[German]The Austrian based European data protection organization noyb filed GDPR complaints against AliExpress, TikTok and WeChat on 17 July 2025. All three tech companies have failed to comply with requests for information under Article 15 GDPR.
Request for GDPR information not answered
noyb sent all three tech companies a request for information in accordance with Article 15 GDPR. The data protection organization wanted to know how the Chinese companies handle personal data. This is not a problem for most large tech companies, as they can process GDPR requests for information automatically on a large scale. In most cases, there is even a function for users to download their own data.
With regard to the GDPR requests for information submitted by noyb, however, this did not work out for the three Chinese companies mentioned. noyb writes that neither TikTok nor AliExpress took the trouble to provide the data subjects with all data in accordance with Article 15 GDPR.
- TikTok only transmitted part of the data in an unstructured form that was impossible to understand.
- AliExpress provided a defective file that could only be opened once.
- WeChat, on the other hand, simply ignored the complainant's request altogether.
The complainants sent TikTok and AliExpress a series of follow-up questions to give the companies another chance. Instead of providing the missing data, both companies simply repeated the content of their privacy policies without any individual information, according to noyb. This made it impossible for complainants to verify whether their data was processed in accordance with the GDPR.
Kleanthi Sardeli, data protection lawyer at noyb says: "ech companies love to collect as much data as possible about their users – but vehemently refuse to give them full access in line with EU law. The GDPR makes it clear that companies must give their users specific information about the data they process. Just because they receive a lot of requests doesn't mean they can refuse to provide information"
Under EU law, data transfers to countries outside the EU are only permitted if the destination country does not undermine data protection. Since Chinese laws do not restrict government access to personal data, EU data cannot realistically be protected.
In January 2025, noyb took legal action against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi for unlawful data transfers to China. During the proceedings, SHEIN, Temu, and Xiaomi provided additional information to the complainants. TikTok, AliExpress, and WeChat, meanwhile, continued to violate the GDPR.
noyb has therefore filed three complaints with the data protection authorities in Belgium, Greece, and the Netherlands. TikTok, AliExpress, and WeChat have violated Articles 12 and 15 of the GDPR. We therefore call on the companies to comply with the complainants' requests for information. We also propose that the data protection authorities impose an administrative fine to prevent similar violations in the future. This penalty can be up to 4% of annual turnover. For AliExpress, for example, this could amount to €147 million (annual turnover of €3.68 billion).
