GDPR | May 12, 2026

AP (The Netherlands) - 2025-005323

Netherlands DPA fines Yandex €100M for unlawful data transfers to Russia without adequate safeguards.

Summary

The Dutch Data Protection Authority (DPA) issued a €100 million GDPR fine against Yandex.Taxi LLC and Yandex LLC for transferring personal data of Norwegian and Finnish citizens to Russia without demonstrating adequate safeguards. Despite initial storage in AWS Germany, data was forwarded to Russia, and the DPA found that Russian authorities could compel disclosure under local law, while Russia's supervisory authority lacks independence. The DPA also prohibited MLU B.V. from transferring user data via the Yango app to Russia.

Full text

From GDPRhub. AP (The Netherlands) - 2025-005323: difference between the revisions of 10:22 and 10:48, 12 May 2026 (line 95).

After November 2023, while the data was first stored in AWS servers in Germany, the data was still forwarded to Russia. The DPA considered that Yandex.Taxi LLC and Yandex LLC (as recipients of the data) had means to reasonably enable them to identify Norwegian and Finnish data subjects. This is because both the recipients and Ridetech (later MLU B.V.) were managed by the same person. The DPA stated that the director had full authority and access to data within the companies, and the companies had a close interdependence. This meant that Yandex.Taxi LLC could identify data subjects in Norway and Finland without needing significant resources, even if the data was pseudonymised and encrypted.

Finally, the DPA stated that while Russian law applies mostly to data subjects in Russian territory, it is still possible for Russian authorities to request Yandex.Taxi LLC to provide data of EEA data subjects if they (temporarily) stay in Russia or possess a phone number from a Russian telecom provider. This means that standard contractual clauses may be insufficient to ensure, in practice, the effective protection of personal data transferred to a third country (see C‑311/18, Schrems I, margin 126). The DPA noted that the Russian supervisory authority could not be considered an independent supervisory authority within the meaning of Article 45(2) GDPR, as it is part of the Ministry of Digital Development. Therefore, the controllers failed to demonstrate that they had set appropriate safeguards to prevent Yandex.Taxi LLC and Yandex LLC from making the data of Norwegian and Finnish data subjects accessible to Russian authorities. The DPA fined the controllers €100,000,000.

The DPA considered this a serious violation of the GDPR, as it involved a high number of data subjects and a violation of long duration. In addition, the DPA prohibited MLU B.V. from transferring data of Norwegian and Finnish data subjects using the Yango app to Russia.

Revision as of 10:48, 12 May 2026

AP - 2025-005323

Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 44 GDPR, Article 45(2) GDPR, Article 46 GDPR, Article 58(2)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started: 05.12.2023
Decided: 01.04.2026
Published: 08.05.2026
Fine: 100,000,000 EUR
Parties: MLU B.V.; Ridetech; Yandex.Taxi LLC and Yandex LLC
National Case Number/Name: 2025-005323
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: AP (in NL)
Initial Contributor: ap

The DPA fined a taxi ride app €100,000,000 for transferring personal data of data subjects in Finland and Norway to recipients in Russia without demonstrating that it had implemented appropriate safeguards.

English Summary

Facts

MLU B.V. is a company under the Yandex group that has its main establishment in the Netherlands. MLU B.V. owns the “Yango for users” and “Yango Pro for drivers” apps (“the Yango app”). The Yango app is a platform that connects drivers with customers who wish to book a taxi ride. The case was originally against Ridetech; however, Ridetech was dissolved and MLU B.V. informed the DPA that it was the successor in title to all rights and obligations.

Ridetech was established in the Netherlands and provided the Yango app to data subjects in the EEA. Ridetech transferred data from the Yango app to Yandex.Taxi LLC and Yandex LLC, which are both established in Russia. MLU B.V. is the parent company of both Ridetech and Yandex.Taxi LLC, who were considered joint controllers during the investigation.

In 2021 and 2022, the DPA received a report from the Finnish DPA regarding the controllers (Ridetech at the time) possibly transferring personal data to Russia without appropriate safeguards in place. The Finnish DPA issued a decision on an expedited procedure (Article 66 GDPR). The Finnish DPA stated that the data transfer was unlawful under Articles 44 and 46 GDPR, and prohibited the transfer under Article 58(2)(f) GDPR. This was a provisional measure valid from September to November 2023. The Norwegian DPA also initiated an expedited procedure in August 2023. As the lead DPA, the Dutch DPA initiated a joint investigation with the Finnish and Norwegian DPAs in December 2023.

During the investigation, the controllers claimed in 2025 that they no longer offered services through the Yango app in Norway and Finland. The DPA, however, found that the providers of the app were still registered and continued to provide the Yango app to data subjects.

The Yango app processed a wide range of categories of personal data of customers and drivers, including contact information, use of the app (conversations, cookies), location, and bank information. For drivers, the app additionally processed data subjects’ social security, ID and photos. The data was transferred and stored in Russia until 2023 (including the encryption keys). After 2023, the controller stored the data and encryption keys in the Amazon Web Services (AWS) data centres in Germany. However, the controller continued to transfer data to Russia based on standard contractual clauses.

The controllers implemented additional organisational measures such as encrypting the data and prohibiting Russian government agencies from accessing data from EEA/EU data subjects. Under Russian law, taxi drivers must keep a record

Entities

Yandex (vendor), Yandex.Taxi (product), Yango (product), AWS (technology)