On 8 May 2026, the Dutch Autoriteit Persoonsgegevens fined MLU B.V. €100 million after finding that the European version of the Yango taxi app transferred personal data from Norway and Finland to Russia without adequate GDPR protection. That headline matters well beyond ride-hailing. For boards, the point is simple: if personal data can be accessed from a high-risk jurisdiction, the problem is not solved by a contract, a group chart, or a vendor assurance slide. It is a governance issue.
The AP says Yango stored a large volume of customer and driver data on servers in Russia, including driving licence scans, home addresses, contact details, account numbers, precise locations, trip data, images, chat content and social security numbers. The case was investigated with the Norwegian and Finnish authorities because the affected people were in those countries while MLU, the entity behind the app in Europe, is based in the Netherlands.
What the AP found
According to the AP notice, MLU failed to ensure that personal data transferred to Russia was protected to a standard equivalent to that in Europe. AP chair Aleid Wolfsen said the absence of an independent Russian data protection authority increased the risk that the Russian state could gain access to the data. The regulator tied the failings to real-world safety risk and a substantive compliance failure.
That point is worth dwelling on. This was not a narrow dispute about paperwork wording. It was about the destination environment. Under Article 44 and Article 46 GDPR, organisations can move personal data outside the EEA only where the transfer mechanism and the facts on the ground preserve an essentially equivalent level of protection. If local law gives security services broad access, the transfer assessment changes.
Why this is a board-level warning
The clearest signal comes from an earlier Norwegian supervisory letter in the same Yango matter. In August 2023, Datatilsynet said transfers connected to the app were contrary to GDPR Chapter V and pointed to Russian rules requiring 24/7 remote access for state security bodies to taxi-service databases from 1 September 2023. Datatilsynet expressly cited Article 44, Article 46 and the Schrems II standard on third-country access to personal data.
That is why this fine belongs on a board agenda. Many businesses still treat international transfers as a legal annex handled once during procurement. In practice, the risk often sits elsewhere: support engineers in another jurisdiction, a parent company with back-end access, a shared analytics environment, or a vendor that quietly routes data to an affiliate. If the real access path is not mapped, the transfer assessment is fantasy.
Measured Collective’s earlier piece on transfer guidance makes the same point from a UK angle: the question is not whether a transfer clause exists, but whether the organisation has tested how data actually moves and who can reach it.
What organisations should check now
- Map actual access, not merely the formal hosting location. Ask where support, development, analytics and fraud teams can view or pull personal data.
- Review vendor and group-company onward transfers. A UK or EU contract does not help much if the recipient can still expose the data elsewhere in the chain.
- Re-run transfer risk assessments where the destination country creates surveillance or enforcement risk. Document why your safeguards still work, or stop the flow.
- Escalate sensitive combinations to leadership. Location data, travel history, identity documents and employee records should not move to high-risk jurisdictions without legal sign-off and operational controls.
Why the lesson goes beyond taxi apps
Most companies are not running a taxi platform in Finland or Norway. That misses the point. The same legal question appears when HR systems are supported from overseas, when SaaS vendors use offshore engineering teams, or when group companies pool customer records for analytics. Once regulators conclude that the destination regime can cut through your safeguards, the compliance story changes fast. The legal risk can then turn into customer-notice risk, employment risk, procurement risk and, as our piece on cross-border lawsuits shows, litigation risk as well.
MLU may challenge the fine. Even so, the AP’s message of 8 May 2026 is already clear: if your organisation transfers personal data into an environment where state access risk cannot be credibly controlled, regulators will not treat standard clauses as a magic shield. They will ask what the board knew, what the organisation checked, and why the transfer was allowed to continue.
If your team needs a practical grounding before reviewing transfer governance, the GDPR Essentials course covers GDPR principles, lawful bases, data subject rights and the accountability habits that stop this sort of problem becoming a headline.
