2024-09-23

Decision Concerning Illegal International Data Transfer by Ltd "Raidtech Georgia" (Yandex GO/Yandex Pro)

---

Personal Data Protection Service of Georgia inspected Ltd "Raidtech Georgia" (Yandex GO/Yandex Pro) and studied its potential illegal international data transfer to another State. The company provides taxi services "Yandex GO" (passengers) and "Yandex Pro" services (to drivers) to its customers via its application.

The inspection process revealed, that during the internet connection monitoring process, the application was linked to the servers located in the Russian Federation. Ltd "Raidtech Georgia", via its application, has its technical process of personal data processing of customers’/data subjects’ registered from Georgia (drivers/passengers) organized in a way, that during the proper functioning of the system, specifically, during the establishment of the network connection with servers located in the Russian Federation, application device global network address ("IP Address") becomes visible for the servers – consequently, the network address "IP Address" is being transferred (made available) to another State.

It is noteworthy that prior to the inspection, Ltd "Raidtech Georgia" approached the Personal Data Protection Service of Georgia and requested a permit to transfer personal data processed in the territory of Georgia to the Russian Federation. Personal Data Protection Service of Georgia studied the case related to international data transfer (to the Russian Federation) at hand, including, the matter of sufficient protection guarantees of data subjects' rights - as the significant precondition of the international data transfer, and hence considered, that there was no reasonable expectation of proper guarantees of protection of the data subject's rights, including the protection of the principle of data security in the Russian Federation. Hence, according to the decree of the President of the Personal Data Protection Service of Georgia, "Raidtech Georgia" (Yandex GO/Yandex Pro) was not granted permission for the international data transfer to another State (to the Russian Federation).

Having considered all facts noted above, the Personal Data Protection Service of Georgia found that Ltd "Raidtech Georgia", when transferring the personal information of data subjects registered from Georgia (passengers/drivers) internationally via its application, violated the requirements of the Law of Georgia on Personal Data Protection. As a result of the non-compliance, the company was found to violate the Law of Georgia on Personal Data Protection, and a fine of 4,000 GEL was imposed as an administrative penalty. Ltd "Raidtech Georgia" was ordered to stop the transferring of the personal data (global network address/"IP Address") of the customers/data subjects registered from Georgia (passengers/drivers) via its application to the Russian Federation.