noyb – the European Center for Digital Rights – has filed complaints against AliExpress, TikTok and WeChat saying all three tech companies have failed to comply with access requests under Article 15 GDPR.
TikTok
noyb filed a complaint with the Hellenic Data Protection Authority on behalf of a TikTok user, alleging violations of the EU General Data Protection Regulation (GDPR) by ByteDance, TikTok’s parent company. The complaint stems from the user’s attempt to access her personal data processed by TikTok. Although the user utilized the platform’s in-app “Download your data” function, the data provided was incomplete, fragmented, and presented in a format that made it difficult to interpret. After submitting a formal request under Article 15 GDPR, TikTok responded by redirecting her to the same download option and its general privacy policy, failing to provide specific, structured, and meaningful data about processing purposes, recipients, data transfers (particularly to third countries like China), or the existence of automated decision-making.
noyb asserts that the data was not supplied in a clear, intelligible, and comprehensive manner as required by Articles 12 and 15 of the GDPR. They also argue that ByteDance, rather than TikTok Technology Ltd. in Ireland or other affiliates, acts as the actual data controller, based on the group’s internal structure and decision-making power. The complaint highlights the complex corporate structure of ByteDance and the influence of its Chinese operations over TikTok’s global data processing. It raises concerns about the possibility of personal data being transferred to China and the lack of transparency about such transfers.
The complaint requests that the HDPA recognize the violations, compel ByteDance to fully comply with the data access request, and consider imposing a fine under GDPR provisions.
AliExpress
A complaint was filed by noyb on behalf of a user against Alibaba.com Singapore E-Commerce, operator of the AliExpress platform. The complaint concerns violations of the GDPR, specifically relating to the user’s right to access personal data under Article 15 and the obligations under Article 12. The complainant attempted to access her personal data through the process outlined by AliExpress, which included downloading a “Copy of Personal Data” file. However, the file was broken and only accessible once, making it unusable for further review or legal purposes. After contacting the company directly via the email listed in its privacy policy, the responses received were either automated or unhelpful, and did not adequately address the user’s request. Furthermore, the company failed to provide key information such as data recipients and safeguards for international data transfers, notably to China. As a result, the complaint alleges that AliExpress breached multiple GDPR provisions by not providing meaningful access, failing to facilitate the data access request, and requiring the user to submit repeated requests. The Belgian Data Protection Authority is identified as the competent authority due to the presence of AliExpress’s European hub in Liège. The complainant has requested an investigation, a formal finding of GDPR violations, an order for compliance, and a fine to be imposed on AliExpress.
A complaint has been filed against Tencent International Service Europe, the European subsidiary responsible for the WeChat app, for failing to respond adequately to a user’s request to access their personal data under the GDPR. The complainant, represented by noyb, attempted to use the official WeChat Data Subject Rights Request Form to inquire whether their personal data was being transferred to China or other third countries. However, Tencent only responded six months later with generic instructions on using an in-app tool, without fulfilling the requirements of Articles 15(1), (2), and (3) GDPR, which demand comprehensive access to personal data and information about data transfers. The company also failed to comply with Article 12 GDPR, which mandates timely, transparent, and effective communication with data subjects regarding their rights. As a result, the complainant has requested that the Dutch Data Protection Authority investigate the matter, issue a declaration of infringement, order Tencent to fulfill the data access request, and consider imposing a fine for non-compliance.
Baburajan Kizhakedath
