Finnish DPA bans Yango taxi service transfers of personal data from Finland to Russia temporarily
The Finnish Data Protection Authority has issued an order to Yandex LLC and Ridetech International B.V. to suspend the transfer to Russia of any customers’ personal data that is collected in the Yango taxi service, and to cease the processing of the personal data collected. The temporary order will enter into force on 1 September and will, in principle, remain in force until 30 November. Based on the information received by the Finnish DPA, this order is necessary because of a legislative reform that will enter into force in Russia and which significantly weakens the protection of personal data when using the taxi service.
The Finnish DPA has become aware of a legislative reform that will enter into force in Russia at the beginning of September, under which the Federal Security Service of the Russian Federation will have the right to receive data processed in taxi operations. The information collected in the Yango taxi application may include, for example, a customer’s location information and the address of the taxi ride.
The Finnish DPA considers that it is not possible for Yango to protect personal data as required by EU law following the legislative reform in Russia. Therefore, an order to suspend the transfer of data is necessary.
Yango taxi service operates in Finland and Norway. According to Yango, the personal data of the taxi service is processed by Ridetech International B.V. in the Netherlands, a service provider of the Yango application in the EU. Further, according to information provided by Yango, the company is transferring personal data to Russia.
The data protection authorities of Finland and Norway are cooperating closely with the Dutch Data Protection Authority.
The decision of the Finnish DPA has been taken under an urgent procedure
The decision of the Finnish DPA has been taken under an urgency procedure set out by the EU General Data Protection Regulation (GDPR), which allows actions to be taken exceptional circumstances. Under this procedure, supervisory authorities may immediately adopt provisional measures where necessary to protect the rights and freedoms of persons. Such measures may be valid for a maximum of three months. The order of the Finnish DPA concerns Yango’s operations in Finland.
Yango may submit information to the Finnish DPA before September, if it considers that information to have an impact on the assessment of the matter. In addition, Yango must inform the Finnish DPA of the measures it takes based on the order.
The Finnish DPA may also request the European Data Protection Board (EDPB) to issue a binding order to Yango to terminate the transfer of data if the company does not intend to change its practice.
Decision of the Data Protection Ombudsman (an unofficial translation, PDF)
More information:
Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. 029 566 6766
From August 10th:
Deputy Data Protection Ombudsman Annina Hautala, annina.hautala(at)om.fi, tel. 029 566 6776
Deputy Data Protection Ombudsman, helja-tuulia.pihamaa(at)om.fi, tel. 029 566 6787