Finnish DPA bans Yango taxi service transfers of personal data from Finland to Russia temporarily
The Finnish Data Protection Authority (DPA) has issued a temporary order to Yandex LLC and Ridetech International B.V. The order demands the suspension of any transfer of customers’ personal data collected via the Yango taxi service to Russia. The order takes effect from 1st September and will likely remain in place until 30th November. This drastic step is deemed necessary due to a legislative reform set to be implemented in Russia that significantly undermines personal data protection when using taxi services.
The Finnish DPA was made aware of this impending legislative reform, which provides the Federal Security Service of Russia with the right to access data processed in taxi operations. Personal data from the Yango taxi application, including a customer’s location and ride address, are at risk. Given this development, the Finnish DPA believes that Yango cannot comply with EU data protection laws following this legislative change, hence the urgent need for a data transfer suspension order.
Yango’s taxi service, operating in Finland and Norway, processes its data via Ridetech International B.V. in the Netherlands. However, it has been revealed that Yango has been transferring personal data to Russia, prompting cooperative action between the Finnish, Norwegian, and Dutch Data Protection Authorities. The Finnish DPA has taken this decision under an urgency procedure stipulated by the EU General Data Protection Regulation (GDPR), enabling immediate provisional measures to protect individuals’ rights and freedoms.
Yango has been given until September to submit any information that could impact the DPA’s assessment of the situation. The company must also keep the Finnish DPA updated on any measures taken based on the order. Failure to comply or change practice could result in a binding order from the European Data Protection Board (EDPB) for Yango to terminate all data transfers.
