Is Telegram GDPR compliant?


Published on Jul 17, 2025 by Iron Brands


TL;DR

Telegram offers several privacy-focused features, including end-to-end encryption for Secret Chats, no ads, and cloud-based storage. However, Telegram's GDPR compliance status is nuanced. While the platform supports certain GDPR principles like data access and deletion, its proprietary encryption, unclear jurisdiction, and limited transparency raise concerns about full GDPR alignment.

Telegram’s GDPR Compliance

  1. Data Minimization and No Advertising: Telegram claims to collect minimal data and does not monetize user information through ads or profiling, a positive for GDPR compliance.

  2. Right to Access and Deletion: Telegram allows users to access and delete their account and data at any time, supporting Article 15 (Access) and Article 17 (Right to Erasure) of the GDPR.

  3. Data Storage Location & Legal Jurisdiction: Telegram’s legal headquarters is in Dubai, and its infrastructure is not clearly located within the EU. This raises concerns about cross-border data transfers and compliance with GDPR's data residency and adequacy requirements.

  4. Lack of a Public Data Processing Agreement (DPA): Unlike many cloud services, Telegram does not publish or offer a DPA, making it unsuitable for businesses that need to document third-party processing under GDPR.

  5. Encryption Protocol Transparency: While Secret Chats are end-to-end encrypted, regular cloud chats use Telegram’s proprietary MTProto encryption protocol, which is not fully open-source and lacks independent audits, a concern for GDPR's emphasis on transparency and accountability.

  6. Ambiguity Around Subprocessors and Data Controllers: Telegram hasn’t fully disclosed who processes its data, or where servers are hosted. Under GDPR, data controllers must identify subprocessors and ensure they uphold GDPR standards; Telegram does not do this publicly.

Who Should Be Cautious?

Individuals Seeking Private Messaging

Privacy-focused users may find Telegram appealing, especially with Secret Chats. However, those who prioritize full regulatory compliance (e.g., lawyers, journalists) may prefer apps like Signal.

Businesses, Developers, and Data Controllers

Due to the lack of a DPA and limited GDPR assurances, Telegram is not recommended for business communications involving personal data or for platforms operating under EU jurisdiction.

User Feedback & Community Concerns

Telegram receives high marks for usability and privacy features. Still, privacy experts caution against assuming full GDPR compliance due to:

  - Opaque infrastructure
  - Proprietary encryption
  - Limited corporate transparency

Compared to competitors like Signal (fully open-source, strongly aligned with GDPR), Telegram remains more of a “privacy-by-design” tool than a GDPR-compliant one.

Final Thoughts

Telegram provides strong privacy protections for individuals, especially with its no-ads policy and optional Secret Chats. However, its GDPR compliance is incomplete, particularly for professional or regulated environments. While it supports user control and avoids aggressive data collection, the lack of transparent infrastructure, formal DPAs, and data export tools means it falls short of full GDPR compliance.
