The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) on April 1, 2026, imposed a 100 million euro administrative fine on MLU B.V., the Netherlands-based parent company of ride-hailing app Yango, for transferring personal data of Finnish and Norwegian users to Russia without adequate safeguards under the General Data Protection Regulation. The decision, carrying case reference 2025-005323 and signed by AP chair Aleid Wolfsen, also includes an immediate ban on further data transfers from Norwegian and Finnish Yango users to any recipients in Russia.

The fine is among the largest ever issued by a Dutch supervisory authority, and it puts the Dutch regulator - acting as lead authority under the GDPR's One Stop Shop mechanism - squarely at the center of a geopolitically charged enforcement case. It follows a multi-year investigation that began with signals from Finnish and Norwegian privacy regulators and culminated in a formal joint inquiry launched on December 5, 2023.

Background and corporate structure

Yango launched in Finland in November 2018 and in Norway in 2021 as a ride-hailing service under the Yandex corporate umbrella. The app connects passengers wanting to book taxi rides with independent drivers through two mobile applications: "Yango for users" and "Yango Pro for drivers." Ridetech International B.V., an Amsterdam-registered company, was the entity that operated the Yango app within the European Economic Area and held data controller status for users in Finland and Norway.

According to the AP decision, Ridetech was a wholly owned subsidiary of MLU B.V., which was in turn a subsidiary of Yandex N.V. Holding Company until a group restructuring in February 2024. After that restructuring, MLU B.V. became a subsidiary of Y.E. Holding Limited, registered in the United Arab Emirates. Y.E. Holding Limited is itself, as of July 24, 2024, a subsidiary of Y.E. Holding d.o.o. Beograd, registered in Serbia. The ultimate sole shareholder at the top of the chain is Consortium.First, a closed-end mutual investment fund based in Russia - the same consortium that acquired the Russian-based Yandex assets in a deal valued at approximately 475 billion rubles (around 6.2 billion dollars). PPC Land has previously reported on Yandex's divestment of its Russia-based businesses.

Ridetech was formally dissolved on October 24, 2025. MLU B.V. assumed all rights and obligations of Ridetech from that date, which is why the fine was directed at MLU rather than the now-defunct Ridetech. Importantly, the AP's investigation found that despite Ridetech's director formally notifying the authority of the dissolution and claiming that Yango services in Norway and Finland had been stopped, Finnish and Norwegian regulators confirmed that the Yango-brand providers were still registered in both countries' trade registers and that services continued to be offered.

What data was transferred and to whom

The technical picture is detailed in the AP decision. Ridetech transferred personal data to two Russian entities: Yandex.Taxi LLC, the joint controller, and Yandex LLC, which acted as a sub-processor. Until July 15, 2024, Yandex.Taxi LLC was a subsidiary of Ridetech itself. After that date it became a subsidiary of Yandex Technologies LLC, also based in Russia.

The categories of personal data involved were extensive. For passengers, these included phone numbers, email addresses, electronic identification data, geolocation data (GPS and Wi-Fi-based), chat conversations, phone call records, login data, browser details, order specifics, cookies, and banking information. For drivers, the scope was broader still: names, social security numbers, identification numbers, dates of birth, nationality, photos, home addresses, driving licence details (including scans of documents), chat and phone conversations, and bank account data.

According to the AP decision, prior to November 27, 2023, all personal data was stored and processed on servers physically located in Russia. Crucially, encryption keys were also stored in Russia - on the same servers as the encrypted personal data. The AP found this arrangement meant the data could readily be decrypted, rendering the encryption effectively meaningless as a safeguard. The authority noted that this arrangement was also in direct violation of Ridetech's own standard contractual clauses (SCCs) from September 21, 2021, which required encryption keys to be stored exclusively within the EEA or in a jurisdiction with an equivalent level of protection.

From November 27, 2023, Ridetech changed its approach. Personal data from Finnish and Norwegian users was encrypted and stored on Amazon Web Services servers in Frankfurt. Encryption keys were also kept in Frankfurt. However, encrypted personal data continued to be transmitted onward to Yandex.Taxi LLC and Yandex LLC servers in Russia.

Why encryption alone was not enough

The AP's finding on this point is technical and significant. Ridetech argued that pseudonymisation and encryption, combined with encryption keys held in the EU, made it impossible for Russian entities to re-identify users. The authority rejected this. According to the decision, the same individual served as director of both Yandex.Taxi LLC in Russia and MLU B.V. in the Netherlands during a substantial part of the relevant period - from at least September 15, 2020, through May 31, 2024. Because that director held authority over both the data exporter and the Russian data recipient, the AP concluded that it was entirely foreseeable that the encrypted data could be re-identified through that shared executive access. The authority stated that identifying Finnish and Norwegian users would not have required significant cost, time, or effort from Yandex.Taxi LLC.

Put differently: the test is not whether data is technically encrypted, but whether the recipient possesses or can reasonably obtain the means to identify data subjects. When the same person controls both sides of a data transfer, technical barriers count for less.

The wrong set of standard contractual clauses

A further, independent reason for the violation: Ridetech applied SCCs designed for transfers between a data controller and a processor. The AP found that Yandex.Taxi LLC was actually a joint controller, not a processor, because it co-determined the purposes and means of the data processing - the app's software, which Yandex.Taxi LLC developed and owned, dictated what data was collected and how. Only Yandex.Taxi LLC could modify the software; Ridetech could not. That made the controller-processor SCCs the wrong instrument. The correct SCCs would have been those governing transfers between two controllers. The authority found this an independent ground for non-compliance with Articles 44 and 46 GDPR.

Russian law and the SORM question

The AP decision devotes substantial space to the legal environment in Russia. Both Yandex.Taxi LLC and Yandex LLC are registered in Russia as Internet Communications Organisers (ICOs) under Federal Law No. 149-FZ of July 27, 2006 on Information, Information Technologies and Protection of Information. Under the so-called Yarovaya Law - Federal Law No. 374-FZ and 376-FZ of July 6, 2016 - ICOs must provide certain information to Russian law enforcement and security services and supply encryption keys upon request to enable decryption of communications.

ICOs must also install the System for Operative Investigative Activities (SORM), hardware and software embedded in their infrastructure that enables Russian security services to request data. Crucially, ICOs are prohibited from disclosing any information about SORM or its technical integration. Disclosure carries administrative fines of up to 6 million Russian rubles.

The Russian Taxi Law, which came into force September 1, 2023, adds another layer: taxi providers must maintain logbooks per ride containing departure and arrival addresses, timestamps, vehicle and driver details, customer phone numbers, and payment method, retaining these for at least six months. They are also required to provide Russian security authorities with access to their information systems upon request.

Ridetech argued that these provisions did not apply to Yandex.Taxi LLC's operations, and that the SORM variant applicable to Yandex entities (called HSS ICO) did not grant Russian authorities general and direct access to data. The AP was not persuaded. According to the decision, the authority could not exclude the possibility that Russian authorities had broader de facto access rights than Ridetech claimed - and crucially, Ridetech's own Transfer Impact Assessment acknowledged that Russian authorities hold very wide data access powers and that there is a real risk of abuse and arbitrariness in Russia.

Roskomnadzor is not an independent regulator

A notable legal finding in the decision concerns Russia's data protection regulator, Roskomnadzor. The AP concluded that Roskomnadzor cannot be considered an independent supervisory authority within the meaning of Article 45(2) GDPR - a requirement for recognising adequate protection in a third country. Three reasons were given. First, Roskomnadzor is hierarchically subordinate to Russia's Ministry of Digital Development, Communications and Mass Media. Second, it must simultaneously enforce the Yarovaya Law (an anti-terrorism measure requiring data access by security services) and data protection law - interests that are inherently in conflict. Third, the European Data Protection Supervisor's own analysis established that Roskomnadzor in practice imposes fines and warnings only against private organisations and natural persons, not against government entities. This finding means EEA data subjects whose data flows to Russia lack the enforceable rights and effective remedies required by Article 46(1) GDPR.

The fine calculation

The AP's fine calculation follows the EDPB's Guidelines 04/2022 for calculating administrative fines. The statutory maximum is 4% of global annual revenue, since the violation falls under Article 83(5) GDPR (the higher tier covering cross-border transfer violations). The authority treated the relevant economic entity as the entire Consortium.First group, including IPJSC YANDEX, which is listed on the Moscow Stock Exchange. IPJSC Yandex's 2024 annual revenue amounted to 1,094.6 billion Russian rubles, equivalent to approximately 12.08 billion euros at the exchange rate of March 31, 2026 (100 Russian rubles = 1.07 euros). Four percent of that figure equals a maximum fine of 483.2 million euros.

The authority classified the severity of the violation as "high," meaning the starting point for the fine falls between 20% and 100% of the maximum - a range of 96.6 million to 483.2 million euros. Taking into account the nature, duration, and scope of the breach - which began May 23, 2022 and continues to the present day - the authority set the base amount at 100 million euros. Tens of thousands of users in Norway and Finland had their data transferred. Driver data included social security numbers and photographs, categories the AP highlighted as particularly sensitive. No mitigating or aggravating adjustments were applied, and the final fine was confirmed at 100 million euros, well below the ceiling of 483.2 million euros.

According to the NL Times, AP chair Aleid Wolfsen said: "In Russia, personal data is not as well protected as in Europe. This means the Russian government could potentially access this data. That is why sensitive data from both customers and drivers should have been better protected, especially given the absence of an independent privacy regulator in Russia. We found that this was not done properly, and that is serious."

MLU has announced it will challenge the fine. The company's position, as reported by NL Times, is that "the personal data was stored exclusively within the EU in pseudonymised and encrypted form, making it technically inaccessible to third parties." MLU states it applied all appropriate safeguards in line with European privacy law and cooperated fully with the investigation. MLU has six weeks from the April 1, 2026 decision date to file an objection.

Business model changes already under way

The investigation took place against a backdrop of ongoing restructuring inside Yango. On March 1, 2025, Ridetech shifted to a franchise model for its Finnish and Norwegian operations. Finnish company CABS TEK OY began serving Finnish consumers, while Norwegian company SENTRAL OSLO CABS AS took over Norwegian operations. From March 7, 2025, Ridetech regarded itself as a joint controller alongside these local entities for processing within the EEA.

Ridetech also informed the AP that from March 19, 2025, it discontinued the use of Yandex ID - a Yandex-operated authentication system used previously to register customers and link them to other Yandex services including Yandex Pay. From July 11, 2025, all data streams were routed exclusively through EU-based servers. Ridetech's security team, based in Serbia, conducts regular audits across the group.

Despite these changes, the AP concluded they were insufficient. The violation formally began on May 23, 2022 and the authority found it still ongoing at the time of the decision.

Why this matters for data-driven marketing

Cases of this kind have direct implications for the marketing and ad tech community. As PPC Land has tracked across a series of GDPR enforcement cases, data transfer violations are now among the most aggressively pursued categories of infringement in Europe. The Dutch DPA's prior 290 million euro fine against Uber for sending European driver data to the United States established that ride-hailing platforms handling sensitive user data face particular exposure when transfers are not properly structured. The Yango case shares structural similarities: an app collecting granular location, payment, and identity data from users in multiple EEA countries, routing that data to a third country through intra-group arrangements.

What makes the Yango case technically distinctive is the shared directorship argument. Where most data transfer cases turn on the adequacy of contractual instruments or the sufficiency of encryption, the AP's finding that a single executive controlling both the data exporter and the Russian data recipient effectively neutralises pseudonymisation is a substantive new addition to enforcement doctrine. It echoes the Court of Justice of the European Union's September 2025 ruling in GAR/EDPS (ECLI:EU:C:2025:645), which the AP explicitly cited in the decision on the question of whether recipients possess re-identification means.

The TikTok case before Irish regulators, resulting in a 530 million euro fine for transfers to China, and the Yango case share a common thread: transfers to jurisdictions where security services have legal powers to compel access to personal data, and where no independent supervisory authority capable of protecting EEA data subjects exists. Marketers and ad tech operators using global data pipelines that touch Russia, China, or other third countries without EU adequacy decisions must now contend with the practical reality that encrypting data before transfer does not create a compliance safe harbour if the recipient entity could plausibly re-identify users through organisational means.

The Criteo judgment upheld by France's Conseil d'Etat in March 2026 also reinforced that pseudonymous identifiers can still constitute personal data when re-identification is feasible. The Yango decision adds a scenario where re-identification risk is established not through technical analysis of the data itself, but through the governance and ownership structure of the entities involved.

Timeline

  • May 23, 2022 - The data transfer violation period begins, according to the AP decision. Ridetech transfers Finnish and Norwegian user data to Russia without adequate safeguards under Articles 44 and 46 GDPR.
  • 2021-2022 - The Finnish data protection authority (Tietosuojavaltuutetun toimisto) sends signals to the Dutch AP about potential unlawful data transfers by Ridetech.
  • August 4, 2023 - The Finnish regulator issues an emergency decision under Article 66 GDPR with provisional measures effective September 1 to November 30, 2023, prohibiting transfers from Finland to Russia via the Yango app.
  • August 7, 2023 - The Norwegian regulator (Datatilsynet) notifies Ridetech, Yandex LLC, and Yango Norway AS of its own emergency procedure regarding data transfers from Norway to Russia.
  • August 30, 2023 - Finland's emergency decision of August 4 is suspended.
  • August 31, 2023 - Norway's regulator notifies the parties it will not impose provisional measures but will continue investigating.
  • November 27, 2023 - Ridetech shifts encryption key storage from Russia to AWS servers in Frankfurt, though encrypted personal data continues to flow to Russia.
  • December 5, 2023 - The Dutch AP formally opens its investigation into Ridetech's transfers to Russia.
  • December 18, 2023 - Finnish and Norwegian regulators formally join the Dutch AP investigation.
  • February 2024 - Yandex N.V. group restructuring: MLU B.V. becomes a subsidiary of Y.E. Holding Limited (UAE). PPC Land reported on Yandex's divestment of Russian operations.
  • April 2, 2025 - The AP's International Research department completes its investigation report.
  • April 8, 2025 - The AP notifies Ridetech of its intention to impose enforcement measures and shares the investigation report.
  • June 10, 2025 - Ridetech submits its written response (zienswijze) to the investigation report.
  • June 16, 2025 - Ridetech presents its response orally before the AP.
  • July 11, 2025 - All data streams are routed exclusively through EU-based servers, according to Ridetech.
  • October 24, 2025 - Ridetech is formally dissolved. MLU B.V. assumes all rights and obligations of Ridetech.
  • April 1, 2026 - The Dutch AP issues its formal decision, imposing a 100 million euro fine and an immediate ban on transfers of Norwegian and Finnish Yango user data to Russia.
  • May 8, 2026 - NL Times reports on the fine and MLU's stated intention to challenge it.

Summary

Who: MLU B.V., the Netherlands-registered parent company of ride-hailing app Yango (formerly operating through its subsidiary Ridetech International B.V.), which is ultimately controlled by Russia-based Consortium.First via a chain including Y.E. Holding d.o.o. Beograd (Serbia) and Y.E. Holding Limited (UAE). The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is the lead supervisory authority under the GDPR One Stop Shop mechanism.

What: A 100 million euro administrative fine plus an immediate ban on further transfers of Finnish and Norwegian Yango user data to Russia. The AP found violations of Articles 44 and 46 GDPR (cross-border transfer rules) in conjunction with Article 5(1)(a) and Article 5(2) GDPR. The violations involved transferring personal data - including GPS location, social security numbers, driving licence scans, phone records, banking details, and chat conversations of both passengers and drivers - to Yandex.Taxi LLC and Yandex LLC in Russia without adequate safeguards. A secondary violation was the use of controller-processor standard contractual clauses when Yandex.Taxi LLC should have been treated as a joint controller rather than a processor.

When: The violation formally began on May 23, 2022 and was found by the AP to be still ongoing at the date of the decision, April 1, 2026. The AP decision was publicly reported on May 8, 2026.

Where: The Netherlands (lead authority jurisdiction), with data flowing from users in Finland and Norway to recipients in Russia (Yandex.Taxi LLC and Yandex LLC). Personal data was initially processed in Russian data centres; from November 27, 2023, it was stored in Amazon Web Services data centres in Frankfurt before onward transfer to Russia.

Why: Russian law - including the Yarovaya Law, the Russian Taxi Law (in force from September 1, 2023), and the SORM surveillance obligation - requires certain entities such as Yandex.Taxi LLC and Yandex LLC to provide Russian security services with access to data and encryption keys on request. The AP concluded this creates conditions under which EEA data subjects cannot be meaningfully protected, as Roskomnadzor - Russia's data protection regulator - is not an independent authority within the meaning of Article 45(2) GDPR, being subordinate to a government ministry and obliged to enforce legislation that conflicts with privacy interests. The AP also found that shared executive control between the data exporter and the Russian recipient rendered pseudonymisation and encryption insufficient protections in practice.
