The essence of 152-FZ and the position of the regulator during checks is that the processing of personal data is consistent with the purposes for which this PD was transferred by the user.
From the point of view of 152-FZ, the user consented to the processing of his PD in order to provide him with services for working with a social network upon registration and agreeing to the User Agreement.
He did not give you consent to the processing of PD.
In order for you to legally process PD, there is a limited list of processing conditions described in Article 6 of 152-FZ:
1. consent of the subject
2. fulfillment of international treaties
3. for the purposes of justice
4. execution of the powers of federal authorities
5. fulfillment of an agreement with the subject
6 protection of the subject's life
7. legitimate interests of the operator
8. professional activities of the media, etc.
9. Statistical research
10. Processing of public data
11. Processing of data subject to mandatory publication
Here, some mistakenly believe that the user, having registered in a social network, made his data publicly available. But it's not.
First, how data is made public is described in Article 8 of 152-FZ:
Vkontakte does not take the written consent of users, and indicates, for the purpose of collecting and processing PD, not the organization of public access, but the provision of social network services to the user.
Thus, you have no legal grounds to process personal data received from the social network.
I singled out personal data on purpose, because if you use only the user login in your project, then it will be possible to prove that this is not personal data, but anonymized and based on it

it is impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information