accessed from jurisdictions with different data governance regimes, users may face increased privacy and security risks. These risks arise because national laws in some countries can grant authorities broad powers to access data held by private companies for national security or law enforcement purposes.
Privacy Compliance Implementations to Satisfy AEPD
Users concerned about data transfers and privacy can take additional steps beyond reviewing privacy notices and permissions. These include:
- Adjusting privacy settings to limit data sharing and personalization.
- Using two-factor authentication to secure accounts.
- Regularly auditing connected devices and third-party integrations.
- Monitoring regulatory updates from the AEPD and other EU data protection authorities.
Understanding how digital services process personal data empowers users to make informed decisions about their digital footprint and trust relationships with technology providers.
AEPD Advisory
The AEPD’s advisory on TikTok’s data transfers serves as a reminder that data protection is a cornerstone of digital rights in Europe. As legal proceedings continue and regulatory scrutiny intensifies, users should stay informed, exercise caution, and insist on transparency from digital platforms. Privacy is not only a legal obligation for companies but a fundamental right that users can actively protect through awareness and proactive controls.