
Dutch DPA Fines Taxi App €100M Over Unlawful Transfers of Personal Data to Russia, Despite Use of EU Standard Contractual Clauses
Why It Matters
The ruling signals that EU regulators will penalize superficial SCC usage, forcing multinational firms to implement concrete, verifiable safeguards for cross‑border data flows, especially to high‑risk jurisdictions.
Key Takeaways
- Dutch DPA levied $109 million fine on Yango operator
- SCCs used were for controller‑processor, but Russian entity is joint controller
- Encryption keys stored on Russian servers increased re‑identification risk
- Same director oversaw Dutch and Russian entities, compromising key access
- AP stressed robust safeguards for transfers to high‑risk jurisdictions
Pulse Analysis
The European Union’s data‑transfer framework has evolved from a paperwork‑centric model to one that demands demonstrable protection measures. While Standard Contractual Clauses remain a cornerstone for lawful cross‑border flows, regulators now scrutinize whether the contractual module aligns with the actual relationship between parties. In the Yango case, the Dutch authority highlighted a misclassification: the Russian affiliate acted as a joint controller, rendering the controller‑processor SCC template ineffective. This nuance illustrates how a seemingly compliant contract can unravel under detailed examination.
Technical safeguards are equally critical. The investigation revealed that encryption keys were housed on servers located in Russia, and a single individual held directorship roles in both the Dutch and Russian entities. Such arrangements elevate the risk of unauthorized access, particularly from Russian public authorities, and breach the GDPR’s requirement for an essentially equivalent level of protection. Companies must therefore adopt robust key‑management practices, enforce strict access controls, and ensure that any shared personnel do not create conflict‑of‑interest scenarios that could compromise data integrity.
Looking ahead, the fine serves as a cautionary benchmark for multinational corporations handling EU personal data. Data protection authorities across the EU are increasingly coordinated, sharing insights and pursuing joint actions against inadequate safeguards. Firms should conduct comprehensive transfer impact assessments, tailor SCCs to reflect true controller relationships, and embed technical and organizational measures that can withstand regulatory audits. By doing so, they not only avoid hefty penalties but also reinforce consumer trust in an era where data privacy is a competitive differentiator.