In the context of recent media reports regarding access to personal data processed through the “Yandex Go” application (such as: mobile device data, names, phone numbers, email addresses, banking information, and addresses for taxi routes), the National Center for Personal Data Protection (NCPDP) provides the following clarifications and recommendations for data subjects:
– Section 2: Who processes your personal information: To provide you with access to the Sites and Services, your personal information is collected and used by Yandex which may include YANDEX LLC, a company incorporated under Russian law, with a head office registered at 119021, Russia (“YANDEX” LLC), or its affiliates for particular Services or in specific jurisdictions.
– Section 8: Where your Personal information is stored and processed: Yandex stores Personal information in the Russian Federation and in the EEA. … by using the Sites or Services you provide Yandex with your express and unambiguous consent to such transfer, storage, and/or processing of the information in other jurisdictions, including Russia.
Furthermore, when foreign systems/platforms are used that are managed or created by non-resident controllers whose servers are located outside the country, the personal data collected/processed through these systems/platforms is implicitly transferred across borders, which makes the provisions of Article 32 of Law No. 133/2011 on personal data protection mandatory.
In these circumstances, the cross-border transfer of personal data to States which do not provide an adequate level of protection (such as, for example, the Russian Federation) can fall under the conditions set out in Article 32 para. (5) of Law No. 133/2011 on personal data protection. This article stipulates that the transmission of personal data to States which do not provide an adequate level of protection may take place:
- b) with the consent of the data subject, with information on the possible risks that such transfers may involve for the data subject due to the lack of a decision on the adequacy of the level of protection and adequate safeguards;
- i) if the processing takes place on the basis of the standard contract for the cross-border transmission of personal data, developed and approved by the Center, concluded by the controller.
Also, it should be noted that in the case of taxi management platforms owned by non-resident entities but operating and/or having legal effects on the territory of the Republic of Moldova, competent state authorities may encounter obstacles and/or may not be able to exercise effective control over potentially harmful activities.
Furthermore, in the circumstances described above, the data subject will also lose control over their personal data and will have difficulty exercising the rights established by Law No. 133/2011 on personal data protection.
In the context of the abovementioned information, and considering that personal data transferred cross-border to States which do not provide an adequate level of protection could be used to the detriment of data subjects or for purposes other than those declared by the data controller, through the Opinion submitted to the Government regarding the Project on legislative initiative No. 252 of July 13, 2023, NCPDP has proposed, among other things:
… in the context of ensuring the effective protection of processed personal data, it would be appropriate to inspect the possibility of establishing a standard regarding the use of automated management systems/platforms managed/maintained/stored within the territory of the Republic of Moldova. Moreover, taking into account the provisions of Article 4 and Article 5 para. (5) letter b) of Law No. 133/2011 on personal data protection, the obligations/rules for processing personal data (such as, for example: the use of national electronic management systems/platforms, as well as the storage of servers within the territory of the Republic of Moldova, without allowing the cross-border transfer of personal data) must be provided for by law.