Yandex Metrica and Data Protection – What Belongs in the Privacy Policy

Concise guide to Yandex Metrica: data processed, purposes, legal bases (GDPR), third-country transfer to Russia and what website operators must include in their privacy policy.

Yandex Metrica is a Russian web analytics and session recording tool that enables website operators to analyze user behavior. It collects extensive data – from click paths to session recordings to heatmaps – and transfers it to Russia, an unsafe third country without an EU adequacy decision.

Anyone using Yandex Metrica must clearly disclose in the privacy policy what data is collected, for what purposes, on what legal basis and – particularly important – that a third-country transfer to Russia takes place. Without appropriate transparency and legal bases, use violates the GDPR.


A. Purpose and Function of Yandex Metrica

Yandex Metrica combines classic web analytics with advanced session tracking functions:

  • Web analytics: Page accesses, time spent, bounce rate, traffic sources
  • Session Recording (Webvisor): Recording of mouse movements, clicks, scrolling and keyboard inputs within individual user sessions
  • Heatmaps: Visual representation of where and how often users click or scroll
  • Form analyzer: Analysis of form interactions and drop-off rates
  • Conversion tracking: Tracking of goal conversions and event-based metrics
  • Device detection: Capture of browser, operating system, device type, resolution

Data collection takes place via a JavaScript snippet embedded in the HTML code of the website.


B. Mandatory Disclosures when Using Yandex Metrica

Operators of a website that uses Yandex Metrica must address at least the following points in their privacy policy:

  1. That Yandex Metrica is used – clear naming of the tool
  2. What data is collected – list of data types
  3. For what purpose – analysis and optimization of the website
  4. To whom the data is transmitted – naming of Yandex LLC
  5. Storage duration – cookie lifetime and session data
  6. Legal basis – usually consent for cookies and session recording
  7. Third-country transfer – explicit reference to Russia as an unsafe third country
  8. Objection options – opt-out, cookie rejection, browser settings


C. Provider of Yandex Metrica

Provider: Yandex LLC (Yandex Limited Liability Company)
Country of seat: Russia
Privacy Policy: https://yandex.com/legal/privacy/

Corporate structure after 2022: Following geopolitical events, Yandex has restructured its corporate organization. The successor structures and current responsibilities are complex and should be clarified with Yandex on a case-by-case basis. What remains legally relevant: data is transferred to Russian state territory.

Critical note: Russia as an unsafe third country

Russia is not a third country with an EU adequacy decision. In addition, there is:

  • No recognized data protection standards at EU level
  • State access options to data under Russian law (e.g. Federal Law No. 152-FZ)
  • No effective legal remedies for EU citizens against state interference
  • No data protection framework comparable to GDPR

A data transfer to Russia under the GDPR is therefore regularly legally problematic.


D. Data Processing – Workflow in Steps

  1. The code embedded on the website loads the Yandex Metrica library.
  2. IP address, user ID (cookie), click paths, session content (when Webvisor is activated), device data, browser information.
  3. Usually via HTTPS, but with destination: Russia (unsafe third country).
  4. Analysis, profiling, possibly merging with other Yandex services.
  5. Required for third-country transfer. Transfer to Russia requires Schrems II case-by-case review (additional safeguards under TIA).
  6. Cookie rejection or browser settings.


E. Data Collected by Yandex Metrica

Yandex Metrica collects a wide range of data:

Web server log data

  • IP address of the user
  • Time and duration of access
  • HTTP referrer (source of access)
  • User agent (browser, operating system)

Click paths and navigation behavior

  • Visited pages within the website
  • Sequence and chronological order
  • Time spent per page
  • Exit page

Device and browser information

  • Device type (desktop, tablet, smartphone)
  • Screen resolution
  • Browser type and version
  • Operating system and version

Coarse location data

  • Country and city (based on IP geolocation)
  • Time zone

Interaction data (session recording, heatmaps)

  • Mouse movements and clicks
  • Keyboard inputs (possibly sensitive data in forms)
  • Scrolling behavior
  • Times of interactions

Conversion events and custom events

  • Clicks on specific elements
  • Form completion and abandonment
  • Goal conversions (e.g. purchases, sign-ups)

User profiles and IDs

  • Persistent user ID (via cookie or local storage)
  • Yandex user ID (if logged in)
  • Session ID for session attribution purposes

F. Purposes of Use

Yandex Metrica processes data for the following purposes:

  1. General product improvement – understanding how users use the website
  2. Statistics and reporting – reports on traffic, conversions and user behavior
  3. User profile creation – aggregation of behavior patterns across sessions
  4. User-individual product improvement – optimization of the website based on user groups
  5. Possibly user-individual marketing – retargeting (depending on Yandex ecosystem integration)

1. Tracking as intervention-intensive processing

Yandex Metrica is a tracking tool used for the purpose of statistics and session recording. The processing is intervention-intensive because:

  • Session recording records the entire user behavior
  • Mouse movements, clicks and inputs are captured (possibly sensitive data)
  • Persistent user IDs are used

For cookies and session recording, explicit, informed consent is mandatory. This must:

  • Be obtained before activation of the tracking (opt-in, not opt-out)
  • Be granular (separate consent for session recording vs. web analytics)
  • Be easily revocable
  • Make the legal basis clear (GDPR Art. 6(1)(a) + TDDDG § 25)
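
A consent gate matching the requirements listed above (opt-in before activation, separate consent for session recording, revocable), as an added example that is not part of the original article or of Yandex's code. The counter number is a placeholder, the consent object and function names are hypothetical, and the tag URL and cookie names are assumptions to be checked against your own Metrica snippet.

```javascript
// Added example. COUNTER_ID is a placeholder; the consent object shape
// ({ analytics, sessionRecording }) and all function names are hypothetical.
const COUNTER_ID = 0; // placeholder: use the counter number from your own snippet
const TAG_URL = "https://mc.yandex.ru/metrika/tag.js"; // compare with your own snippet
const METRICA_COOKIES = ["_ym_uid", "_ym_d"]; // assumed names; check your browser's cookie list

// Translate the visitor's choices into init options.
// Returns null without analytics consent, so the tag is never requested.
function metricaOptions(consent) {
  if (!consent || consent.analytics !== true) return null;
  return {
    clickmap: true,
    trackLinks: true,
    accurateTrackBounce: true,
    webvisor: consent.sessionRecording === true, // separate opt-in for session recording
  };
}

// Revocation: expire the identifier cookies. A tag that is already running
// keeps running until the next page load, so reload after calling this.
// Cookies set for a parent domain also need a matching "domain=" attribute.
function revoke(doc) {
  for (const name of METRICA_COOKIES) {
    doc.cookie = `${name}=; Max-Age=0; path=/`;
  }
  return "blocked";
}

// Call once on page load with the stored choice and again whenever it changes.
// win/doc are parameters so the gate can be exercised outside a browser.
function applyConsent(consent, win, doc) {
  const options = metricaOptions(consent);
  if (options === null) return revoke(doc);
  if (win.ym) return "already-loaded"; // changed options apply on the next page view
  // Same queue stub as the vendor snippet: calls are buffered until tag.js arrives.
  win.ym = function () { (win.ym.a = win.ym.a || []).push(arguments); };
  win.ym.l = Date.now();
  const script = doc.createElement("script");
  script.async = true;
  script.src = TAG_URL;
  doc.head.appendChild(script);
  win.ym(COUNTER_ID, "init", options);
  return "loaded";
}
```

In a browser, call `applyConsent(storedChoice, window, document)` from the consent banner's callback rather than embedding the vendor snippet directly in the page.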

b) Third-country transfer: Standard Contractual Clauses (SCC, Art. 46 GDPR)

The following is required for the transfer to Russia:

  • Standard Contractual Clauses (SCC) between website operator and Yandex
  • Supplementary measures under Schrems II case law (CJEU C-311/18):
    • Carry out a Transfer Impact Assessment (TIA)
    • Review of access rights in the destination country
    • Possibly encryption on transmission paths or pseudonymisation
  • Case-by-case review: Transfer at less invasive times or technical anonymisation

Note: Yandex must (or should) offer SCC. Their availability should be clarified in advance.

In theory, third-country transfers could be based on Art. 49(1)(a) GDPR (consent if SCC is insufficient). However, this is only useful for occasional transfers, not for continuous analytics.


H. Special Features and Notes regarding Yandex Metrica

  • Unsafe third country Russia: Transfers require a reasoned legal review and regularly SCC + Schrems II case-by-case review (TIA).

  • Session recording (intensity of intervention): The recording of keyboard inputs, mouse movements and scrolling behavior is particularly sensitive in terms of data protection. Masking functions (e.g. for input fields) should be activated.

  • DPA availability: It must be clarified whether Yandex offers a Data Processing Agreement (DPA) and under what conditions.

  • Responsibility: Depending on the service configuration, Yandex can act as a processor (Art. 28 GDPR) or as a joint controller (Art. 26 GDPR). This should be clarified contractually.

  • Setting options:

    • Cookie tracking can be deactivated via browser settings
    • Webvisor (session recording) can be rejected by the user
    • Anonymisation flags may be activated (in the admin area)
  • Web analytics vs. session recording: It is legally compliant to use web analytics (IP, click paths, coarse location data). Session recording is regularly only justifiable with additional safeguards (masking, consent, data minimization).


I. FAQ


J. Sample Text Template for the Privacy Policy

### Yandex Metrica

We use **Yandex Metrica**, a web analytics and session recording service provided by 
Yandex LLC (Russia), to analyse and optimise the use of our website.

#### Data Collected
- IP address and user ID
- Pages visited, click paths, time spent
- Device information (browser, operating system, screen resolution)
- Coarse location data (country, city)
- **Session Recording:** mouse movements, clicks, scrolling, keystrokes (masked where applicable)
- Conversion events and custom metrics

#### Legal Basis
- **Consent (Art. 6(1)(a) GDPR, § 25(1) TDDDG)**  
  Your browser cookie and session recording are only activated with your explicit 
  consent.
  
- **Third-country transfer (Art. 46 GDPR – Standard Contractual Clauses)**  
  Your data is transferred to Yandex LLC in Russia. Russia is a country without 
  recognised data protection at EU level. We have concluded Standard Contractual Clauses 
  and, where necessary, carry out a Transfer Impact Assessment to ensure an adequate 
  level of protection.

#### Retention Period
- Analytics cookies: typically 2 years
- Session data: up to 30 days
- User profile: depending on Yandex settings

#### Your Rights
- **Withdrawal of consent** possible at any time
- **Opt-out** by rejecting cookies or via browser settings
- **More information** in the [Yandex privacy policy](https://yandex.com/legal/privacy/)

#### Yandex Data Protection Officer
Contact Yandex using the details in their privacy policy for access and 
erasure requests.

K. Conclusion and Next Steps

The use of Yandex Metrica is subject to heightened data protection requirements due to the third-country transfer to Russia, the lack of an adequacy decision and the intensity of intervention of session recording.

The transfer is not fundamentally prohibited, but requires:

  1. Consent before activation (opt-in)
  2. Conclusion of SCC with Yandex (or clarification of their availability)
  3. A Transfer Impact Assessment (TIA) (Schrems II case-by-case review)
  4. Possibly data minimization measures (IP shortening, field masking)
  5. Transparency in the privacy policy (sample above)

The website operator must review whether these requirements are fulfilled in the individual case.

Note: This presentation is purely informational and not legal advice. In case of uncertainty regarding the legal admissibility of using Yandex Metrica in your context, we recommend consulting a data protection lawyer.



Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
