[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNEsugyKKiFjTlLi3ZZGHRt_be7xcZGZwKR0T_m5Mulo":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"ee01ee87-90bb-4585-93f8-7eadd13d0369","AP (The Netherlands) - 2025-005323","ap-the-netherlands-2025-005323-ef4179","← Older revision Revision as of 08:13, 13 May 2026 Line 82: Line 82: MLU B.V. is a company under the Yandex group that has its main establishment in the Netherlands. MLU B.V owns the “Yango for users” and “Yango Pro for drivers” apps (“the Yango app”). The Yango app is a platform that connects drivers with customers who wish to book a taxi ride. The case was originally against Ridetech, however, Ridetech was dissolved and MLU B.V. informed the DPA that it was the successor in title to all rights and obligations. Ridetech was established in the Netherlands and provided the Yango app to data subjects in the EEA. Ridetech transferred data from the Yango app to Yandex.Taxi LLC and Yandex LLC, which are both established in Russia. MLU B.V. is the parent company of both Ridetech and Yandex.Taxi LLC, who were considered joint controllers during the investigation. MLU B.V. is a company under the Yandex group that has its main establishment in the Netherlands. MLU B.V owns the “Yango for users” and “Yango Pro for drivers” apps (“the Yango app”). The Yango app is a platform that connects drivers with customers who wish to book a taxi ride. The case was originally against Ridetech, however, Ridetech was dissolved and MLU B.V. informed the DPA that it was the successor in title to all rights and obligations. Ridetech was established in the Netherlands and provided the Yango app to data subjects in the EEA. Ridetech transferred data from the Yango app to Yandex.Taxi LLC and Yandex LLC, which are both established in Russia. MLU B.V. is the parent company of both Ridetech and Yandex.Taxi LLC, who were considered joint controllers during the investigation. In 2021 and 2022, the DPA received a report from the Finnish DPA regarding the controllers (Ridetech at the time) possibly transferring personal data to Russia without appropriate safeguards in place. The Finnish DPA issued a decision on an expedited procedure (Article 66 GDPR). The Finnish DPA stated that the data transfer was unlawful under Articles 44 and 46 GDPR, and prohibited the transfer under [[Article 58 GDPR#2f|Article 58(2)(f) GDPR]]. This was a provisional measure valid from September to November 2023. The Norwegian DPA also initiated an expedited procedure in August 2023. As the lead DPA, the Dutch DPA initiated a joint investigation with the Finnish and Norwegian DPAs in December 2023. During its investigations, the controllers claimed in 2025 that it no longer offered services through the Yango app in Norway in Finland. The DPA, however, found that the providers of the app were still registered and continued to provide the Yango app to data subjects. In 2021 and 2022, the DPA received a report from the Finnish DPA regarding the controllers (Ridetech at the time) possibly transferring personal data to Russia without appropriate safeguards in place. The Finnish DPA issued a decision on an urgency procedure ([[Article 66 GDPR]]). The Finnish DPA stated that the data transfer was unlawful under [[Article 44 GDPR|Articles 44]] and [[Article 46 GDPR|46 GDPR]], and prohibited the transfer under [[Article 58 GDPR#2f|Article 58(2)(f) GDPR]]. This was a provisional measure valid from September to November 2023. The Norwegian DPA also initiated an urgency procedure in August 2023. As the lead DPA, the Dutch DPA initiated a joint investigation with the Finnish and Norwegian DPAs in December 2023. During its investigations, the controllers claimed in 2025 that it no longer offered services through the Yango app in Norway in Finland. The DPA, however, found that the providers of the app were still registered and continued to provide the Yango app to data subjects. The Yango app processed a wide range of categories of personal data of customers and drivers, including contact information, use of the app (conversations, cookies), location, and bank information. For drivers, the app additionally processed data subject’s social security, ID and photos. The data was transferred and stored in Russia until 2023 (including the encryption keys). After 2023, the controller stored the data and encryption keys in the Amazon Web Services (AWS) data centres in Germany. However, the controller continued to transfer data to Russia based on standard contractual clauses. The controllers implemented additional organisational measures such as encrypting the data prohibiting Russian government agencies from accessing data from EEA\u002FEU data subjects. Under Russian law, taxi drivers must keep a record of data related to each taxi ride, retain it for a minimum of six months, and provide the data to competent authorities when requested. The Yango app processed a wide range of categories of personal data of customers and drivers, including contact information, use of the app (conversations, cookies), location, and bank information. For drivers, the app additionally processed data subject’s social security, ID and photos. The data was transferred and stored in Russia until 2023 (including the encryption keys). After 2023, the controller stored the data and encryption keys in the Amazon Web Services (AWS) data centres in Germany. However, the controller continued to transfer data to Russia based on standard contractual clauses. The controllers implemented additional organisational measures such as encrypting the data prohibiting Russian government agencies from accessing data from EEA\u002FEU data subjects. Under Russian law, taxi drivers must keep a record of data related to each taxi ride, retain it for a minimum of six months, and provide the data to competent authorities when requested. Line 91: Line 91: The DPA first stated that Ridetech and Yandex.Taxi LLC were joint controllers, as they jointly determined the purposes and means of processing personal data through the Yango app. The DPA also took into account the fact that the companies belonged to the same group. The DPA first stated that Ridetech and Yandex.Taxi LLC were joint controllers, as they jointly determined the purposes and means of processing personal data through the Yango app. The DPA also took into account the fact that the companies belonged to the same group. The DPA found a violation of Articles 44 and 46 GDPR, read in conjunction with Articles 5(1)(a) and (2) GDPR. This is because the controllers had not implemented appropriate safeguards when transferring data through standard contractual clauses. The DPA made a distinction between the period in which the controller stored the encryption keys in Russia (before November 2023) and in Germany (after November 2023). Before November 2023, the DPA found that the controller did not implement appropriate safeguards, as the personal data was stored in the same servers as the encryption keys. The DPA noted that the controllers failed to follow its own standard provisions, as they included the obligation to store the encryption keys within the EEA or a country with an equivalent level of protection. The DPA found a violation of [[Article 44 GDPR|Articles 44]] and [[Article 46 GDPR|46 GDPR]], read in conjunction with [[Article 5 GDPR|Articles 5(1)(a) and (2) GDPR]]. This is because the controllers had not implemented appropriate safeguards when transferring data through standard contractual clauses. The DPA made a distinction between the period in which the controller stored the encryption keys in Russia (before November 2023) and in Germany (after November 2023). Before November 2023, the DPA found that the controller did not implement appropriate safeguards, as the personal data was stored in the same servers as the encryption keys. The DPA noted that the controllers failed to follow its own standard provisions, as they included the obligation to store the encryption keys within the EEA or a country with an equivalent level of protection. After November 2023, while the data was first stored in AWS servers in Germany, the data was still forwarded to Russia. The DPA considered that Yandex.Taxi LLC and Yandex LLC (as recipients of the data) had means to reasonably enable them to identify Norwegian and Finnish data subjects. This is because both the recipients and Ridetech (later MLU B.V.) were managed by the same person. The DPA stated that the director had full authority and access to data within the companies, and the companies had a close interdependence. This meant that Yandex.Taxi LLC could identify data subjects in Norway and Finland without needing significant resources, even if the data was pseudonymised and encrypted. After November 2023, while the data was first stored in AWS servers in Germany, the data was still forwarded to Russia. The DPA considered that Yandex.Taxi LLC and Yandex LLC (as recipients of the data) had means to reasonably enable them to identify Norwegian and Finnish data subjects. This is because both the recipients and Ridetech (later MLU B.V.) were managed by the same person. The DPA stated that the director had full authority and access to data within the companies, and the companies had a close interdependence. This meant that Yandex.Taxi LLC could identify data subjects in Norway and Finland without needing significant resources, even if the data was pseudonymised and encrypted.","The Dutch Data Protection Authority (DPA), acting as lead authority with Finnish and Norwegian counterparts, determined that Yango (operated by MLU B.V., a Yandex subsidiary) violated GDPR Articles 44 and 46 by transferring personal data from taxi drivers and customers to Russia without appropriate safeguards. The investigation found that encryption keys were stored alongside data in Russian servers until November 2023, and that continued transfers to Russia even after moving encrypted data to AWS Germany were unlawful because Yandex entities had means to identify EEA data subjects.","Dutch DPA finds Yango app unlawfully transferred EEA user data to Russia without proper safeguards","Help AP (The Netherlands) - 2025-005323: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 14:33, 12 May 2026 view sourceMba (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators912 editsm Tag: Visual edit← Older edit Latest revision as of 08:13, 13 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators635 editsmTag: Visual edit Line 82: Line 82: MLU B.V. is a company under the Yandex group that has its main establishment in the Netherlands. MLU B.V owns the “Yango for users” and “Yango Pro for drivers” apps (“the Yango app”). The Yango app is a platform that connects drivers with customers who wish to book a taxi ride. The case was originally against Ridetech, however, Ridetech was dissolved and MLU B.V. informed the DPA that it was the successor in title to all rights and obligations. Ridetech was established in the Netherlands and provided the Yango app to data subjects in the EEA. Ridetech transferred data from the Yango app to Yandex.Taxi LLC and Yandex LLC, which are both established in Russia. MLU B.V. is the parent company of both Ridetech and Yandex.Taxi LLC, who were considered joint controllers during the investigation. MLU B.V. is a company under the Yandex group that has its main establishment in the Netherlands. MLU B.V owns the “Yango for users” and “Yango Pro for drivers” apps (“the Yango app”). The Yango app is a platform that connects drivers with customers who wish to book a taxi ride. The case was originally against Ridetech, however, Ridetech was dissolved and MLU B.V. informed the DPA that it was the successor in title to all rights and obligations. Ridetech was established in the Netherlands and provided the Yango app to data subjects in the EEA. Ridetech transferred data from the Yango app to Yandex.Taxi LLC and Yandex LLC, which are both established in Russia. MLU B.V. is the parent company of both Ridetech and Yandex.Taxi LLC, who were considered joint controllers during the investigation. In 2021 and 2022, the DPA received a report from the Finnish DPA regarding the controllers (Ridetech at the time) possibly transferring personal data to Russia without appropriate safeguards in place. The Finnish DPA issued a decision on an expedited procedure (Article 66 GDPR). The Finnish DPA stated that the data transfer was unlawful under Articles 44 and 46 GDPR, and prohibited the transfer under [[Article 58 GDPR#2f|Article 58(2)(f) GDPR]]. This was a provisional measure valid from September to November 2023. The Norwegian DPA also initiated an expedited procedure in August 2023. As the lead DPA, the Dutch DPA initiated a joint investigation with the Finnish and Norwegian DPAs in December 2023. During its investigations, the controllers claimed in 2025 that it no longer offered services through the Yango app in Norway in Finland. The DPA, however, found that the providers of the app were still registered and continued to provide the Yango app to data subjects. In 2021 and 2022, the DPA received a report from the Finnish DPA regarding the controllers (Ridetech at the time) possibly transferring personal data to Russia without appropriate safeguards in place. The Finnish DPA issued a decision on an urgency procedure ([[Article 66 GDPR]]). The Finnish DPA stated that the data transfer was unlawful under [[Article 44 GDPR|Articles 44]] and [[Article 46 GDPR|46 GDPR]], and prohibited the transfer under [[Article 58 GDPR#2f|Article 58(2)(f) GDPR]]. This was a provisional measure valid from September to November 2023. The Norwegian DPA also initiated an urgency procedure in August 2023. As the lead DPA, the Dutch DPA initiated a joint investigation with the Finnish and Norwegian DPAs in December 2023. During its investigations, the controllers claimed in 2025 that it no longer offered services through the Yango app in Norway in Finland. The DPA, however, found that the providers of the app were still registered and continued to provide the Yango app to data subjects. The Yango app processed a wide range of categories of personal data of customers and drivers, including contact information, use of the app (conversations, cookies), location, and bank information. For drivers, the app additionally processed data subject’s social security, ID and photos. The data was transferred and stored in Russia until 2023 (including the encryption keys). After 2023, the controller stored the data and encryption keys in the Amazon Web Services (AWS) data centres in Germany. However, the controller continued to transfer data to Russia based on standard contractual clauses. The controllers implemented additional organisational measures such as encrypting the data prohibiting Russian government agencies from accessing data from EEA\u002FEU data subjects. Under Russian law, taxi drivers must keep a record of data related to each taxi ride, retain it for a minimum of six months, and provide the data to competent authorities when requested.The Yango app processed a wide range of categories of personal data of customers and drivers, including contact information, use of the app (conversations, cookies), location, and bank information. For drivers, the app additionally processed data subject’s social security, ID and photos. The data was transferred and stored in Russia until 2023 (including the encryption keys). After 2023, the controller stored the data and encryption keys in the Amazon Web Services (AWS) data centres in Germany. However, the controller continued to transfer data to Russia based on standard contractual clauses. The controllers implemented additional organisational measures such as encrypting the data prohibiting Russian government agencies from accessing data from EEA\u002FEU data subjects. Under Russian law, taxi drivers must keep a record of data related to each taxi ride, retain it for a minimum of six months, and provide the data to competent authorities when requested. Line 91: Line 91: The DPA first stated that Ridetech and Yandex.Taxi LLC were joint controllers, as they jointly determined the purposes and means of processing personal data through the Yango app. The DPA also took into account the fact that the companies belonged to the same group. The DPA first stated that Ridetech and Yandex.Taxi LLC were joint controllers, as they jointly determined the purposes and means of processing personal data through the Yango app. The DPA also took into account the fact that the companies belonged to the same group. The DPA found a violation of Articles 44 and 46 GDPR, read in conjunction with Articles 5(1)(a) and (2) GDPR. This is because the controllers had not implemented appropriate safeguards when transferring data through standard contractual clauses. The DPA made a distinction between the period in which the controller stored the encryption keys in Russia (before November 2023) and in Germany (after November 2023). Before November 2023, the DPA found that the controller did not implement appropriate safeguards, as the personal data was stored in the same servers as the encryption keys. The DPA noted that the controllers failed to follow its own standard provisions, as they included the obligation to store the encryption keys within the EEA or a country with an equivalent level of protection.The DPA found a violation of [[Article 44 GDPR|Articles 44]] and [[Article 46 GDPR|46 GDPR]], read in conjunction with [[Article 5 GDPR|Articles 5(1)(a) and (2) GDPR]]. This is because the controllers had not implemented appropriate safeguards when transferring data through standard contractual clauses. The DPA made a distinction between the period in which the controller stored the encryption keys in Russia (before November 2023) and in Germany (after November 2023). Before November 2023, the DPA found that the controller did not implement appropriate safeguards, as the personal data was stored in the s","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AP_(The_Netherlands)_-_2025-005323&diff=51641&oldid=51626","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F1\u002F14\u002FLogoNL.png","2026-05-13T08:13:29+00:00","2026-05-13T10:00:13.094006+00:00",8,[18,21,24,26,28],{"name":19,"type":20},"Yandex","vendor",{"name":22,"type":23},"Yango app","product",{"name":25,"type":20},"MLU B.V.",{"name":27,"type":20},"Ridetech",{"name":29,"type":30},"Amazon Web Services (AWS)","technology","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":31,"icon":33,"name":34,"slug":35},null,"GDPR","gdpr",[37,42,47],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":43},{"id":44,"icon":33,"name":45,"slug":46},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":48},{"id":49,"icon":33,"name":50,"slug":51},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]