Telegram can share your personal data with its parent company and affiliates in the British Virgin Islands and Dubai, using standard contractual clauses as the legal mechanism for EEA data transfers.
This analysis describes what Telegram's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Your personal data may be transferred to entities in jurisdictions that do not have EU adequacy decisions, meaning the legal protection depends on the quality and enforcement of the standard contractual clauses in place.
Interpretive note: The adequacy of the standard contractual clauses for transfers to BVI and UAE depends on undisclosed transfer impact assessments and supplementary measures that are not described in the policy, creating uncertainty about practical compliance with GDPR Chapter V.
EEA and UK users' personal data may be shared with Telegram group companies in the British Virgin Islands and Dubai, neither of which has an EU adequacy decision, relying solely on standard contractual clauses as a safeguard that cannot be independently verified by users.
How other platforms handle this
We may share your information with third-party advertising partners to provide you with targeted advertising. We also work with third-party analytics providers who help us understand how users interact with our Services. These third parties may use cookies, web beacons, and similar tracking technolo...
We process personal data you provide to Oura to enable third party integrations, services, features, and offerings. For example, with your permission, our Services may integrate with third-party services like Google Health Connect and Apple HealthKit, or those of our partners. Oura takes measures to...
Creators: when you subscribe to a Creator's publication, we provide them the information necessary (including your name and email address) to provide you their publication(s). Please note that Creators control their own publications; accordingly, when you interact with a Creator's publication in a w...
Monitoring
Telegram has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"To provide, improve and support our Services, we may share your personal data with: (1) our parent company, Telegram Group Inc, located in the British Virgin Islands, (2) Telegraph Inc., a group member also located in the BVI; and (3) Telegram FZ-LLC, a group member located in Dubai. We will implement appropriate safeguards to protect the security and integrity of that personal data. This will take the form of standard contract clauses approved by the European Commission in an agreement between us and our relevant group companies.— Excerpt from Telegram's Telegram Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V on international data transfers, specifically Articles 44-46. Neither the British Virgin Islands nor the UAE (Dubai) hold EU adequacy decisions, meaning standard contractual clauses are the applicable transfer mechanism. Post-Schrems II (Case C-311/18), transfers using SCCs require a transfer impact assessment (TIA) to verify that the destination jurisdiction's law does not undermine the protections afforded by the SCCs. Relevant enforcement authorities are EEA member state data protection authorities and the UK ICO for UK GDPR purposes. GOVERNANCE EXPOSURE: Medium. The policy asserts that SCCs are in place but does not describe whether transfer impact assessments have been conducted for BVI or UAE transfers, nor what supplementary measures (if any) are applied. The BVI's legal framework provides limited data protection, and the UAE's Federal Decree-Law No. 45 of 2021 on Personal Data Protection is relatively new with uncertain equivalence to GDPR standards. This creates ongoing compliance exposure for organizations relying on Telegram for data processing. JURISDICTION FLAGS: EEA and UK users face the highest exposure. UK GDPR's international transfer framework post-Brexit requires separate assessment using UK International Data Transfer Agreements (IDTAs) or addenda, which the policy does not specifically address for UK users. Organizations in highly regulated sectors transferring employee or client data over Telegram should assess whether these transfers are compatible with their own data export obligations. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should request Telegram's data processing agreement and SCC documentation, as well as any available TIA summaries, as part of vendor due diligence. The absence of publicly available TIA documentation is a gap for vendors conducting thorough GDPR Article 28 assessments. COMPLIANCE CONSIDERATIONS: Data protection officers should verify that Telegram's SCC implementation uses current European Commission standard contractual clauses (2021 versions) and that UK users are covered by appropriate transfer mechanisms. The policy's reference to contacting the EEA representative for more information on SCCs is the recommended action for compliance teams requiring documentation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Your personal data may be transferred to entities in jurisdictions that do not have EU adequacy decisions, meaning the legal protection depends on the quality and enforcement of the standard contractual clauses in place.
EEA and UK users' personal data may be shared with Telegram group companies in the British Virgin Islands and Dubai, neither of which has an EU adequacy decision, relying solely on standard contractual clauses as a safeguard that cannot be independently verified by users.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Telegram.