GDPR ARTICLE 14: Where did you get my personal data?
Articles 13 and 14 of the GDPR state that information must be provided where personal data has been obtained directly from a data subject, or where personal data has not been collected directly from the data subject, respectively.
We often see that clients are fully compliant with Article 13 and know it’s a high priority item to have in place. But when it comes to GDPR Article 14, we frequently see confusion, especially around understanding the privacy notice and when you are required to provide one. This is because it’s easy to assume that by obtaining personal data from third parties, data subjects have already been informed, which is not always the case. A privacy notice is a public document that explains how an organisation processes personal information and applies data protection principles. To remain compliant to the GDPR, it’s crucial for organisations to be transparent with data subjects on how their personal data has been obtained, especially if it’s via a third party.
In this blog, we discuss when businesses should provide an Article 14 privacy notice, what a privacy notice should contain, conducting supplier due diligence when acquiring personal data from third parties, and the importance of documenting the source of personal data.
When do I need to provide an Article 14 privacy notice?
Understanding when you need to provide an Article 14 privacy notice is the first step in complying with Article 5’s principle on fairness and transparency. The regulation states that data controllers must provide data subjects with an Article 14 privacy notice where
personal data has not been obtained from the data subject.
Recital 60 explains this further stating,
principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes and that
data controllers should provide the data subject with any further information necessary to ensure fair and transparent processing.
In most businesses it is the sales and marketing team who obtain personal data from a third party. This could be from marketing campaigns on social media, purchasing mailing lists, or in some cases web scraping tools, such as plug-ins. All these sources are third parties and require you to comply with Article 14 by providing a privacy notice to the data subject.
The privacy notice should be provided at the first point of contact or within 30 days of obtaining the personal data. If you are contacting the data subject by phone, you should provide them with information on who you are, where you obtained their personal data, for what purpose you will be using it for, and in further communication, provide them with the privacy notice in writing.
It is important to note that prior to contacting the data subject, you should first cross check the data against the Telephone, Mailing, and Corporate Preference Service to ensure their details are not registered there, otherwise you will be in breach of their data subject rights.
What should be included in the privacy notice?
The ICO has provided a helpful guide on what to include in your Article 14 privacy notice. It is essentially a copy of your Article 13 privacy notice but with additional information on the source of the personal data.
|What information do we need to provide?||Personal data collected from individuals (Article 13)||Personal data obtained from other sources (Article 14)|
|The name and contact details of your organisation||Yes||Yes|
|The name and contact details of your representative||Yes||Yes|
|The contact details of your data protection officer||Yes||Yes|
|The purpose of the processing||Yes||Yes|
|The lawful basis for the processing||Yes||Yes|
|The legitimate interests for the processing||Yes||Yes|
|The categories of personal data obtained||No||Yes|
|The recipients or categories of recipients of the personal data||Yes||Yes|
|The details of transfers of the personal data to any third countries or international organisations||Yes||Yes|
|The retention periods for the personal data||Yes||Yes|
|The rights available to individuals in respect of the processing||Yes||Yes|
|The right to withdraw consent||Yes||Yes|
|The right to lodge a complaint with a supervisory authority||Yes||Yes|
|The source of the personal data||No||Yes|
|The details of whether individuals are under statutory or contractual obligation to provide the personal data||Yes||Yes|
|The details of the existence of automated decision-making, including profiling||Yes||Yes|
Supplier Due Diligence
It is important to understand that when using third parties to purchase personal data, there needs to be adequate supplier due diligence carried out. As a data controller, it is your responsibility to process personal data in a lawful manner. For instance, ensuring that you are only using third parties who can verify they have collected the personal data lawfully and are GDPR compliant.
Documenting the source of personal data under GDPR
To keep track of the different sources of personal data, it’s helpful to document them. The Records of Processing Activities (ROPA) document found in Article 30 is one way to keep track of personal data that has been collected. You can use ROPA as a tool to understand the data flow between parties you share the information with, and for understanding which processes require you to provide an Article 14 privacy notice.
The Polish data protection authority (UODO) fined Swedish data aggregation company Bisnode €220,000 for a GDPR violation of Article 14. Bisnode were found to have collected personal data from the public records and databases of approximately 700,000 data subjects without providing a privacy notice. Bisnode decided they were exempt from Article 14 because notifying over 6 million data subjects, for whom they did not have an email address, would be
disproportionate saying that it would cost the company €7.7 million. The UODO however, ruled against this since approximately 12,000 of those data subjects had already objected to the processing of their personal data.
- Article 14 of the GDPR states that information must be traceable where personal data has not been obtained directly from the data subject
- To remain compliant, it is essential for data subjects to be informed when companies have collected personal data from them directly, and indirectly, via third parties
- It’s important for organisations to know when to provide an Article 14 privacy notice to comply with the principles of fairness and transparency in Article 5 of the GDPR
- Supplier due diligence is crucial to understanding whether third parties can validate that they have collected personal data lawfully
- A ROPA document is another way to ensure GDPR compliance, by keeping a record of your data processing activities and understanding which processes require an Article 14 privacy notice
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.