Hidden GDPR Data Transfer Risks

TikTok is spending €12 billion to store European user data on European soil. The company calls it a "data sovereignty initiative." For CIPP/E candidates, the instinct to treat this as a compliance solution is exactly the kind of reasoning that costs marks. GDPR data transfers are not governed by where a server sits; they are governed by who can access the data stored on it.

What TikTok Is Building

In April 2026, TikTok announced a second €1 billion data centre in Finland, this time in Lahti, following an earlier €1 billion facility in Kouvola. Both are part of Project Clover, TikTok's programme to migrate European user data into a dedicated regional enclave with independent oversight from NCC Group. The company already operates data centres in Norway and Ireland. The stated aim is to store data for over 200 million European users within the EU, under strict access controls.

The investment is real. The question is whether physical residency solves the legal problem. Under the GDPR, it does not; at least not by itself.

Why GDPR Data Transfers Depend on Access, Not Location

Chapter V of the GDPR applies when personal data is disclosed to, or made available to, a recipient in a third country. The EDPB's Guidelines 05/2021 set out three criteria that define a transfer: the exporter is subject to the GDPR, the exporter makes data available to a separate controller or processor, and that recipient is in a third country.

The EDPB is explicit: remote access from a third country counts as making data available. Even viewing data on a screen from outside the EEA constitutes a transfer if a separate entity is doing the viewing. This is the distinction the exam tests. A Finnish data centre does not prevent a Chapter V transfer if ByteDance employees in China retain the ability to access European user data.

The Parent Company Problem

TikTok's European operations are run by TikTok Technology Limited (Ireland) and TikTok Information Technologies UK Limited. ByteDance, the Chinese parent, is a separate legal entity in a third country. If ByteDance personnel can access European user data for engineering, moderation or analytics purposes, each access instance is a potential GDPR data transfer, regardless of where the servers are physically located. The CIPP/E Body of Knowledge (BoK), which defines every domain and topic the IAPP exam covers, maps this directly to Domain III.D.1: understanding the rationale for prohibiting transfers.

How GDPR Data Transfer Mechanisms Apply

Even if a transfer occurs, it can be lawful. The GDPR provides several mechanisms, and the exam expects candidates to know when each one applies.

Adequacy Decisions

The European Commission can determine that a third country provides adequate protection. China has no adequacy decision. That rules out the simplest route for any ByteDance access.

Standard Contractual Clauses and BCRs

Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) are the two most common safeguards for intra-group transfers. But since the Schrems II ruling, neither mechanism works in isolation. Exporters must conduct a transfer impact assessment (TIA) to evaluate whether the third country's legal framework undermines the safeguards. The EDPB's Recommendations 01/2020 lay out a six-step process for this assessment, including evaluating government access laws and adopting supplementary measures where necessary.

For transfers to China, that assessment is not straightforward. Chinese national security and intelligence laws grant broad government access powers, and the lack of independent judicial oversight makes supplementary measures difficult to design effectively.

Derogations

Article 49 derogations exist but are narrow. Explicit consent, contractual necessity and public interest all apply only in specific, non-routine situations. The EDPB has stated repeatedly that derogations cannot become the default mechanism for systematic transfers. Domain III.D.6 tests this distinction.

What the Exam Actually Tests

When the CIPP/E exam presents a scenario involving GDPR data transfers, it rarely asks "where is the data stored?" It asks "who has access?" and "what transfer mechanism is in place?" The distinction between physical residency and lawful transfer is one of the most frequently tested concepts in Domain III.D.

The Access Path, Not the Storage Path

TikTok's Project Clover includes access controls monitored by NCC Group. That is a supplementary measure. Whether it is sufficient depends on whether it genuinely prevents access by ByteDance personnel without going through the European data enclave's governance controls. The exam would expect you to evaluate that access path, not simply note the server location.

The EDPS guidance on international transfers reinforces this point: controllers must assess the level of protection in the destination country and put supplementary measures in place where the legal framework falls short. Domain III.D.7 covers transfer impact assessments explicitly, and Domain II.B.3 tests vendor management and third-party sharing obligations; both are live in any TikTok scenario question.

Data localisation is an infrastructure decision. Data sovereignty under GDPR is a legal one. The exam rewards candidates who can tell the difference. If you want to test your transfer analysis under exam conditions, start with the CIPP/E resources at 22academy.com/study.
