1. The Transfer of Data to a Payment Agent for the Purpose of Debt Collection without Separate Consent is Deemed Lawful if Expressly Provided for by Law (Decision of the Ramenskoye City Court of the Moscow Region dated February 10, 2025, in Case No. 2-10577/2024 (UID: 50RS0039-01-2024-017194-36))
Case Summary:
A plaintiff challenged the processing of his personal data by a regional solid waste management operator (SWM Operator) and a unified information and billing center (EIRC). The defendants used his data to calculate utility charges, generate a consolidated payment document, and file a lawsuit to collect the debt. The plaintiff did not consent to the processing and transfer of his data, believing that such actions violated his rights as a data subject. The plaintiff sought a ruling that the actions of both defendants were unlawful, a prohibition on further transfer of data to third parties, an order requiring the EIRC to destroy his data, and compensation for moral damages in the total amount of 450,000 rubles.
The court’s position:
The court dismissed the claim, citing Part 16 of Article 155 of the Housing Code of the Russian Federation, which explicitly excludes the need for consent when transferring personal data for the collection of utility payments. The transfer of data from the SWM Operator to the EIRC and the subsequent filing of a lawsuit to collect the debt were classified not as unlawful disclosure, but as a lawful collection mechanism permitted by law.
Furthermore, the plaintiff failed to prove an actual violation of his rights: the payment document he submitted was issued to another person, and filing a lawsuit to collect a debt containing personal data does not in itself constitute a violation – it falls under the creditor’s right to judicial protection. Where there is a direct legal basis, data processing without consent is deemed lawful.
Lidings Comment:
For retail and FMCG, this ruling establishes an important rule: the transfer of personal data to payment agents, debt collectors, and BNPL services for the purpose of collecting payments and recovering debts is lawful without separate consent if it is expressly provided for by law or contract. The DPO must ensure a clear distinction between processing purposes in information systems – separating the payment and debt management processes from marketing – and the information security department is required to establish secure data transfer channels to partners with access logging and control over the scope of disclosed information. Contracts with consumers and payment agents should include provisions permitting such transfers without additional consent, and in the event of claims the legal basis should be cited promptly, which reduces reputational and litigation risks.
2. A Lawsuit Against a Marketplace Regarding the Transfer of Buyers’ Personal Data Cannot be Recognized as an Appropriate Means of Protection (Decision of the Moscow Commercial Court dated March 24, 2025, in Case No. A40-144888/2024)
Case Summary:
The seller entered into a service agreement with the marketplace. The goods ordered by the buyers were delivered to pickup points, but the buyers did not show up to collect them and refused to accept the goods. The marketplace refunded the buyers but did not deduct the costs of delivery and return of the goods. Previously, the court had already denied the seller’s claim for reimbursement of these costs from the marketplace itself, stating that the proper defendants were the buyers themselves. To file claims against the buyers, the seller needed their personal data (full name, registered address, passport details or TIN, date and place of birth). The seller filed a separate lawsuit asking the court to order the marketplace to provide this data and to impose a daily penalty for each day the decision was not enforced.
The court’s position:
The court dismissed the claim, noting that no evidence had been presented of the buyers’ consent to the transfer of their personal data to the seller for the purpose of asserting financial claims. Placing an order on the marketplace does not in itself constitute such consent, and the Personal Data Law prohibits the operator from disclosing data to third parties without the data subject’s consent, unless otherwise provided by federal law.
Furthermore, the remedy chosen by the plaintiff – an independent claim for an order to provide personal data – is not provided for under Article 12 of the Civil Code of the Russian Federation. When filing a claim against a specific buyer, the seller has the right to file a motion to compel the production of evidence pursuant to Article 66 of the Arbitration Procedure Code of the Russian Federation, provided the seller can demonstrate the impossibility of obtaining such evidence independently. The court also noted that it had previously been established in Case No. A40-26451/2024 that withholding the cost of delivery from the buyer is a right, not an obligation, of the marketplace, and that attempting to shift the resolution of this issue onto the marketplace through a claim for the provision of data was deemed an improper remedy.
Lidings Comment:
The ruling confirms that marketplaces are not obligated to disclose buyers’ personal data without their explicit consent, and a standalone claim for the provision of such data is not an appropriate remedy. When entering into a contract with an e-commerce platform, the DPO must develop mechanisms for compensating logistics costs that do not require access to end-buyers’ personal data, while the information security department must implement a procedure for the minimum necessary disclosure of data upon receipt of justified requests and ensure verification of their legitimacy. If the data is nevertheless necessary for legal proceedings, the proper tool remains a motion to compel the production of evidence; at the same time, loyalty programs and online marketplaces should include provisions for obtaining the buyer’s consent to transfer their data for the purpose of dispute resolution.
3. Withdrawal of Consent to the Processing of Personal Data does not Terminate Such Processing if there are Existing Contracts or Legal Requirements: Decision Based on a Bank Case (Decision of the Aleksinsky City Court of the Tula Region dated February 25, 2025, in Case No. 2-261/2025)
Case Summary:
A citizen demanded that a bank completely cease processing his personal and biometric data. The bank refused, citing the existence of open accounts, outstanding debt under a terminated loan agreement, the seizure of accounts by bailiffs, and the obligation to retain data for at least five years pursuant to Federal Law No. 115-FZ of August 7, 2001 “On Combating the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism” (Law No. 115-FZ). The plaintiff deemed the refusal unlawful and filed a lawsuit seeking the cessation of processing, compensation for moral damages, and reimbursement of legal costs.
The court’s position:
The court dismissed the claim in its entirety, recognizing that the bank had independent legal grounds to continue processing the data. Data processing without consent is permitted if it is necessary for the performance of a contract to which the individual is a party (clause 5, part 1, Article 6 of Federal Law No. 152-FZ of July 27, 2006, “On Personal Data”), and the existence of active accounts and outstanding credit obligations provided the bank with such grounds. Furthermore, Law No. 115-FZ mandatorily requires the retention of documents obtained during customer identification for at least five years after the termination of the relationship, which also serves as a legal basis for processing regardless of the customer’s consent. Withdrawal of consent in such a situation does not entail an obligation to cease processing.
Lidings Comment:
This ruling confirms that withdrawing consent does not terminate the processing of personal data if such processing is necessary for the performance of a contract (order tracking, bonus accrual, return processing) or is expressly required by law (accounting, tax reporting, storage). The DPO must establish a system for classifying the legal bases for processing such that marketing processing based on consent is immediately terminated, while processing based on a contract or law continues, with mandatory notification to the data subject regarding the legal bases and timeframes. The information security department, for its part, ensures technical data segregation, prevents the premature deletion of information subject to mandatory retention, and monitors logs to prevent incidents involving the destruction of sensitive data.
4. The Publication of Personal Data on a Website without the Data Subject’s Consent is Deemed Unlawful: the Court Upheld Roskomnadzor’s Claim against the Domain Administrator (Decision of the Oktyabrsky District Court in Tambov No. 2-2713/2025 2-2713/2025~M-1844/2025 M-1844/2025 dated August 17, 2025, in Case No. 2-2713/2025)
Case Summary:
Following a complaint from the applicant, the Tambov Regional Office of Roskomnadzor discovered that information relating to her personal data (specifically, details about her as an architect) had been posted on a website without her consent. The domain name administrator was a third party who, upon the agency’s request, failed to remove the disputed information. Roskomnadzor filed a lawsuit seeking a declaration that the website’s activities regarding the dissemination of personal data were unlawful and that the disseminated information was processed in violation of the law.
The court’s position:
The court granted the claims in full, recognizing the website’s activities as unlawful with respect to the dissemination of the claimant’s personal data. The court reasoned that the data subject’s consent to the processing of personal data is mandatory pursuant to paragraph 1 of part 1 of Article 6 of Federal Law No. 152-FZ of July 27, 2006, “On Personal Data”, and the defendant failed to provide evidence of such consent. The established fact of inaction following receipt of Roskomnadzor’s demand to delete the data also indicated a violation of Article 10.1 of the aforementioned law, which requires the cessation of data dissemination within three business days. The court emphasized that the unlawful dissemination of personal data on the Internet infringes upon a citizen’s constitutional right to privacy and the confidentiality of personal and family life.
Lidings Comment:
Posting any information on corporate websites, social media, or product pages that allows for the identification of an individual without their written consent is illegal, as directly confirmed by the court’s decision. This case also applies to retailers and FMCG companies, which should note that the DPO is required to organize regular audits of all the company’s public digital resources for such “archived” references to customers, former employees, or partners, while the information security department must implement processes for the prompt removal of such information upon request by the data subject or Roskomnadzor and monitor the appearance of such data in open sources. The response procedure must guarantee removal within three business days; ignoring the request creates direct risks of administrative and civil liability.
5. A Bank is Entitled to Process a Data Subject’s Personal Data without their Consent in the Event that an Additional Card is Issued to Another Customer (Resolution No. 13AP-32750/2025 of the 13th Commercial Court of Appeal dated March 25, 2026, in Case No. A56-71399/2025)
Case Summary:
The Roskomnadzor Office for the Northwestern Federal District filed a complaint seeking to hold the bank liable for processing the data subject’s personal data without his consent. The data subject became aware of the processing of his data after receiving text messages from the bank inviting him to join a family group, to open a personal account on the bank’s website, and to receive an additional card. The data subject noted that he had never been a client of the bank, had not applied for a card, and had not given the bank consent to process his personal data.
The bank confirmed that the data subject’s personal data had been processed when another customer applied for an additional card. Furthermore, during a phone call, a bank employee informed the data subject that the card had been issued to an unknown individual.
The court’s position:
The court noted that there are cases in which processing without the consent of the data subject is permitted if it is necessary for the performance of a contract to which the data subject is a party or the beneficiary (clause 5, part 1, Article 6 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”).
The possibility for banks to process the personal data of beneficiaries without their consent is confirmed by the joint information letter of the Central Bank of Russia No. IN-06-59/57 and the Federal Service for Supervision of Communications, Information Technology, and Mass Media No. 08LA-48666 dated July 29, 2021 “On Borrowers’ Consent to the Processing of Their Personal Data”.
The bank provides customer service based on a comprehensive service agreement, under which accounts and cards are opened for customers and the remote banking service system is activated. For the convenience of account holders, the bank offers the option to issue an additional bank card linked to the account for a third party based on an application completed by the customer.
It is important to note that the card is issued specifically to the bank customer’s account, not to a third party. This allows the customer to independently determine exactly whom they grant access to their funds.
Thus, a bank customer submitted an application to the bank to issue an additional card linked to their account in the name of the data subject. Consequently, the data subject is the beneficiary. Therefore, consent to the processing of their personal data is not required.
Lidings Comment:
This legal position – namely, the possibility of processing the beneficiary’s personal data without their consent – is also reflected in Ruling No. 5-KG25-56-K2 of the Supreme Court of the Russian Federation dated June 10, 2025.
In summary, we see opportunities for the practical application of an alternative legal basis that allows for processing without the data subject’s consent. Applying this provision in current business processes within the retail and consumer sectors allows the lawfulness of personal data collection to be justified by the fact of contract performance, where the customer acts as the direct beneficiary. We recommend keeping this basis in mind in your current operations, as its implementation can help reduce the administrative burden of document processing and minimize risks associated with potential withdrawal of consent by customers, provided that the purposes of processing are strictly limited to the scope of obligations under the transaction.
6. A Prospective Employer is not Entitled to Request Information About a Candidate from their Previous Employer without the Candidate’s Consent (Resolution No. 13AP-9850/2026 of the 13th Commercial Court of Appeal dated May 19, 2026, in Case No. A21-13246/2025)
Case Summary:
The Kaliningrad Regional Office of Roskomnadzor filed a petition with the arbitration court seeking to hold the company liable for processing personal data in cases not provided for by law. Previously, the recruitment agency had found the applicant’s resume on a publicly accessible job search website. Subsequently, without the individual’s consent, agency employees sent an official request to his former employer to verify his work history. The request contained the applicant’s personal data.
The court’s position:
The mere fact of posting a resume online for job search purposes does not mean that any company is free to forward it to third parties. The burden of proving the citizen’s consent to processing always lies with the data controller, i.e., the employer who sent the request. The court found the agency guilty under Part 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation.
Lidings Comment:
In the retail and consumer goods manufacturing sectors, there is widespread hiring of front-line staff, so the risks of legal liability are particularly high here. Any calls, written requests, or checks with a candidate’s previous employers may only be made after the candidate has signed a written consent form for the processing of personal data. Public access to a job seeker’s profile on websites such as HeadHunter or Avito grants the right only to contact the candidate personally, but not to send requests to their previous employers.
7. The Operator is Required to Comply with the Requirements Regarding the Localization of Personal Data of Russian Citizens within the Territory of the Russian Federation (Decision of the Moscow Commercial Court dated May 21, 2026, in Case No. A40-272718/25-21-2028)
Case Summary:
The operator, a platform for learning foreign languages, collected personal data of Russian citizens, including via the Internet, without ensuring compliance with localization requirements.
The court’s position:
According to the privacy policy published on the Operator’s website, the Operator collected the following user data: name, email address, mobile phone number, mailing address, photograph, payment information, cookies, and IP address. The above information relates directly or indirectly to an identified or identifiable individual, i.e., it meets the criteria for personal data.
Thus, the Operator processes the personal data of Russian citizens, and therefore is subject to requirements ensuring that such data is stored within the territory of the Russian Federation.
During an analysis of the privacy policy, as well as through the use of a publicly available service, it was revealed that the Operator uses a database located outside the Russian Federation.
Roskomnadzor sent a letter to the Operator requesting information (the paper version was returned to Roskomnadzor, but the email was received). Despite receiving the email, the Operator ignored the regulator’s request.
The court found the Operator’s violation of localization requirements to be proven and held it administratively liable under Part 8 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation, imposing a fine of 1,000,000 rubles.
Lidings Comment:
Case law regarding Part 8 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation is consistent, and courts almost always side with the regulator when violations of localization requirements are identified. Please note that Roskomnadzor identifies such violations remotely using publicly available services (WHOIS services). Since companies in the FMCG and retail sectors actively use websites and apps to interact with consumers, we recommend proactively using these services to verify compliance with localization requirements, if this has not been done previously.