🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays
Call us on +(33)4 28 70 91 81
Log in

Article 14 of the GDPR: Information to be provided when data is not collected from the data subject

Home GDPR articles decrypted Article 14 of the GDPR: Information to be provided when data is not collected from the data subject
Article 14 of the GDPR supplements Article 13 by specifying the information to be communicated to a data subject when their personal data has been collected indirectly, i.e. by a third party or another source.

Article 14 of the GDPR explained

The data controller must provide the data subject with the following information:

  • Identity and contact details of the data controller,
  • Purposes and legal basis for processing.
  • Categories of data concerned,
  • Potential recipients,
  • Shelf life,
  • Rights of individuals (access, rectification, erasure, etc.),
  • Right to lodge a complaint with a supervisory authority,
  • Data source,
  • Existence of automated decision-making.

This information must be provided within a reasonable time, at the latest within one month, or during the first communication with the person concerned, as appropriate.

Why is this article important for your GDPR compliance?

Article 14 ensures the transparency even in indirect processing, particularly in cases of database purchases, commercial partnerships or delegated processing. Omitting this information constitutes a violation of the GDPR.

How to comply with Article 14 of the GDPR?

  • Include mentions of article 14 in your privacy policy documents or in direct communication (email, post, etc.).
  • Establish a process to identify cases of indirect collection.
  • Inform people within the time limits provided for by law (1 month maximum).
  • Document this action in your processing log.

Examples of application of Article 14 of the GDPR

  • A company purchases a prospecting file: it informs the people concerned by e-mail within 30 days.
  • A community obtains data from another public body: it makes a specific information page available on its site.
  • A recruiter consults profiles on LinkedIn: he informs candidates from the first contact.

Related Resources

Accelerate your compliance in just a few clicks

With our all-in-one solution, you can accelerate and ensure compliance easily:

  • Automate your compliance with our GDPR software
  • Supported or outsourced by our DPO experts
  • Raise awareness among your teams with our GDPR training e-learning

👉 Request a demo with an expert

⚡ Assess your situation in 15 minutes with our free, no-obligation GDPR self-diagnosis.

👉 GDPR: Self-assess now

Other articles
on the same subject