The Netherlands
Ridetech International B.V.
GDPR enforcement action by Dutch Supervisory Authority for Data Protection (AP) on 2026-04-01.
Case details
- Authority
- Dutch Supervisory Authority for Data Protection (AP)
- Date
- 2026-04-01
- Controller / Processor
- Ridetech International B.V.
- Sector
- Transportation and Energy
- Quoted Articles
- Art. 5 (1) a), (2) GDPR, Art. 44 GDPR, Art. 46 GDPR
- Type of violation
- Insufficient legal basis for data processing
Summary
The Dutch DPA has imposed a fine of EUR 100,000,000 on Ridetech International B.V. The controller, the operator of the taxi app "Yangoo", has failed to implement adequate guarantees for the transfer of personal data into a third country. In order for the app to function, it was necessary to process personal data, but the servers on which the data was stored were located in the Russian Federation. As there is no adequacy decision for the Russian Federation, the controller needed to implement appropriate safeguards, enforceable data subject rights and effective legal remedies. However, the controller failed to implement these safeguards, as it falsely assumed its role to be that of a processor, using 'processor to processor' clauses in the SCC instead.
Related fines