Article 14 GDPR (Information To Be Provided Where Personal Data Have Not Been Obtained From The Data Subject)

Understanding Article 14 of GDPR

Article 14 of GDPR provides guidelines on the processing of personal data that the company did not obtain from the person in question.

In such cases, GDPR requires companies to provide disclosure to the individual.

Disclosure when personal data was not obtained from an individual (Article 14(1) GDPR)

If a company receives, uses and stores personal data from a source other than the individual in question, it must provide the person with the following mandatory disclosure:

  1. The company’s identity and contact information (Article 14(1)(a) GDPR)
  2. Contact details of its data protection officer, if it has one (Article 14(1)(b) GDPR)
  3. The reason or purpose for which it is processing personal data and the legal basis (Article 14(1)(c) GDPR)
  4. The category of personal data (Article 14(1)(d) GDPR)
  5. The recipients of the personal data (Article 14(1)(e) GDPR)
  6. If the company intends to transfer personal data to a third country, whether that country has an adequacy decision or not, or a reference to the appropriate safeguards such as a legally binding and enforceable contract or binding corporate rules (Article 14(1)(f) GDPR)

Information to be provided for fair and transparent processing (Article 14(2) GDPR)

In addition to the mandatory information to be provided to an individual prior to collecting, processing and storing their personal data, companies are required to give the following information to ensure fair and transparent processing of the personal data:

  1. For how long personal data will be stored (Article 14(2)(a) GDPR)
  2. If the processing is based on the company’s legitimate interest, a description of its interests (Article 14(2)(b) GDPR)
  3. Notice that the person has the right to access their data, to request its rectification or erasure, to restrict its processing, to object to its processing, and to data portability (Article 14(2)(c) GDPR)
  4. If the processing is based on the individual’s consent, notice that the person has the right to withdraw his or her consent without affecting the legality of the processing that was done prior to the withdrawal (Article 14(2)(d) GDPR)
  5. The person’s right to file a complaint with a supervisory authority (Article 14(2)(e) GDPR)
  6. The source from which the personal data was obtained and whether the data came from a public source (Article 14(2)(f) GDPR)
  7. Information about the logic of any automated decision-making, including profiling, impacting the person along with possible consequences (Article 14(2)(g) GDPR)

Obligation to provide information to the data subject (Article 14(3) GDPR)

When a person requests the disclosure of the information about where a company has obtained their personal information, companies must provide the information to the person at the latest within the following timelines:

  1. Within 30 days from the receipt of the request (Article 14(3)(a) GDPR)
  2. If the company needs to use the personal data to communicate with the person, at the latest at the time of the company’s first communication to the person (Article 14(3)(b) GDPR)
  3. If the company must disclose the personal data to another recipient, the company must provide the information to the data subject at the latest when the personal data are first disclosed (Article 14(3)(c) GDPR)

Processing for other purposes (Article 14(4) GDPR)

If a company intends to use a person’s personal information for any purpose other than the one for which it was initially collected, the company must inform the individual of the new purpose and all the relevant information as required under Article 14(2).

When Article 14 does not apply (Article 14(5) GDPR)

In the following circumstances, the obligations of Article 14 will not apply:

  1. The person was already informed (Article 14(5)(a) GDPR)
  2. When providing the information to the individual is impossible or would require disproportionate effort, where the data was used in the public interest or for scientific, historical or statistical purposes (Article 14(5)(b) GDPR)
  3. Obtaining or disclosing the data is expressly required by a European Union member country to protect the person’s legitimate interests (Article 14(5)(c) GDPR)
  4. When the personal data must be kept confidential and subject to the obligation of professional secrecy (Article 14(5)(e) GDPR)

Recitals applicable to Article 14 of GDPR

Relevant Recitals: 60, 61, 62


GDPR Text: Article 14 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)