Tietosuojavaltuutetun toimisto (Finland) - 7732/161/23

From GDPRhub
Tietosuojavaltuutetun toimisto - 7732/161/23
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 46 GDPR
Article 58(2)(f) GDPR
Article 66 GDPR
Article 60 GDPR
Type: Investigation
Outcome: Other Outcome
Started:
Decided:
Published:
Fine: n/a
Parties: Ridetech International BV
Yandex LLC
National Case Number/Name: 7732/161/23
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Finnish DPA (in FI)
Initial Contributor: Bernardo Armentano

Based on Articles 66 and 58(2)(f) GDPR, the Finnish DPA issued a temporary ban on the transfers of personal data collected through a taxi service app from Finland to Russia.

English Summary

Facts

Yango is a taxi services mobile app available in the European Economic Area. This app is operated mainly by Ridetech International BV, but also by Yandex Oy. The first company is based in the Netherlands, while the latter is based in Finland. They act as controllers for the processing of personal data carried out through Yango app.

Initially, the lawfulness of personal data processing carried out through the app was being investigated under a cooperation procedure between the Dutch and the Finnish DPA, pursuant to Article 60 GDPR The conclusion of these investigations was that personal data from Yango users were transferred to Russia based on standard contractual clauses (SCCs) pursuant toArticle 46 GDPR.

With regard to the transfers of personal data from Yandex Oy to Yandex LLC, located in the Russian Federation, the Finnish DPA considered itself as the lead competent authority. Upon learning that a law would enter into force in Russia, allowing public authorities of that country to have access to the data of taxi passengers, the Finnish DPA initiated an urgent procedure based on Article 66 GDPR to further investigate the matter.

Holding

The DPA stressed that while SCCs are a valid transfer mechanism, they do not provide the controller an absolute right. On the contrary, it is the controller's duty to ensure that these transfers are in accordance with the general objectives of the GDPR and with Article 8 of the Charter of Fundamental Rights.

The DPA referred to the judgment of the CJEU in the Schrems II case and stated that controllers must assess whether the authorities of third countries can have access to the data they are transferring abroad.

The DPA also highlighted that such transfers had already been reviewed in the cooperation procedure. However, with the new legislation entering into force in September 2023, it considered that Russian authorities would be legally empowered to have very broad access to personal data collected in Finland. In the DPA's view, this constituted a desproportionate limitation to the rights and freedoms of data subjects. Therefore, it held that SCCs were no longer sufficient to ensure an adequate level of protection.

Based on these reasons, the DPA decided that the processing of personal data carried out through Yango app was contrary to Articles 44, 46 and Chapter V GDPR. Moreover, it found that the conditions set for the urgency procedure were met, in accordance with Article 66 GDPR.

The DPA then temporarily prohibited controllers from transferring personal data collected through Yango app from Finland to Russia, based on Article 58(2)(f) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The data protection officer's decision on banning and suspending data transfers

Keywords: data transfers
processing of personal data
urgent procedure

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 7732/161/23

Thing

Data Protection Commissioner's decision for Ridetech International B.V. and Yandex LLC to prohibit and suspend data transfers to the Russian Federation.

Data Controllers

Ridetech International B.V. (Yango taxi service app)

Yandex LLC

Background of the matter

Yango is a taxi service that is operated using a mobile application. Ridetech International B.V., located in the Netherlands, acts as the service provider of the Yango application in the European Economic Area. (formerly Yandex.Taxi B.V.). The matter regarding the Yango application and the legality of personal data transfers has been discussed in the cooperation procedure of the European data protection authorities. According to the report obtained in the case, the personal data of Yango application users will be transferred to the Russian Federation. The Dutch supervisory authority, Autoriteit Persoonsgegevens, has acted as the leading supervisory authority in the case. The Data Protection Commissioner is the supervisory authority involved in the case.

Insofar as this decision concerns the processing of personal data by Yandex LLC located in the Russian Federation, the Data Protection Commissioner is competent under Article 58 of the General Data Protection Regulation.

Cleared up

On May 22, 2019, the Office of the Data Protection Commissioner has requested an explanation from Yandex Oy about which entity acts as the personal data registrar for the Yango application. Yandex Oy has responded to the clarification request on June 28, 2019. According to the report, Ridetech International B.V., located in the Netherlands, acts as the service provider of the Yango application in the European Economic Area. (formerly Yandex.Taxi B.V.). Ridetech International B.V. acts as the data controller for most of the personal data processed in connection with the Yango application. According to the report obtained in the case, Yandex LLC also participates in the processing of personal data in connection with the Yango application. The Data Protection Commissioner considers that this operator should therefore be treated as the data controller in the matter in accordance with the General Data Protection Regulation.

Hearing of interested parties

According to section 34 subsection 1 of the Act on National Administrative Procedure (Administrative Act 434/2003), before the case is resolved, the party concerned must be given an opportunity to be heard and give an explanation of such demands and explanations that may affect the resolution of the case. According to subsection 2, clause 4 of the provision, the case may be decided without a hearing, if the hearing might jeopardize the implementation of the purpose of the decision.

On August 3, 2023, the Data Protection Commissioner has become aware that a law will enter into force in the Russian Federation on September 1, 2023, which gives the authorities a broad right to access the data of taxi passengers. Based on the reasons presented later in this decision, the purpose of this temporary decision is to suspend the transfer of data from Finland to the Russian Federation before the entry into force of said regulation.

According to the data protection commissioner's assessment, the hearing in this matter and the notification of the subsequent decision would take so long that the purpose of the decision would be obstructed and the legal protection of persons using the Yango application in Finland would be seriously compromised. The Data Protection Commissioner considers that hearing the interested party in the case would jeopardize the realization of the purpose of the decision.

Due to the above, the matter is resolved with a temporary decision without consulting the parties, based on Section 34, Subsection 2, Section 4 of the Administrative Law.

Processing of the case in the sanctions panel of the data protection authorized officer's office

According to the second paragraph of Section 14 of the rules of procedure of the Office of the Data Protection Commissioner, the sanctions panel deals with the matter of the prohibition of processing and the suspension of data transfers stipulated in Article 58, Paragraph 2, Subsections f and j of the General Data Protection Regulation.

The Sanctions Board of the Office of the Data Protection Commissioner has discussed the matter in an urgently convened meeting on August 4, 2023. The data protection commissioner has made a decision in the matter after consulting the sanctions panel. The sanctions panel was unanimous in the matter.

Applicable legislation

Transfers of personal data to third countries

Transfers of personal data to third countries or international organizations are regulated in Chapter V of the General Data Protection Regulation. The general principle regarding transfers is stipulated in Article 44 of the said chapter, according to which the transfer of personal data that is processed or is intended to be processed after being transferred to a third country or an international organization is only carried out if the controller and the processor of personal data comply with the conditions established in this chapter and unless other provisions of this regulation otherwise; this also applies to the onward transfer of personal data from the third country or international organization in question to another third country or another international organization. All provisions of this chapter must be applied to ensure that the level of protection of personal data of natural persons guaranteed by this regulation is not compromised.

Article 46 of the General Data Protection Regulation provides for transfers of personal data with the application of appropriate protective measures. According to paragraph 1 of that article, unless a decision has been made in accordance with paragraph 3 of article 45, the controller or personal data processor may transfer personal data to a third country or an international organization only if the controller or personal data processor in question has implemented appropriate protective measures and if the data subjects have enforceable rights and effective legal remedies available to them .

According to paragraph 2 of that article, the appropriate protective measures referred to in paragraph 1 above may be the following, without requiring a special authorization from the supervisory authority: a) a legally binding and enforceable instrument between authorities or public bodies; b) the binding rules for the company under Article 47; c) standard data protection clauses issued by the Commission following the review procedure referred to in Article 93, paragraph 2; d) standard clauses regarding data protection, which are confirmed by the data protection authority and which are approved by the Commission following the review procedure referred to in Article 93(2); e) the approved codes of conduct referred to in Article 40 together with the binding and enforceable commitments of the third-country controller or personal data processor to apply appropriate safeguards, including the rights of data subjects; f) the approved certification mechanism referred to in Article 42 together with binding and enforceable commitments of the third country controller or processor of personal data to apply appropriate safeguards, including the rights of data subjects.

According to paragraph 3 of the article, with the permission of the competent supervisory authority, the appropriate protective measures referred to in paragraph 1 may also include the following in particular: a) contractual clauses between the controller or processor of personal data and the controller, processor or recipient of a third country or international organization; or b) provisions that are included in administrative arrangements between authorities or public bodies and that include enforceable and effective rights of data subjects.

According to paragraph 4 of the article, the supervisory authority must apply the conformity mechanism referred to in article 63 in the cases referred to in paragraph 3 of this article. According to Article 5, approvals issued by a Member State or a supervisory authority pursuant to Article 26(2) of Directive 95/46/EC shall remain valid until the relevant supervisory authority changes them, replaces or revokes them if necessary. Decisions issued by the Commission pursuant to Article 26(4) of Directive 95/46/EC shall remain in force until, if necessary, they are amended, replaced or revoked by a Commission decision issued pursuant to Article 2 of this Article.

Competence of the supervisory authority

Article 56 of the General Data Protection Regulation provides for the competence of the leading supervisory authority. Article 60 of the General Data Protection Regulation provides for cooperation between the leading supervisory authorities and other participating supervisory authorities.

Article 58 of the General Data Protection Regulation provides for the powers of supervisory authorities. According to the said Article 2, sub-paragraph f, the authority can impose a temporary or permanent restriction on processing, including a ban on processing. According to subsection 2 of the said article, the authority can order the suspension of data transfers to a recipient in a third country or to an international organization.

Urgent procedure

According to Article 66 of the General Data Protection Regulation regarding the urgent procedure:

1. If, in exceptional circumstances, the relevant supervisory authority considers that it is necessary to implement urgent measures to protect the rights and freedoms of the data subjects, it may, deviating from the conformity procedure referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt temporary measures intended to produce legal effects on its own in the region and which are valid for a certain period of time, which can be a maximum of three months. The supervisory authority must immediately notify other relevant supervisory authorities, the Data Protection Council and the Commission of such measures and the reasons for their approval.

2. If the supervisory authority has implemented a measure pursuant to paragraph 1 and considers that it is urgent to approve final measures, it may request an urgent opinion or an urgent binding decision from the Data Protection Board, presenting the reasons for requesting such an opinion or decision.

3. Each supervisory authority may, as the case may be, request an urgent opinion or an urgent binding decision from the Data Protection Council if the competent supervisory authority has not taken the necessary measures in a situation where urgent measures must be taken to protect the rights and freedoms of data subjects, presenting the reasons for requesting such an opinion or decision and for taking urgent measures.

4. The urgent statement or urgent binding decision referred to in paragraphs 2 and 3 of this article shall be confirmed, deviating from Article 64 paragraph 3 and Article 65 paragraph 2, within two weeks by a simple majority of the members of the Data Protection Council.

Hearing of interested parties

According to section 34 subsection 1 of the Act on National Administrative Procedure (Administrative Act 434/2003), before the case is resolved, the party concerned must be given an opportunity to be heard and give an explanation of such demands and explanations that may affect the resolution of the case.

According to section 34, subsection 2, subsection 4 of the Administrative Law, the case may be decided without hearing the parties involved, if the hearing may endanger the implementation of the purpose of the decision or the delay in processing the case caused by the hearing causes considerable harm to human health, public safety, or the environment.

Compliance with the order and appeal

Pursuant to section 25 subsection 3 of the Data Protection Act (1050/2018), the decision of the data protection commissioner or deputy data protection commissioner may stipulate that the decision must be followed regardless of an appeal, unless the appeals authority orders otherwise.

A legal question

The matter has to be resolved,

1. Is the processing of personal data in connection with the Yango application contrary to the general principle of Article 44 of the General Data Protection Regulation, Article 46 and the provisions of Chapter V regarding transfers of personal data to third countries,

2. Can the matter be handled in the urgent procedure according to Article 66 of the General Data Protection Regulation; and

3. Should the data controller be prohibited from processing personal data of users of the Yango application pursuant to Article 58(2)(f) of the General Data Protection Regulation and/or ordered to suspend the transfer of personal data collected in connection with the Yango application to a recipient in a third country pursuant to Article 58(2)(j) of the General Data Protection Regulation or to an international organization.

The data protection officer's decision and reasons

Decision

1. The Data Protection Commissioner considers that the processing of personal data in connection with the Yango application is contrary to the general principle of Article 44, Article 46 and Chapter V of the General Data Protection Regulation regarding transfers of personal data to third countries.

2. The Data Protection Commissioner considers that the conditions set for the urgency procedure according to Article 66 of the General Data Protection Regulation are met with the criteria presented in more detail below.

3. The Data Protection Commissioner prohibits the data controller from processing the personal data of Yango application users in order to transfer it from Finland to the Russian Federation pursuant to Article 58(2)(f) of the General Data Protection Regulation.

Pursuant to Article 58(2)(j) and Article 66(1) of the General Data Protection Regulation, the Data Protection Commissioner orders the data controller to suspend the transfer of personal data collected in connection with the Yango application from Finland to the Russian Federation.

The processing ban and the order to suspend data transfers will enter into force on September 1, 2023. It is a temporary decision that is valid for three months, until November 30, 2023.

Pursuant to § 25 subsection 3 of the Data Protection Act (1050/2018), the Data Protection Commissioner orders the data controller to comply with the order regarding the suspension of data transfers despite the appeal.

The Data Protection Commissioner orders the data controller to provide the Data Protection Commissioner's office with information on what measures it will take as a result of this decision by August 25, 2023.

The controller can also provide the data protection commissioner's office with other information that it considers to have an impact on the assessment presented in this decision. Based on this information, the Data Protection Commissioner can reassess the necessity of a processing ban and processing suspension.

Reasoning

Legality of data transfers

The matter regarding the Yango application and the legality of personal data transfers has been discussed in the cooperation procedure of the European data protection authorities. According to the report obtained in the case, the personal data of the users of the Yango application is transferred to Russia based on the protection measures in accordance with Article 46 of the General Data Protection Regulation. Said protective measure is in itself in accordance with the General Data Protection Regulation, so in principle it enables the transfer of personal data also to a third country whose adequate level of data protection has not been decided by the Commission in accordance with Article 45 of the General Data Protection Regulation. However, said protection measures do not create an absolute right for the data controller to transfer data to a third country. The data controller must ensure that data transfers are also in accordance with the general objectives of the General Data Protection Regulation and Article 8 of the Charter of Fundamental Rights of the European Union (CJEU judgment in case C-311/18 – Data Protection Commissioner vs Facebook Ireland and Maximillian Schrems (hereinafter Schrems II), paragraphs 90 –121). Following the judgment of the European Court of Justice in the Schrems II case, such assessment must in particular take into account whether the authorities of the third country have access to the transferred personal data (Schrems II, paragraph 104).

The Court of Justice of the European Union has held in its case law that the competent supervisory authority must suspend or prohibit the transfer of personal data to a third country based on standard data protection clauses issued by the Commission, if this supervisory authority considers, in the light of all the circumstances of this transfer, that these clauses are not or cannot be complied with in this third country and that in Union law, especially in Articles 45 and 46 of the General Data Protection Regulation and the Charter of Fundamental Rights, the protection of the transferred data cannot be ensured by other means, insofar as the controller established in the Union or its personal data processor has not itself suspended or terminated the transfer (Schrems II, paragraph 121). This may be due, for example, to the legislation of a third country.

The activities of said registrars have already been reviewed in the cooperation procedure. However, the new legislation, which will enter into force on September 1, 2023, creates the right for the executive authority of the security services of the Russian Federation to have round-the-clock remote access to databases and information systems used to receive, store, process and send taxi orders. This enables the said authority to have very broad access to personal data collected in Finland.

The European Court of Justice has emphasized in its judgment in the Schrems II case that exceptions and limitations regarding the protection of personal data must be proportionate to the goals pursued and must be implemented within the limits of absolute necessity (including the disclosure of this personal data to the authority (Schrems II, paragraph 171)). Legislation on exceptions and limitations must have clear and detailed provisions on the application of the exception or limitation, and set protective measures regarding exceptions and limitations. Legislation must in particular set conditions for exceptions and limitations to ensure that the protection of personal data is not restricted more than is necessary (Schrems II, paragraph 176). Such conditions often include ex ante control measures to limit the authority's access to the information, such as a separate decision by an independent and independent court on the authority's right to access the information. In the case handled by the data protection commissioner, there are no such protective measures. The national authority would have broad and unrestricted access to data under the regulations coming into force in the Russian Federation.

The Data Protection Commissioner considers that from the above there is a significant and concrete risk that personal data collected from Finland and transferred to the Russian Federation would be processed in a way that does not meet the requirements of the General Data Protection Regulation or the data transfer mechanisms stipulated therein, and would also not be in accordance with the European Charter of Fundamental Rights.

Regarding the processing of the case in an urgent procedure

Matters concerning the processing of personal data that have effects in the territory of several member states (and EEA countries) are dealt with in the so-called cooperation procedure according to Article 60 of the General Data Protection Regulation. The leading supervisory authority is determined in said procedure according to the head office of the data controller defined in Article 4, subsection 16. In the case at hand, the service provider of the Yango application in the European Economic Area is Ridetech International B.V., located in the Netherlands, according to the previously received report. (formerly Yandex.Taxi B.V.). Consequently, the Dutch supervisory authority Autoriteit Persoonsgegevens has acted as the leading supervisory authority in matters concerning the Yango application. Other supervisory authorities participating in the handling and decision of the case in the procedure according to Article 60 are participating supervisory authorities according to the definition of Article 4, paragraph 22. The Data Protection Commissioner has been the supervisory authority involved in the case.

However, according to Article 66, paragraph 1 of the General Data Protection Regulation, the participating supervisory authority may, in exceptional circumstances, deviating from the prescribed procedure, immediately approve temporary measures.

In connection with a telephone conversation with a Helsingin Sanomat reporter on August 3, 2023, the Data Protection Commissioner has received information about the new legislation regarding taxi service providers that will enter into force on September 1, 2023 in the Russian Federation. In December 2022, the Russian Federation has adopted a federal law (Law of the Russian Federation No. 580-FZ, regarding the organization of transportation of passengers and luggage by passenger taxis in the Russian Federation, amending certain regulations of the Russian Federation and recognizing certain regulations as invalid. The law has been approved in the Duma on 22 December 2022, the Federal Council has approved the law 23/12/2022 and the President has signed the law on 29/12/2022. The law can be read on the online service maintained by the Russian authorities: actual.pravo.gov.ru/text.html#pnum=0001202212290039, visited 4/8/2023), which requires the taxi service provider to give the federal security executive for the body or its regional body to access the taxi service's information systems and databases. For the Yango taxi application, such information could be, for example, the addresses where the customer was picked up and taken to.

In accordance with Section 14, Clause 7 of the Law on the Organization of the Transportation of Passengers and Luggage by Passenger Taxis in the Russian Federation, access must be granted to information systems and databases used to receive, store, process and transfer passenger taxi orders in the manner prescribed by the Government of the Russian Federation.

The Government of the Russian Federation has issued a decree on the same issue on July 4, 2023 (Decree of the Government of the Russian Federation N. 1101, issued on July 4, 2023. The decree can be read on the online service maintained by the Russian authorities: http://publication.pravo.gov.ru/document/ 0001202307070021, visited 4 August 2023). The said regulation has given rules according to which the executive body of the security sector must be given access to the taxi service's data. In accordance with paragraph 2 of the rules established by said decree, the passenger taxi order service operating in the online service must offer the executive of the state security service round-the-clock remote access to the information systems and databases used to receive, store, process and send taxi orders.

Both the above-mentioned federal law of the Russian Federation regarding the provision of information and the supplementing decree of the Government of the Russian Federation will enter into force on September 1, 2023.

The Data Protection Commissioner considers that the data controller cannot be considered capable of complying with the protective measures laid down in Article 46 of the General Data Protection Regulation, nor the protective measures laid down elsewhere in the General Data Protection Regulation, nor the right to the protection of personal data according to Article 8 of the EU Charter of Fundamental Rights, especially when organizing the transport of passengers and luggage by passenger taxis in Russia in the federation, the relevant law has entered into force. Since said legislation enters into force on September 1, 2023, the matter must be dealt with in the urgent procedure referred to in Article 66 of the General Data Protection Regulation. It would not be possible to handle the matter in the usual cooperation procedure before the entry into force of the law in question, as it follows from the procedural regulations according to Article 60 of the General Data Protection Regulation that the processing of the draft decision takes at least four weeks.

Based on the reasons presented above, the data protection commissioner considers that the unrestricted access of the national security service of the Russian Federation to the personal data of taxi passengers seriously endangers the basic rights and freedoms of registered users in Finland. The Data Protection Commissioner also emphasizes that such unrestricted access to personal data is contrary to Article 10 of the Finnish Constitution and Article 8 of the Charter of Fundamental Rights of the European Union. Also for this reason, an urgent procedure order is necessary to protect the interests of the registered.

Due to the urgency of the matter, the lack of appropriate protective measures and the risks to the rights and interests of the data subjects, the Data Protection Commissioner considers that the requirements of exceptional circumstances and the need for urgent measures referred to in Article 66 of the General Data Protection Regulation are met in this case.

Further processing of the case and the points to be taken into account

Based on the statement provided by the data controller in April 2022, the main office of the data controller according to Article 4, paragraph 16 of the General Data Protection Regulation is located in the Netherlands. In August 2023, the data protection commissioner's office has received information from the Dutch supervisory authority that several business reorganizations have taken place in Yandex Group.

Taking into account that this decision is about a temporary urgent measure to protect the rights and freedoms of registered users in Finland, in the further investigation of the matter, it is still necessary to assess if and how the business arrangements affect the personal data processed in connection with the Yango application, who or who should be considered the controller. This also has an impact on who is to be considered the competent supervisory authority.

Therefore, the final decision in the matter is made by the leading supervisory authority, the European Data Protection Board or the Data Protection Commissioner as the competent supervisory authority.

Applicable legal provisions

Those mentioned in the decision.

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the Helsinki Administrative Court.

The notice of appeal is attached.

Service

The decision is notified in accordance with Sections 60 and 63 of the Administration Act (434/2003).

Learn more about this decision

Chief Inspector Meeri Blomberg

The decision was made by the data protection commissioner Anu Talus.

Distribution

Data Controllers
Dutch supervisory authority
Norwegian supervisory authority
European Data Protection Board
the European Commission
Traficom
Ministry of Transport and Communications
Ministry of Justice