On April 1, 2026, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposed a €100 million fine on MLU B.V., the Dutch operator of the Yango taxi app. The AP found that personal data of EU users was unlawfully transferred to affiliated entities in Russia, despite the formal use of the EU Standard Contractual Clauses (SCCs).
The decision highlights, once again, that SCCs alone are not sufficient if they are not correctly structured and supported by effective technical and organizational measures.
Key Facts
- In 2020–2021, the Finnish and Norwegian data protection authorities alerted the AP of potential transfers of Yango user data from the Netherlands to Russia by the group’s Dutch operator, then known as Ridetech.
- Although SCCs were in place, the AP launched a detailed investigation into the group’s data transfer arrangements.
- During the investigation, Ridetech was dissolved. Its rights and obligations were assumed by MLU B.V., which is ultimately owned by entities based in Russia, Serbia, and the UAE.
- The AP reviewed both the contractual setup (including the SCCs) and the technical and organizational measures (TOMs) implemented to protect EU personal data transferred to Russia.
What the AP Found
The AP identified several critical deficiencies:
- Incorrect use of the SCCs: Ridetech relied on an SCC module applicable to controller‑processor relationships when transferring data to a Russian group entity providing a SaaS solution. The AP concluded that the Russian entity should instead be treated as a joint controller, rendering the SCCs ineffective.
- Insufficient safeguards for transfers to Russia: The AP found that the TOMs failed to ensure an essentially equivalent level of protection, in particular because:
-
- For a period of time, encryption keys were stored on servers in Russia, increasing re‑identification risks.
- The same individual was a director of both the Dutch and Russian entities, creating practical access risks to encryption keys regardless of their nominal location.
- The Russian entities could not demonstrate that effective safeguards were in place to prevent access by Russian public authorities to EU personal data.
Based on these findings, the AP concluded that the data transfers were unlawful, notwithstanding the formal implementation of SCCs, and imposed the fine on MLU B.V. as Ridetech’s legal successor.
Why This Matters
This decision reinforces several core principles for international data transfers:
- SCCs must reflect reality. The chosen SCC module must accurately match the actual roles of the exporting and importing parties.
- Safeguards must be effective in practice. Encryption, key management, and access controls must withstand scrutiny in light of the legal environment of the destination country.
- High‑risk jurisdictions demand heightened care. Transfers to countries where public authority access is a concern require particularly robust, demonstrable protections.
For multinational groups, the case is a clear reminder that intra‑group SCCs are not a “set‑and‑forget” solution.
If you have questions about this decision or about structuring lawful international data transfers, the Alston & Bird Privacy, Cyber & Data Strategy team is available to help.
