AuditFront

GDPR Art.14: Information Where Data Has Not Been Obtained from the Data Subject

What This Control Requires

Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) the categories of personal data concerned; (e) the recipients or categories of recipients of the personal data, if any; (f) where applicable, that the controller intends to transfer personal data to a third country or international organisation.

In Plain Language

When you get personal data from somewhere other than the person it belongs to - a recruitment agency, a business partner, a data broker, public sources, or a corporate acquisition - you still owe that person transparency. Many organisations overlook this obligation entirely, which is a mistake regulators notice.

The information requirements are similar to Article 13, with two critical additions. You must tell people what categories of data you hold about them (since they may not know what was collected) and where the data came from (including whether it was from publicly accessible sources). These extra requirements exist because the individual had no direct interaction with you and may not even know you have their data.

The timing rules are different too. Because you were not present when the data were collected, Article 14(3) sets three triggers: you must provide the information within a reasonable period after obtaining the data and at the latest within one month; if you use the data to communicate with the person, no later than that first communication; and if you intend to disclose the data to another recipient, no later than the first disclosure. Whichever of these comes first sets the deadline. Article 14(5) contains limited exemptions, for example where providing the information proves impossible or would involve disproportionate effort, but DPAs interpret them narrowly.

How to Implement

Map every source of personal data that is not direct collection from individuals. Think recruitment agencies, purchased lists, business partners, group company data sharing, public source scraping, and data inherited through acquisitions. Document each source, what categories of data you receive, and how the data was originally collected.

For each indirect source, set up a process to notify affected individuals within the required timeframe. Decide whether you will notify proactively shortly after obtaining the data or at the point of first contact, remembering that first contact (or first disclosure to another recipient) only shortens the deadline; it never extends it past one month from the date you obtained the data. For large datasets, plan the logistics - email, post, or a combination. Do not let the practicalities stop you; plan ahead.
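The inventory and deadline logic above can be checked mechanically. The following is an added example written for this page, not AuditFront's product code: it models a few inventory rows, computes each row's Article 14(3) deadline as the earliest of "one month after obtaining", "first communication" and "first disclosure", and reports whether the notice was on time, late, overdue or still pending. The inventory rows and the audit date are constructed sample data, and the treatment of "one month" (same day next month, clamped to the last day of a shorter month) is an assumption, since the Regulation does not define it.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class IndirectSource:
    """One row of the indirect-source inventory (constructed, hypothetical data)."""
    source: str
    categories: Tuple[str, ...]
    obtained: date
    first_communication: Optional[date] = None  # first contact with the data subject, if any
    first_disclosure: Optional[date] = None     # first disclosure to another recipient, if any
    notified: Optional[date] = None             # date the Article 14 notice was actually given


def add_one_month(d: date) -> date:
    """Same day in the following month; if that day does not exist (e.g. 31 January),
    clamp to the last day of that month. The clamping rule is an assumption."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def one_month_after(iso: str) -> str:
    """Convenience wrapper over add_one_month for ISO date strings."""
    return add_one_month(date.fromisoformat(iso)).isoformat()


def notification_deadline(rec: IndirectSource) -> date:
    """Article 14(3): at the latest one month after obtaining the data, or earlier if the
    data are first used to contact the person or first disclosed to another recipient."""
    candidates = [add_one_month(rec.obtained)]
    for trigger in (rec.first_communication, rec.first_disclosure):
        if trigger is not None:
            candidates.append(trigger)
    return min(candidates)


def notice_status(rec: IndirectSource, today: date) -> str:
    """on_time / late if a notice was given; overdue / pending if it was not."""
    deadline = notification_deadline(rec)
    if rec.notified is not None:
        return "on_time" if rec.notified <= deadline else "late"
    return "overdue" if today > deadline else "pending"


def audit_inventory(records: List[IndirectSource], today: date) -> List[Tuple[str, str, str]]:
    """Return (source, deadline as ISO string, status) for every inventory row."""
    return [(r.source, notification_deadline(r).isoformat(), notice_status(r, today))
            for r in records]


# Constructed sample inventory; the sources and dates are not real.
INVENTORY = [
    IndirectSource("Recruitment agency (CV feed)", ("identity", "employment history"),
                   obtained=date(2024, 1, 31), first_communication=date(2024, 2, 5),
                   notified=date(2024, 2, 5)),
    IndirectSource("Purchased marketing list", ("identity", "contact details"),
                   obtained=date(2024, 1, 31)),
    IndirectSource("Group company HR transfer", ("identity", "payroll"),
                   obtained=date(2024, 3, 1), first_disclosure=date(2024, 3, 15),
                   notified=date(2024, 3, 20)),
    IndirectSource("Public register scrape", ("identity", "company directorships"),
                   obtained=date(2024, 3, 5)),
]

AUDIT_DATE = date(2024, 3, 10)  # constructed "today" for the sample run


def run_audit() -> List[Tuple[str, str, str]]:
    return audit_inventory(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for source, deadline, status in run_audit():
        print(f"{source:32} deadline {deadline}  {status}")
```

Note how the second row is overdue even though nobody has been contacted: the one-month cap applies on its own, and the third row is late because the first disclosure to the payroll recipient, not the one-month cap, set the deadline. Rows reported as late or overdue are exactly the gaps an auditor will ask you to explain.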

Write Article 14-compliant notices that include everything from the Article 13 checklist plus the data categories and specific source information. "Third parties" is not specific enough. Name the type of source or, ideally, the actual source. If the data came from publicly accessible records, say so explicitly.

If you think an exemption under Article 14(5) applies - particularly the "disproportionate effort" exemption - document your reasoning thoroughly. You still need to take alternative measures like making the information publicly available, and the exemption does not remove your other obligations. Do not lean on this unless you have a genuinely strong case.

Do due diligence on your data sources. Include contractual clauses requiring them to confirm that data was collected lawfully and that any necessary consents or legal bases are in place. If you cannot verify the provenance of data you are buying or receiving, that is a red flag. Keep records of these assessments as part of your accountability evidence.

Evidence Your Auditor Will Request

  • Inventory of all indirect data sources with categories of data received
  • Article 14-compliant privacy notices for indirectly obtained data
  • Evidence of timely notification to data subjects (within one month or at first contact)
  • Documented assessments for any Article 14(5) exemptions claimed
  • Due diligence records for third-party data sources

Common Mistakes

  • Failure to provide any Article 14 information to data subjects whose data was obtained indirectly
  • Missing the one-month deadline for providing information after data is obtained
  • Not disclosing the source of the personal data or using vague descriptions like 'third parties'
  • Over-reliance on the disproportionate effort exemption without proper documented justification
  • No due diligence on third-party data sources regarding lawfulness of original data collection

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.34       Related

Frequently Asked Questions

What if providing Article 14 information to every individual would be extremely expensive or difficult?
Article 14(5)(b) offers an exemption for situations where providing information would be impossible or involve disproportionate effort. But regulators treat this narrowly. You need a documented assessment justifying why it applies, and you must still take alternative measures - like making the information publicly available on your website. This is not a get-out-of-jail-free card; it is a last resort.
Do we need to tell data subjects the specific source of their data?
Yes, and be as specific as you can. "Various third parties" will not satisfy the transparency requirement. Name the source or at minimum describe the type of source clearly. If the data came from publicly accessible sources, state that explicitly. Regulators expect people to be able to trace where their data originated.
What if the data source asked us to keep their identity confidential?
Your GDPR obligations override commercial confidentiality agreements. You cannot sign away your legal duties in a contract with a data supplier. If disclosing the exact source identity is genuinely problematic, provide the type or category of source at minimum. But understand that the legal requirement to disclose the source takes priority over any NDA.

Track GDPR compliance in one place

AuditFront helps you manage every GDPR control, collect evidence, and stay audit-ready.
