Telegram can share your personal data with its parent company and affiliates in the British Virgin Islands and Dubai, using standard contractual clauses as the legal mechanism for EEA data transfers.
This analysis describes what Telegram's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Your personal data may be transferred to entities in jurisdictions that do not have EU adequacy decisions, meaning the legal protection depends on the quality and enforcement of the standard contractual clauses in place.
Interpretive note: The adequacy of the standard contractual clauses for transfers to BVI and UAE depends on undisclosed transfer impact assessments and supplementary measures that are not described in the policy, creating uncertainty about practical compliance with GDPR Chapter V.
EEA and UK users' personal data may be shared with Telegram group companies in the British Virgin Islands and Dubai, neither of which has an EU adequacy decision, relying solely on standard contractual clauses as a safeguard that cannot be independently verified by users.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Loyalty and partner program companies. We share information with our loyalty and partner program companies, like Ulta Beauty and Marriott.
Monitoring
Telegram has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"To provide, improve and support our Services, we may share your personal data with: (1) our parent company, Telegram Group Inc, located in the British Virgin Islands, (2) Telegraph Inc., a group member also located in the BVI; and (3) Telegram FZ-LLC, a group member located in Dubai. We will implement appropriate safeguards to protect the security and integrity of that personal data. This will take the form of standard contract clauses approved by the European Commission in an agreement between us and our relevant group companies.— Excerpt from Telegram's Telegram Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V on international data transfers, specifically Articles 44-46. Neither the British Virgin Islands nor the UAE (Dubai) hold EU adequacy decisions, meaning standard contractual clauses are the applicable transfer mechanism. Post-Schrems II (Case C-311/18), transfers using SCCs require a transfer impact assessment (TIA) to verify that the destination jurisdiction's law does not undermine the protections afforded by the SCCs. Relevant enforcement authorities are EEA member state data protection authorities and the UK ICO for UK GDPR purposes. GOVERNANCE EXPOSURE: Medium. The policy asserts that SCCs are in place but does not describe whether transfer impact assessments have been conducted for BVI or UAE transfers, nor what supplementary measures (if any) are applied. The BVI's legal framework provides limited data protection, and the UAE's Federal Decree-Law No. 45 of 2021 on Personal Data Protection is relatively new with uncertain equivalence to GDPR standards. This creates ongoing compliance exposure for organizations relying on Telegram for data processing. JURISDICTION FLAGS: EEA and UK users face the highest exposure. UK GDPR's international transfer framework post-Brexit requires separate assessment using UK International Data Transfer Agreements (IDTAs) or addenda, which the policy does not specifically address for UK users. Organizations in highly regulated sectors transferring employee or client data over Telegram should assess whether these transfers are compatible with their own data export obligations. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should request Telegram's data processing agreement and SCC documentation, as well as any available TIA summaries, as part of vendor due diligence. The absence of publicly available TIA documentation is a gap for vendors conducting thorough GDPR Article 28 assessments. COMPLIANCE CONSIDERATIONS: Data protection officers should verify that Telegram's SCC implementation uses current European Commission standard contractual clauses (2021 versions) and that UK users are covered by appropriate transfer mechanisms. The policy's reference to contacting the EEA representative for more information on SCCs is the recommended action for compliance teams requiring documentation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Your personal data may be transferred to entities in jurisdictions that do not have EU adequacy decisions, meaning the legal protection depends on the quality and enforcement of the standard contractual clauses in place.
EEA and UK users' personal data may be shared with Telegram group companies in the British Virgin Islands and Dubai, neither of which has an EU adequacy decision, relying solely on standard contractual clauses as a safeguard that cannot be independently verified by users.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Telegram.