AP (The Netherlands) - 2025-005323

Summary

The Dutch Data Protection Authority (AP) fined MLU B.V. (Yango taxi app operator) €100 million for transferring personal data of users in Finland and Norway to Russia without implementing appropriate safeguards as required by GDPR. The investigation, initiated jointly with Finnish and Norwegian DPAs in December 2023, found that Yango continued operating and transferring sensitive customer and driver data (location, banking, IDs) to Russian entities despite claims of service cessation. Although data storage moved to AWS in Germany after 2023, unlawful transfers based on standard contractual clauses persisted.

Full text

Help AP (The Netherlands) - 2025-005323: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 10:22, 12 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators635 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 10:22, 12 May 2026 AP - 2025-005323 Authority: AP (The Netherlands) Jurisdiction: Netherlands Relevant Law: Article 5(1)(a) GDPR Article 5(2) GDPR Article 44 GDPR Article 45(2) GDPR Article 46 GDPR Article 58(2)(f) GDPR Type: Investigation Outcome: Violation Found Started: 05.12.2023 Decided: 01.04.2026 Published: 08.05.2026 Fine: 100,000,000 EUR Parties: MLU B.V. Ridetech Yandex.Taxi LLC and Yandex LLC National Case Number/Name: 2025-005323 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Dutch Original Source: AP (in NL) Initial Contributor: ap The DPA fined a taxi ride app €100,000,000 for transferring personal data of data subjects in Finland and Norway to recipients in Russia without demonstrating that it had implemented appropriate safeguards. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts MLU B.V. is a company under the Yandex group that has its main establishment in the Netherlands. MLU B.V owns the “Yango for users” and “Yango Pro for drivers” apps (“the Yango app”). The Yango app is a platform that connects drivers with customers who wish to book a taxi ride. The case was originally against Ridetech, however, Ridetech was dissolved and MLU B.V. informed the DPA that it was the successor in title to all rights and obligations. Ridetech was established in the Netherlands and provided the Yango app to data subjects in the EEA. Ridetech transferred data from the Yango app to Yandex.Taxi LLC and Yandex LLC, which are both established in Russia. MLU B.V. is the parent company of both Ridetech and Yandex.Taxi LLC, who were considered joint controllers during the investigation. In 2021 and 2022, the DPA received a report from the Finnish DPA regarding the controllers (Ridetech at the time) possibly transferring personal data to Russia without appropriate safeguards in place. The Finnish DPA issued a decision on an expedited procedure (Article 66 GDPR). The Finnish DPA stated that the data transfer was unlawful under Articles 44 and 46 GDPR, and prohibited the transfer under Article 58(2)(f) GDPR. This was a provisional measure valid from September to November 2023. The Norwegian DPA also initiated an expedited procedure in August 2023. As the lead DPA, the Dutch DPA initiated a joint investigation with the Finnish and Norwegian DPAs in December 2023. During its investigations, the controllers claimed in 2025 that it no longer offered services through the Yango app in Norway in Finland. The DPA, however, found that the providers of the app were still registered and continued to provide the Yango app to data subjects. The Yango app processed a wide range of categories of personal data of customers and drivers, including contact information, use of the app (conversations, cookies), location, and bank information. For drivers, the app additionally processed data subject’s social security, ID and photos. The data was transferred and stored in Russia until 2023 (including the encryption keys). After 2023, the controller stored the data and encryption keys in the Amazon Web Services (AWS) data centres in Germany. However, the controller continued to transfer data to Russia based on standard contractual clauses. The controllers implemented additional organisational measures such as encrypting the data prohibiting Russian government agencies from accessing data from EEA/EU data subjects. Under Russian law, taxi drivers must keep a record of data related to each taxi ride, retain it for a minimum of six months, and provide the data to competent authorities when requested. Ridetech argued that Yandex.Taxi LLC was a processor and not a joint controller, as it was simply a software provider. In addition, Ridetech argued that it did not unlawfully transfer the data, as it implemented appropriate technical and organisational measures. Finally, it denied that Yandex.Taxi LLC was required to grant general and direct access to their information systems to Russian authorities under national law. Holding The DPA first stated that Ridetech and Yandex.Taxi LLC were joint controllers, as they jointly determined the purposes and means of processing personal data through the Yango app. The DPA also took into account the fact that the companies belonged to the same group. The DPA found a violation of Articles 44 and 46 GDPR, read in conjunction with Articles 5(1)(a) and (2) GDPR. This is because the controllers had not implemented appropriate safeguards when transferring data through standard contractual clauses. The DPA made a distinction between the period in which the controller stored the encryption keys in Russia (before November 2023) and in Germany (after November 2023). Before November 2023, the DPA found that the controller did not implement appropriate safeguards, as the personal data was stored in the same servers as the encryption keys. The DPA noted that the controllers failed to follow its own standard provisions, as they included the obligation to store the encryption keys within the EEA or a country with an equivalent level of protection. After November 2023, while the data was first stored in AWS servers in Germany, the data was still forwarded the data to Russia. The DPA considered that Yandex.Taxi LLC and Yandex LLC (as recipients of the data) had means to reasonably enable them to identify Norwegian and Finnish data subjects. This is because both the recipients and Ridetech (later MLU B.V.) were managed by the same person. The DPA stated that the director had full authority and access to data within the companies, and the companies had a close interdependence. This meant that Yandex.Taxi LLC could identify data subjects in Norway and Finland without needing significant resources, even if the data was pseudonymised and encrypted. Finally, the DPA stated that while Russian law applies mostly to data subjects in Russian territory, it is still possible for Russian authorities to request Yandex.Taxi LLC to provide data of EEA data subjects if they (temporarily) stay in Russia or possess a phone number from a Russian telecom provider. This means that standard contractual clauses may be insufficient to ensure, in practice, the effective protection of personal data transferred to a third country [See C‑311/18, Schrems I, margin 126]. The DPA noted that Russian supervisory authority could not be considered an independent supervisory authority within the meaning of Article 45(2) GDPR, as it part of the Ministry of Digital Development. Therefore, the controllers failed to demonstrate that it had set appropriate safeguards to prevent Yandex.Taxi LLC and Yandex LLC from making the data of Norwegian and Finnish data subjects accessible to Russian authorities. The DPA fined the controllers €100,000,000. The DPA considered this a serious violation of the GDPR, as it involved a high number of data subjects and a violation of long duration. In addition, the DPA prohibited MLU B.V from transferring data of Norwegian and Finnish data subjects using the Yango app to Russia. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details. 1 Dutch Data Protection Authority P.O. Box 93374, 2509 AJ The Hague Hoge Nieuwstraat 8, 2514 EL The Hague T 070 8888 500 autoriteitpersoonsgegevens.nl Confidential/Registered MLU B.V. Attn: Mr. [CONFIDENTIAL] P.O. Box 40198 8004 DD ZWOLLE Date 1 April 2026 Our reference 2025-005323 Contact

Entities