The investigation focuses on Shein’s Irish company, Infinite Styles Services Co. Ltd, and formally began on April 30. The DPC will assess whether the company meets the requirements of GDPR regarding transparency, personal data processing, and specifically the regulations surrounding the transfer of personal data to third countries. According to GDPR, personal data sent outside the EU must be given protection equivalent to that which applies within the union.
“When an individual’s personal data is transferred to a country outside the EU, GDPR requires that it be given substantially the same protection as it would have within the EU,” says Graham Doyle, Deputy Commissioner at the DPC.
He further explains the background to the authority’s prioritization:
“Previous supervisory actions from the DPC, along with complaints to other European supervisory authorities, have particularly focused on data transfers to China.”
The DPC acts as the lead EU regulator for Shein because the company established its headquarters for the EMEA region (Europe, the Middle East, and Africa) in Dublin in 2023. This is the first privacy review of the company since its establishment. The DPC has the power to impose fines, and last year it fined TikTok €530 million for similar violations regarding data transfers to China.
Shein states via a spokesperson that they are cooperating with the Irish authority.
“We take our data protection obligations extremely seriously and are fully committed to complying with GDPR and all applicable data protection laws,” says the company’s spokesperson, and continues:
“We have been in active dialogue with the DPC in recent months regarding our approach to data protection. We look forward to presenting that work as part of this process.”
The DPC announces that it intends to collaborate with other European supervisory authorities during the review.