Overview of personal data processing disputes in 2025

The year 2025 marked a shift in the trend toward stricter regulation of personal data processing. New rules, prohibitions, and restrictions were introduced, and enforcement became more rigorous.

Court practice in disputes related to personal data processing continued to develop and reveal typical mistakes made by companies.

Continuing our annual review of trends in personal data protection practice, below we present the key cases of 2025 illustrating the most common problem situations.

1. Transfer of data to third parties without proper consent.

The case of PJSC TNS Energo N. Novgorod against the Roskomnadzor Office for the Volga Federal District is indicative. The reason for going to court was a customer complaint, after which the regulator issued an order to prevent violations of the law on personal data. In particular, the company was instructed to stop transferring customer personal data to third parties and to strengthen internal control over compliance with the law. TNS Energo attempted to challenge this requirement, but the courts of all instances sided with Roskomnadzor. The Arbitration Court of the Nizhny Novgorod Region ruled that the order was in accordance with the law and did not violate the company’s rights, refusing to invalidate it. The appeal and cassation courts left this decision unchanged [1].

During the proceedings, it was revealed that the company had transferred customer data to a counterparty without the explicit consent of the data subject. The courts emphasized that the processing of personal data is only permissible with the explicit consent of the data subject or on other legal grounds, and that a general energy supply agreement cannot serve as justification for transferring data to third parties. This case demonstrates that the transfer of customer information to third parties without explicit consent is illegal, even if such transfer is dictated by contractual relations with the customer.

2. Excessive collection of personal data (unnecessary biometrics).

Another important example is the dispute between Stroygroup LLC and the tax authority (MI FNS No. 3 for the Moscow Region) over the requirement to provide a photograph of the applicant when issuing a qualified electronic signature certificate. The tax inspectorate refused to issue the certificate to the company because the applicant’s representative refused to be photographed and sign a consent form containing the disputed conditions. In its lawsuit, the company demanded that the inspection’s actions be declared illegal, pointing out that the inclusion of a photograph in the list of requested personal data did not correspond to the purposes of processing in the provision of public services. Initially, the Arbitration Court of the Moscow Region rejected the claim, but the Tenth Arbitration Court of Appeal sided with the applicant. The appeal overturned the first instance decision, recognized the photography requirements as unlawful, and obliged the tax authority to issue an electronic certificate without collecting unnecessary data. The tax inspectorate attempted to appeal this decision, citing the need for identification, but the court of cassation upheld the appeal ruling, pointing out the inadmissibility of collecting more personal data than necessary [2].

The case emphasizes that organizations are prohibited from requesting unnecessary personal data (especially biometric data) from customers that is not directly necessary, otherwise such requests may be successfully challenged as illegal.

3. Refusal of a government agency to provide data necessary for business.

An interesting example is the case of the regional waste management operator Ekograd-N LLC against the Main Directorate of the Ministry of Internal Affairs in the Rostov Region. The company, which is a municipal solid waste collection service operator, requested information from the Ministry of Internal Affairs about the owners and registered residents of a number of houses (full names, dates of birth, passport details) – this data was needed to adjust consumer accounts, correctly calculate fees, and collect debts. The Ministry of Internal Affairs refused, citing confidentiality and special conditions (including the presence of military facilities in the region and the operation of the special military regime) and considering that the provision of address data would violate the rights of third parties to protect their personal data. The company challenged the refusal in arbitration court. The court of first instance ruled that the refusal was unlawful and ordered the Ministry of Internal Affairs to provide the requested information, which was upheld on appeal. The North Caucasus District, in its ruling No. F08-5231/2025 of August 29, 2025, left these decisions unchanged (case No. A53-44826/2024) [3]. The court of cassation emphasized that the requested information was necessary for the operator to fulfill its legal obligations, and that the police’s reference to the protection of third-party data was unfounded, since the law expressly permits the provision of address and reference information in such cases.

This case shows that restrictions on access to personal data by government agencies should not create obstacles to the lawful activities of companies. In other words, balancing interests means providing the necessary data to those who are entitled to receive it by law or contract—refusal on the grounds of general confidentiality may be deemed unlawful by a court.

4. Consent to advertising and customer rights.

Russian judicial practice strictly proceeds from the assumption that the use of personal data in advertising and marketing mailings is permitted only with the separate, informed, and unambiguous consent of the data subject. Thus, a client of Gazprombank JSC who refused to receive advertising mailings and participate in the loyalty program when concluding the contract successfully defended his right not to receive marketing messages. The ruling of the Sixth Court of Cassation of General Jurisdiction dated August 26, 2025 (case No. 88-15087/2025) established that if a customer marks “I do not agree,” the bank and its partners lose the right to send them any advertising offers. The court emphasized that offering to obtain consent for advertising does not in itself violate the law, but sending messages without the recipient’s voluntary consent is unacceptable. Thus, companies should obtain consent for each marketing activity (e-mail mailing, SMS message, phone call, push notifications, transfer of data to third parties, etc.) as transparently and in as much detail as possible, otherwise there is a high risk of attracting the attention of regulators and courts, which consistently defend the right of citizens not to receive advertising without their permission.

Conclusions

An analysis of court practice in the field of personal data in 2025 shows that courts consistently uphold the principles of Law 152-FZ. Regulatory requirements to remedy violations are most often recognized as justified if the company has indeed failed to comply with the rules (as in the case of data transfer without consent). The courts are prepared to protect the rights of data subjects – whether customers or employees – from excessive collection of information and imposed conditions. At the same time, the legitimate interests of bona fide companies are also protected: when an organization operates within the law and needs data to fulfill its obligations, a government agency’s refusal to provide such information may be deemed unlawful. Thus, dispute practice emphasizes that personal data must be processed strictly within the legal framework, and deviations from this framework inevitably entail legal risks.

---

[1] Ruling of the Arbitration Court of the Volga-Vyatka District dated August 23, 2024, in case No. A43-25737/2023.

[2] Ruling of the Arbitration Court of the Moscow District dated February 5, 2025, No. F05-30737/2024 in case No. A41-98381/2023.

[3] Ruling of the Arbitration Court of the North Caucasus District dated August 29, 2025, No. F08-5231/2025 in case No. A53-44826/2024.