European taxi company Yango, part of Russian Yandex group, has been convicted of unauthorized transfer of customer data to Russia.
The decision was issued jointly by the Finnish Office of the Data Protection Ombudsman and the data protection authorities of Norway and the Netherlands.
In a press release, the Finland's Office of the Data Protection Ombudsman states that the penalty fee has been imposed on MLU B.V., registered in the Netherlands, which was responsible for processing Yango's personal data in Europe. MLU is part of the Yandex group.
The investigation originally began already in 2023, when both the Norwegian and Finnish data protection authorities started to investigate whether Yango's customer data was being transferred to Russia and whether customers' personal data was adequately protected.
The investigation revealed that Yango's customer data was transferred to Russia without the safeguards required by the EU's General Data Protection Regulation (GDPR). According to the authorities, MLU could not guarantee that Russian authorities would not have access to its customers' personal data.
European personal data may not be transferred outside the European Union at all if equally strong protection cannot be guaranteed for them in the recipient country (as within the European Union).
Data Protection Ombudsman Anu Talus stated in the press release:
MLU was immediately prohibited from transferring data to Russia. It was also ordered to pay a 100 million euro penalty fee for violating the General Data Protection Regulation. The company can still appeal the imposed penalty fee, but it must immediately cease data transfers.
In a press release, the Finland's Office of the Data Protection Ombudsman states that the penalty fee has been imposed on MLU B.V., registered in the Netherlands, which was responsible for processing Yango's personal data in Europe. MLU is part of the Yandex group.
The investigation originally began already in 2023, when both the Norwegian and Finnish data protection authorities started to investigate whether Yango's customer data was being transferred to Russia and whether customers' personal data was adequately protected.
The investigation revealed that Yango's customer data was transferred to Russia without the safeguards required by the EU's General Data Protection Regulation (GDPR). According to the authorities, MLU could not guarantee that Russian authorities would not have access to its customers' personal data.
European personal data may not be transferred outside the European Union at all if equally strong protection cannot be guaranteed for them in the recipient country (as within the European Union).
Data Protection Ombudsman Anu Talus stated in the press release:
Companies operating in the EU area must guarantee strong protection for personal data by complying with EU data protection rules. It is not permitted to transfer personal data outside the EU if their security cannot be ensured.
MLU was immediately prohibited from transferring data to Russia. It was also ordered to pay a 100 million euro penalty fee for violating the General Data Protection Regulation. The company can still appeal the imposed penalty fee, but it must immediately cease data transfers.
