Article 14
Information to be provided where personal data have not been obtained from the data subject
Overview:
Article 14 requires data controllers to provide information to data subjects when personal data are obtained indirectly, i.e. from a source other than the data subject. It supports transparency: data subjects learn how their data will be processed even when they did not supply it themselves. The information must be provided within a reasonable period after the data are obtained, and at the latest within one month; earlier if the data are used to contact the individual (at the first communication) or are disclosed to another recipient (at the first disclosure).
- Paragraph 1: Basic Information to be Provided
- The first paragraph specifies the fundamental information to be provided to the data subject:
- The identity and contact details of the controller (name, postal address and the contact details of a point of contact, such as an email address).
- The contact details of the Data Protection Officer (DPO), where one has been designated.
- The purposes of the processing and the legal basis for it.
- If the controller is not established in the EU but processes the data of individuals in the EU (Article 3(2)), the identity and contact details of its EU representative under Article 27 must also be provided, where a representative is required.
- The controller must clearly explain why the personal data are being collected and processed.
- The controller must specify the legal basis under Article 6 it relies on for each purpose (e.g. consent, contract, legal obligation, legitimate interests).
- Where the data are processed for several purposes, each purpose and its legal basis must be stated separately.
- If the processing is based on the legitimate interests of the controller or a third party (Article 6(1)(f)), those interests must be stated explicitly. (In the text of the Regulation this item sits in paragraph 2, but it is usually presented together with the legal basis.)
- The categories of personal data concerned. This item is specific to Article 14: because the data subject did not supply the data, they cannot otherwise know what the controller holds about them.
- The recipients or categories of recipients with whom the personal data will be shared (e.g. marketing agencies, processors, group companies).
- Whether the personal data will be transferred to a recipient in a third country outside the EU/EEA or to an international organisation, together with the basis for the transfer: the existence or absence of an adequacy decision, or the appropriate safeguards relied on (Articles 46, 47 or the derogations in Article 49) and how the data subject can obtain a copy of them.
Paragraph 2 - Additional information to be provided to the data subject to ensure fair and transparent processing. This includes:
- How long the personal data will be stored or, where a fixed period cannot be given, the criteria used to determine that period.
- The data subject's rights under GDPR, which include:
- Right of access: to obtain confirmation of processing and a copy of their personal data
- Right to rectification: to correct inaccurate or incomplete personal data
- Right to erasure (right to be forgotten): to have their personal data erased under certain circumstances
- Right to restriction of processing: to limit how their data are used
- Right to object to processing: to stop the processing of their data in certain cases, in particular direct marketing and processing based on legitimate interests
- Right to data portability: to receive their data in a structured, commonly used and machine-readable format, where the processing is based on consent or contract and carried out by automated means
- The data subject must also be made aware of the following:
- Where the processing is based on consent (Article 6(1)(a) or 9(2)(a)), the right to withdraw consent at any time, and that withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- The right to lodge a complaint with a supervisory authority. The data subject should be told which data protection authority is relevant.
- The source of the personal data and, where applicable, whether they came from publicly accessible sources.
- Whether the personal data are used for automated decision-making, including profiling, within the meaning of Article 22(1) and (4), together with meaningful information about the logic involved and the significance and envisaged consequences for the data subject.
- Note: the statement of whether providing the personal data is a statutory or contractual requirement, or necessary to enter into a contract, and the consequences of not providing it, is an Article 13(2)(e) item. It applies where the data are obtained from the data subject and is not part of Article 14, because under Article 14 the data subject did not supply the data.
Paragraph 3 addresses the timing of when a controller must provide the required information to data subjects whose personal data were not obtained directly from them.
- The controller must inform the data subject within a reasonable period after obtaining the data, having regard to the circumstances of the processing, and at the latest within one month.
- If the controller intends to use the data to contact the data subject (e.g. tele-calling or email), the information must be provided at the latest at the time of the first communication.
- If the controller intends to disclose the data to another recipient, the data subject must be informed at the latest when the data are first disclosed.
- Whichever of these deadlines comes first applies.
Paragraph 4 covers further processing: where the controller intends to process the personal data for a purpose other than the one for which they were obtained, it must inform the data subject of that other purpose (and provide the other relevant paragraph 2 information) before that further processing starts.
Paragraph 5 outlines the specific situations where the obligation to provide information (as detailed in paragraphs 1 to 4) does not apply.
These are situations where it is impossible, disproportionately difficult or unnecessary to inform individuals about the processing of their indirectly collected personal data:
- Where the data subject already has the information. The controller must be able to show that the data subject has all of the required information, not just part of it.
- Where providing the information proves impossible or would involve a disproportionate effort, in particular for archiving in the public interest, scientific or historical research or statistical purposes subject to the conditions and safeguards of Article 89(1), or where the obligation would be likely to render impossible or seriously impair the achievement of the objectives of the processing.
- In those cases the controller must take appropriate measures to protect the data subject's rights, freedoms and legitimate interests, including making the information publicly available (for example on its website).
- Where Union or Member State law expressly lays down the obtaining or disclosure of the personal data and that law provides appropriate measures to protect the data subject's legitimate interests.
- Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy (e.g. legal or medical confidentiality).
Implementation Guidance:
- Perform a data discovery and identify all the sources of data collection
- Develop a comprehensive privacy notice that covers every information item required by Article 14, including the categories of data and the source of the data, which a notice written for Article 13 will not contain.
- Develop and implement policies and procedures for the obligations above: tracking the date each indirect dataset was obtained, issuing the notice before first contact or first disclosure, and documenting any reliance on a paragraph 5 exemption.
- Regularly keep the privacy notice updated.
Compliance Checklist:
- Privacy policy
- Privacy notice
- Policies and procedures for handling data subject requests
- Data Subject Notification Template
- Record of Processing Activities (ROPA)
Examples & Use Cases
- An organisation is planning to launch an online fashion retail portal in the next six months. It has already started building a database of potential customers for a pre-launch campaign due to start in 90 days. Under Article 14 the organisation must inform the potential customers (the data subjects) within one month of obtaining their details. It cannot wait 90 days and inform them just before the campaign starts.
- A marketing agency buys a customer database on 1 February and intends to disclose it to its clients from 10 February. It must inform the data subjects before the first disclosure on 10 February; the general one-month deadline (1 March) does not apply once an earlier disclosure is envisaged.
- A university conducts a historical study using a database of thousands of individuals, many of whom are deceased. Contacting every individual is practically impossible (Article 14(5)(b)), but the university must still take appropriate measures, such as publishing information about the research and its processing on its website. Note that GDPR does not apply to the personal data of deceased persons (Recital 27), so the exemption matters for the living individuals in the dataset.
- A law enforcement agency collects personal data as part of an investigation, and national law expressly requires the data to be obtained and kept confidential, with safeguards for the individuals concerned. Under Article 14(5)(c) and (d) the agency does not have to inform the data subjects, which would otherwise jeopardise the investigation. Note that processing by competent authorities for the purposes of preventing, investigating or prosecuting criminal offences falls outside GDPR (Article 2(2)(d)) and is governed by Directive (EU) 2016/680 instead.