
TikTok Data Concerns — Exercise Your GDPR Rights

TikTok has been under sustained regulatory scrutiny across Europe for collecting extensive personal data, processing children's data without consent, and transferring EU user data to servers in China accessible to ByteDance employees.

⚖️ Regulatory action: TikTok was fined €345 million by the Irish DPC in 2023 and €14.5 million by the UK ICO for children's data violations.

What happened

2023 EU users affected

Ireland's DPC fined TikTok €345 million for GDPR violations related to children's data — specifically for default public account settings for under-18s and 'Family Pairing' consent failures.

Data exposed:
  • Children's profile data
  • Video content
  • Behavioural data
  • Location data

2022 Alleged affected

Hackers claimed to have accessed TikTok's internal storage and leaked source code and user data samples. TikTok denied any breach of user data.

Data exposed:
  • Alleged: user data, platform source code

What you can do

TikTok collects extensive data including biometric identifiers, precise location, device information, browsing history, and behavioural patterns. EU residents have the right to access all of it — and to demand its deletion.

You have two key rights under GDPR:

Generate your access request

This letter is pre-addressed to TikTok Technology Limited, the official EU data controller for TikTok.

To: TikTok Technology Limited
10 Earlsfort Terrace, Dublin 2, D02 T380, Ireland

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,


1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.
