[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjINqpDiyE6sfMEEylLzoiQkY9DG-TnPpa9dKLu4pbAw":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"c64e82a3-1432-484d-9fe8-777729103e89","AP (The Netherlands) - 2025-005323","ap-the-netherlands-2025-005323-7249c9","Holding. Revision as of 14:33, 12 May 2026. The DPA found a violation of Articles 44 and 46 GDPR, read in conjunction with Articles 5(1)(a) and (2) GDPR. This is because the controllers had not implemented appropriate safeguards when transferring data through standard contractual clauses. The DPA made a distinction between the period in which the controller stored the encryption keys in Russia (before November 2023) and in Germany (after November 2023). Before November 2023, the DPA found that the controller did not implement appropriate safeguards, as the personal data was stored in the same servers as the encryption keys. 
The DPA noted that the controllers failed to follow their own standard provisions, as they included the obligation to store the encryption keys within the EEA or a country with an equivalent level of protection. After November 2023, while the data was first stored in AWS servers in Germany, the data was still forwarded to Russia. The DPA considered that Yandex.Taxi LLC and Yandex LLC (as recipients of the data) had means to reasonably enable them to identify Norwegian and Finnish data subjects. This is because both the recipients and Ridetech (later MLU B.V.) were managed by the same person. The DPA stated that the director had full authority and access to data within the companies, and the companies had a close interdependence. This meant that Yandex.Taxi LLC could identify data subjects in Norway and Finland without needing significant resources, even if the data was pseudonymised and encrypted. Finally, the DPA stated that while Russian law applies mostly to data subjects in Russian territory, it is still possible for Russian authorities to request Yandex.Taxi LLC to provide data of EEA data subjects if they (temporarily) stay in Russia or possess a phone number from a Russian telecom provider. 
This means that standard contractual clauses may be insufficient to ensure, in practice, the effective protection of personal data transferred to a third country (see C‑311\u002F18, Schrems I, margin 126). The DPA noted that the Russian supervisory authority could not be considered an independent supervisory authority within the meaning of Article 45(2) GDPR, as it is part of the Ministry of Digital Development. Therefore, the controllers failed to demonstrate that they had set appropriate safeguards to prevent Yandex.Taxi LLC and Yandex LLC from making the data of Norwegian and Finnish data subjects accessible to Russian authorities.","The Dutch Data Protection Authority (DPA) found violations of GDPR Articles 44, 46, 5(1)(a), and (2) against controllers transferring personal data of Norwegian and Finnish subjects to Russia through Yandex entities. 
The violations stem from storing encryption keys on the same servers as personal data (pre-November 2023) and continuing data transfers to Russia despite relocating storage to AWS Germany. The DPA determined that standard contractual clauses were insufficient given Russian authorities' ability to compel data access and the lack of independent supervisory oversight in Russia.","Netherlands DPA finds GDPR violations in data transfers to Russia via inadequate safeguards","AP (The Netherlands) - 2025-005323: Difference between revisions. From GDPRhub. Revision as of 10:48, 12 May 2026 (Ap); revision as of 14:33, 12 May 2026 (Mba). The DPA found a violation of Articles 44 and 46 GDPR, read in conjunction with Articles 5(1)(a) and (2) GDPR. 
This is because the controllers had not implemented appropriate safeguards when transferring data through standard contractual clauses. The DPA made a distinction between the period in which the controller stored the encryption keys in Russia (before November 2023) and in Germany (after November 2023). Before November 2023, the DPA found that the controller did not implement appropriate safeguards, as the personal data was stored in the same servers as the encryption keys. The DPA noted that the controllers failed to follow their own standard provisions, as they included the obligation to store the encryption keys within the EEA or a country with an equivalent level of protection. After November 2023, while the data was first stored in AWS servers in Germany, the data was still forwarded to Russia. The DPA considered that Yandex.Taxi LLC and Yandex LLC (as recipients of the data) had means to reasonably enable them to identify Norwegian and Finnish data subjects. This is because both the recipients and Ridetech (later MLU B.V.) were managed by the same person. The DPA stated that the director had full authority and access to data within the companies, and the companies had a close interdependence. 
This meant that Yandex.Taxi LLC could identify data subjects in Norway and Finland without needing significant resources, even if the data was pseudonymised and encrypted. Finally, the DPA stated that while Russian law applies mostly to data subjects in Russian territory, it is still possible for Russian authorities to request Yandex.Taxi LLC to provide data of EEA data subjects if they (temporarily) stay in Russia or possess a phone number from a Russian telecom provider. This means that standard contractual clauses may be insufficient to ensure, in practice, the effective protection of personal data transferred to a third country (see C‑311\u002F18, Schrems I, margin 126). The DPA noted that the Russian supervisory authority could not be considered an independent supervisory authority within the meaning of Article 45(2) GDPR, as it is part of the Ministry of Digital Development. 
Therefore, the controllers failed to demonstrate that they had set appropriate safeguards to prevent Yandex.Taxi LLC and Yandex LLC from making the data of Norwegian and Finnish data subjects accessible to Russian authorities. AP - 2025-005323 Authority: AP (The Netherlands) Jurisdiction: Netherlands Relevant Law: Article 5(1)(a) GDPR Article 5(2) GDPR Article 44 GDPR Article 45(2) GDPR Article 46 GDPR Article 58(2)(f) GDPR Type: Investigation Outcome: Violation Found Started: 05.12.2023 Decided: 01.04.2026 Published: 08.05.2026 Fine: 100,000,000 EUR Parties: MLU B.V. Ridetech Yandex.Taxi LLC and Yandex LLC National Case Number\u002FName: 2025-005323 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Dutch Original Source: AP (in NL) Initial Contributor: ap The DPA fined a taxi ride app €100,000,000 for transferring personal data of data subjects in Finland and Norway to recipients in Russia without demonstrating that it had implemented appropriate safeguards. English Summary Facts MLU B.V. is a company under the Yandex group that has its main establishment in the Netherlands. MLU B.V. owns the “Yango for users” and “Yango Pro for drivers” apps (“the Yango app”). The Yango app is a platform that connects drivers with customers who wish to book a taxi ride. The case was originally against Ridetech; however, Ridetech was dissolved and MLU B.V. informed the DPA that it was the successor in title to all rights and obligations. Ridetech was established in the Netherlands and provided the Yango app to data subjects in the EEA. Ridetech transferred data from the Yango app to Yandex.Taxi LLC and Yandex LLC, which are both established in Russia. MLU B.V. is the parent company of both Ridetech and Yandex.Taxi LLC, which were considered joint controllers during the investigation. 
In 2021 and 2022, the DPA received a report from the Finnish DPA regarding the controllers (Ridetech at the time) possibly transferring personal data to Russia without appropriate safeguards in place. The Finnish DPA issued a decision on an expedited procedure (Article 66 GDPR). The Finnish DPA stated that the data transfer was unlawful under Articles 44 and 46 GDPR, and prohibited the transfer under Article 58(2)(f) GDPR. This was a provisional measure valid from September to November 2023. The Norwegian DPA also initiated an expedited procedure in August 2023. As the lead DPA, the Dutch DPA initiated a joint investigation with the Finnish and Norwegian DPAs in December 2023. During its investigations, the controllers claimed in 2025 that it no longer offered services through the Yango","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AP_(The_Netherlands)_-_2025-005323&diff=51626&oldid=51623","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F1\u002F14\u002FLogoNL.png","2026-05-12T14:33:15+00:00","2026-05-12T16:00:12.95808+00:00",8,[18,21,24,27],{"name":19,"type":20},"Yandex","vendor",{"name":22,"type":23},"Yandex.Taxi","product",{"name":25,"type":26},"Standard Contractual Clauses (SCCs)","technology",{"name":28,"type":23},"AWS","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":29,"icon":31,"name":32,"slug":33},null,"GDPR","gdpr",[35,40,45],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":41},{"id":42,"icon":31,"name":43,"slug":44},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":46},{"id":47,"icon":31,"name":48,"slug":49},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]