Articles 13 and 14 of the GDPR state that information must be provided where personal data has been obtained directly from a data subject, or where personal data has not been collected directly from the data subject, respectively.
We often see that clients are fully compliant with Article 13 and know it’s a high-priority item to have in place. But when it comes to GDPR Article 14, we frequently see confusion, especially around understanding the privacy notice and when you are required to provide one. This is because it’s easy to assume that, by obtaining personal data from third parties, data subjects have already been informed, which is not always the case. A privacy notice is a public document that explains how an organisation processes personal information and applies data protection principles. To remain compliant with the GDPR, it’s crucial for organisations to be transparent with data subjects about how their personal data has been obtained, especially if it’s via a third party.
In this blog, we discuss when businesses should provide an Article 14 privacy notice, what a privacy notice should contain, conducting supplier due diligence when acquiring personal data from third parties, and the importance of documenting the source of personal data.
Understanding when you need to provide an Article 14 privacy notice is the first step in complying with Article 5’s principle on fairness and transparency. The regulation states that data controllers must provide data subjects with an Article 14 privacy notice where personal data has not been obtained from the data subject.
Recital 60 explains this further, stating that “principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes” and that “data controllers should provide the data subject with any further information necessary to ensure fair and transparent processing.”
In most businesses it is the sales and marketing team who obtain personal data from a third party. This could be from marketing campaigns on social media, purchasing mailing lists, or in some cases web scraping tools, such as plug-ins. All these sources are third parties and require you to comply with Article 14 by providing a privacy notice to the data subject.
The privacy notice should be provided at the first point of contact or within 30 days of obtaining the personal data. If you are contacting the data subject by phone, you should tell them who you are, where you obtained their personal data and for what purpose you will be using it, and in further communication provide them with the privacy notice in writing.
It is important to note that, prior to contacting the data subject, you should first cross-check the data against the Telephone, Mailing and Corporate Preference Services to ensure their details are not registered there; otherwise you will be in breach of their data subject rights.
The ICO has provided a helpful guide on what to include in your Article 14 privacy notice. It is essentially a copy of your Article 13 privacy notice but with additional information on the source of the personal data.
It is important to understand that when purchasing personal data from third parties, adequate supplier due diligence must be carried out. As a data controller, it is your responsibility to process personal data in a lawful manner. This includes ensuring that you only use third parties who can verify that they have collected the personal data lawfully and are GDPR compliant.
To keep track of the different sources of personal data, it’s helpful to document them. The Records of Processing Activities (ROPA) document found in Article 30 is one way to keep track of personal data that has been collected. You can use ROPA as a tool to understand the data flow between parties you share the information with, and for understanding which processes require you to provide an Article 14 privacy notice.
The Polish data protection authority (UODO) fined Swedish data aggregation company Bisnode €220,000 for a GDPR violation of Article 14. Bisnode were found to have collected personal data from the public records and databases of approximately 700,000 data subjects without providing a privacy notice. Bisnode decided they were exempt from Article 14 because notifying over 6 million data subjects, for whom they did not have an email address, would be disproportionate, saying that it would cost the company €7.7 million. The UODO, however, ruled against this, since approximately 12,000 of those data subjects had already objected to the processing of their personal data.
Ali is a seasoned GDPR Consultant who's written insightful articles on the subjects of GDPR compliance and data protection.