GDPR Article 14: Transparency Obligations Where Personal Data Have Not Been Obtained from the Data Subject
An Advanced Practitioner's Analysis — navigating the GDPR's primary safeguard against invisible processing.
The Unique Position of Article 14
Article 13 vs Article 14
Whereas Article 13 governs situations where personal data are collected directly from the data subject, Article 14 applies when controllers obtain personal data indirectly — from sources the individual never interacted with.
The provision operationalises the principles of fairness and transparency by ensuring individuals are informed about processing activities even when they have had no direct interaction with the controller.
Indirect Sources Covered
Data Brokers
Corporate Acquisitions
Third-Party Vendors
Public Registers
Social Media Scraping
Government Databases
The Fundamental Objective: Informational Parity
The GDPR assumes that indirect collection creates an asymmetry of knowledge. Without Article 14, individuals may never know that their data have been acquired, the purposes of processing, the source of the data, their rights, or the existence of profiling or automated decision-making. Article 14 therefore acts as a corrective mechanism designed to restore transparency and enable effective exercise of data subject rights.
Scope and Applicability
Article 14 Applies
Indirect Collection Scenarios
Prospect List Purchase
Purchasing prospect lists from a marketing broker.
Merger & Acquisition
Receiving customer information during a merger or acquisition.
Background Verification
Obtaining employee screening data from a background verification provider.
Public Registries
Collecting information from public registries or sanctions screening vendors.
Web Scraping
Using web-scraped information relating to identifiable individuals.
Article 13 Applies Instead
Direct Collection Scenarios
Article 14 generally does not apply where data are collected directly from the individual; these scenarios are governed by Article 13 instead.
Website Registration Forms
Employment Applications
Submitted directly by candidates.
Customer Onboarding Portals
Call-Centre Interactions
Mandatory Information Requirements
Controllers subject to Article 14 must provide a comprehensive set of information to data subjects. Each category of required disclosure is detailed below.
Identity & Contact Information
  • Name of controller and contact details
  • Representative details where applicable
  • DPO contact details where required
Purposes & Legal Basis
  • Purpose descriptions — specific, not generic
  • Legal bases explicitly identified
  • Legitimate interests disclosed where relied upon
Categories of Personal Data
  • Contact, financial, and employment data
  • Behavioural and location data
  • Device identifiers
Recipients & Transfers
  • Internal business units and service providers
  • Third-country destinations and transfer mechanisms
  • Appropriate safeguards documentation
Retention Information
Specific retention periods where possible; retention criteria where fixed periods cannot be identified.
Data Subject Rights
Access, rectification, erasure, restriction, objection, data portability, and complaint rights to supervisory authorities.
Source of the Data
Particular emphasis on transparency concerning origin. Where applicable, controllers must explain that data came from publicly accessible sources.
Automated Decision-Making
Meaningful information regarding logic involved, significance, and anticipated consequences of profiling.
Timing Requirements
Article 14 establishes strict deadlines for when information must be provided to data subjects. Failure to meet these deadlines constitutes a breach of the regulation regardless of the quality of the notice itself.
The one-month period represents the outer limit — earlier obligations arise in specific circumstances that controllers must actively monitor.
Standard Deadline
Within a reasonable period — no later than one month after obtaining the personal data. This is the maximum permissible delay under any circumstances.
First Communication Trigger
If the data will be used to communicate with the individual, information must be provided no later than the first communication — which may be well within the one-month window.
First Disclosure Trigger
If the data will be disclosed to another recipient, information must be provided before the first disclosure — regardless of how recently the data were obtained.
Article 14(5) Exemptions
Article 14 provides a limited set of exemptions from the notification obligation. These exemptions are narrowly construed and the burden of proof rests with the controller in each case.
Individual Already Possesses the Information
Where the data subject already has all the information that would otherwise be required. Example: Employee data transferred internally during a restructuring where comprehensive notice was previously provided.
Provision Is Impossible
Where it is genuinely impossible to provide the information. The burden of proof rests firmly with the controller — this is a high threshold and must be documented rigorously.
Disproportionate Effort
Frequently invoked in archival activities, scientific research, historical research, and statistical processing. Mere inconvenience or cost does not automatically constitute disproportionate effort. A structured assessment is required.
Obtaining or Disclosure Laid Down by Law
National or Union legislation may create transparency alternatives that displace the Article 14 obligation. The specific legal provision must be identified and documented.
Professional Secrecy Obligations
Certain legal or regulatory confidentiality requirements — such as legal professional privilege or statutory secrecy regimes — may justify exemption from the notification obligation.
Examples Where Article 14 Clearly Applies
The following scenarios illustrate circumstances in which Article 14 obligations are unambiguously triggered. Controllers operating in these contexts must ensure compliant notice frameworks are in place.
Data Broker Acquisition
A company purchases a database of business professionals from a data broker. Article 14 notice is required because the data were not obtained directly from the individuals concerned.
Corporate Acquisition
Customer records transfer during a business acquisition. The acquiring entity becomes subject to Article 14 obligations in respect of all personal data received from the target organisation.
Public Registry Enrichment
A financial institution supplements its records using company registry data. Transparency obligations remain fully applicable despite the public availability of the source information.
Fraud Prevention Consortium
Members exchange fraud intelligence involving identifiable individuals. Individuals generally require Article 14 information unless a valid and documented exemption applies.
Recruitment Screening
Background information obtained from external providers during recruitment. Notice obligations arise regarding the additional personal data collected beyond what the candidate directly provided.
Examples Where Article 14 May Not Apply
The following scenarios illustrate circumstances where a valid Article 14 exemption may be available. In each case, the controller must conduct and document a formal exemption assessment.
Prior Comprehensive Notice
A processor-to-controller transition where comprehensive prior notice already covered the processing in question. The individual already possesses all required information — exemption under Article 14(5)(a).
Large-Scale Historical Research
Statistical research involving millions of historical records where individual notification would be demonstrably disproportionate. A structured disproportionate effort assessment must be completed and retained.
Statutory Reporting Regimes
Law enforcement or statutory reporting regimes where specific legal provisions displace Article 14 requirements. The applicable legal provision must be identified with precision.
Legal Professional Privilege
Protected legal privilege situations where certain professional secrecy requirements justify exemption. The scope of the privilege must be carefully assessed against the specific processing activity.
Common Misconceptions
Several persistent misconceptions undermine Article 14 compliance programmes. Advanced practitioners must be equipped to identify and correct these misunderstandings within their organisations.
Misconception
"Publicly available data are exempt from GDPR transparency obligations."
Reality
Public availability does not remove Article 14 obligations. Controllers must still establish a lawful basis and provide full transparency — including disclosing that the data came from a publicly accessible source.
Misconception
"Relying on legitimate interest removes the need for transparency."
Reality
Article 14 specifically requires disclosure of legitimate interests when relied upon. Legitimate interest is a lawful basis — it is not a transparency exemption.
Misconception
"Indirect collection only means purchased data."
Reality
Indirect collection encompasses all forms of acquisition from non-data-subject sources — including scraped data, registry data, affiliate-shared data, and AI-generated inferences.
Misconception
"A privacy notice on our website satisfies Article 14."
Reality
Controllers must be able to demonstrate that Article 14 information was actively provided in accordance with timing requirements — passive website publication is generally insufficient.
GDPR Articles Most Closely Intersecting with Article 14
Article 14 does not operate in isolation. A comprehensive compliance programme must account for its interaction with the broader GDPR framework.
Understanding these intersections is essential for practitioners designing enterprise-wide compliance architectures. Each intersecting article creates additional obligations that must be satisfied in conjunction with Article 14 requirements.
Twenty Cross-Cutting Technical Controls for Article 14 Compliance
Mature Article 14 compliance requires systematic technical and organisational controls embedded across the enterprise data governance architecture.
Data Source Inventory Control
Maintain authoritative records identifying every indirect source of personal data across the organisation.
Data Lineage Mapping
Track provenance from original source through all downstream processing activities.
Article 14 Trigger Detection Engine
Automatically identify processing activities involving indirect collection to initiate compliance workflows.
ROPA Integration
Link Article 14 obligations directly to Article 30 Records of Processing Activities.
Purpose Specification Governance
Ensure every indirect collection activity has documented, specific processing purposes.
Legal Basis Registry
Maintain centrally governed legal basis assignments for all indirect processing activities.
Legitimate Interest Assessment Repository
Maintain auditable LIAs where Article 6(1)(f) is relied upon as the lawful basis.
Automated Privacy Notice Generation
Generate notices dynamically from authoritative metadata sources to ensure accuracy and consistency.
Notice Delivery Orchestration
Ensure delivery deadlines are tracked, enforced, and evidenced across all processing channels.
One-Month Compliance Timer Controls
Automatically monitor Article 14 notification deadlines from the point of data acquisition.
First-Contact Compliance Gate
Prevent outbound communication until Article 14 requirements are satisfied for the relevant data set.
Third-Party Disclosure Gate
Prevent onward disclosures where notification requirements remain unmet.
Data Source Transparency Catalogue
Maintain detailed source descriptions and acquisition justifications for all indirect data.
International Transfer Disclosure Management
Integrate transfer registers with privacy notices to ensure transfer disclosures remain current.
Profiling Transparency Controls
Document algorithmic logic, significance, and impacts for all profiling and automated decision-making activities.
Rights Management Integration
Connect Article 14 notices to rights request workflows to enable seamless exercise of data subject rights.
Retention Governance Controls
Ensure retention schedules align with disclosed retention periods across all indirect data sets.
Disproportionate Effort Assessment Framework
Standardised methodology for evaluating and documenting Article 14(5)(b) exemption claims.
Privacy-by-Design Review Checkpoints
Mandatory review of Article 14 implications during system development and procurement processes.
Continuous Compliance Monitoring & Audit
Regular testing of notice accuracy, timing compliance, source attribution, and evidence retention across the enterprise.
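The timing rules under Timing Requirements and the timer, first-contact gate and disclosure gate controls listed above can be expressed as a small state check. This is an added sketch, not code from the original page: the record shape, status names, the placeholder exemption reference and the month-counting convention (same day next month, clamped to month end) are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

def add_one_month(d: date) -> date:
    # Assumed convention: same day next month, clamped to the month's last day.
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class IndirectRecord:  # hypothetical record shape, not a standard schema
    subject_id: str
    source: str                           # provenance, disclosed in the notice
    obtained_on: date
    notice_sent_on: Optional[date] = None
    exemption_ref: Optional[str] = None   # ID of a documented Art. 14(5) assessment

def notice_satisfied(rec: IndirectRecord, today: date) -> bool:
    notified = rec.notice_sent_on is not None and rec.notice_sent_on <= today
    return notified or rec.exemption_ref is not None

def status(rec: IndirectRecord, today: date) -> str:
    # One-month timer: the outer limit runs from the acquisition date.
    if rec.exemption_ref is not None:
        return "exempt"
    if rec.notice_sent_on is not None and rec.notice_sent_on <= today:
        late = rec.notice_sent_on > add_one_month(rec.obtained_on)
        return "notified_late" if late else "notified"
    return "overdue" if today > add_one_month(rec.obtained_on) else "pending"

def may_contact(rec: IndirectRecord, today: date, carries_notice: bool) -> bool:
    # First-contact gate: notice is due no later than the first communication,
    # so the first message may itself deliver the notice.
    return notice_satisfied(rec, today) or carries_notice

def may_disclose(rec: IndirectRecord, today: date) -> bool:
    # Disclosure gate: notice (or a documented exemption) must already be on record.
    return notice_satisfied(rec, today)

# Constructed sample records.
TODAY = date(2024, 3, 1)
RECORDS = [
    IndirectRecord("s-001", "data broker", date(2024, 1, 31)),
    IndirectRecord("s-002", "company registry", date(2024, 2, 20)),
    IndirectRecord("s-003", "acquisition", date(2024, 1, 10), date(2024, 1, 25)),
    IndirectRecord("s-004", "research archive", date(2023, 11, 1),
                   exemption_ref="DEA-PLACEHOLDER"),
]

if __name__ == "__main__":
    for r in RECORDS:
        print(r.subject_id, status(r, TODAY), add_one_month(r.obtained_on),
              may_contact(r, TODAY, carries_notice=False), may_disclose(r, TODAY))
```

Evaluating `status` on every record daily gives the overdue list for the timer control, while the two gate functions are the checks an outbound messaging or data-sharing pipeline would call before releasing a record.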
Advanced Practitioner Teaching Points
Article 14 is fundamentally an accountability obligation, not merely a notice obligation. Regulators increasingly assess whether organisations can demonstrate how data were obtained, why they were obtained, when notice was provided, what information was communicated, and whether exemptions were legitimately invoked.
The Hardest Compliance Challenge
The principal challenge is rarely notice drafting. It is establishing enterprise-wide visibility over indirect data acquisition channels — a fundamentally operational and governance challenge.
The True Maturity Indicator
For advanced organisations, the maturity indicator is not possession of an Article 14 notice template. It is the ability to demonstrate complete provenance, lawful acquisition, timely notification, and ongoing transparency across complex ecosystems of vendors, affiliates, brokers, public sources, AI systems, and data-sharing arrangements.
The Regulatory Perspective
From a regulatory perspective, Article 14 is best understood as the GDPR's primary safeguard against "invisible processing" — ensuring that individuals remain aware of, and able to challenge, processing activities even when the controller never collected information from them directly.