GDPR Article 14 Explained: Understanding Your Obligations When You Collect Personal Data Indirectly

When a business collects personal data, the GDPR requires it to follow strict transparency rules. Most organizations understand the duties that arise when collecting data directly from individuals—such as through a sign-up form, an account registration, or a purchase checkout. Those obligations are covered under GDPR Article 13.

But many companies forget that the same level of transparency is required when the data comes from somewhere else—a partner platform, a data broker, public sources, social media, or even internal referrals. That is exactly where GDPR Article 14 applies.

Article 14 of the General Data Protection Regulation is one of the most overlooked parts of the law, yet violations of Article 14 transparency obligations regularly lead to reprimands, audits, and fines. This article explains Article 14 in plain language, outlines the practical steps for compliance, and provides examples to help you understand how to apply it in real business scenarios.


What Is GDPR Article 14?

GDPR Article 14 sets out the information that data controllers must provide to individuals when their personal data is not collected directly from them. In other words, the business obtaining the data does not get it from the person themselves but from:

  • Publicly available sources

  • Affiliates or partners

  • Third-party data brokers

  • Business directories

  • Social networks

  • Customer referrals

  • Other departments or agencies

Whenever a business receives such data, Article 14 requires it to inform the data subject within a reasonable period—generally within one month, or at the first communication with the individual, whichever happens earlier.

The underlying philosophy of Article 14 is:
Data subjects should not be left in the dark about how their personal data came into the hands of an organization.


Why Article 14 Exists: The Goal Behind the Rules

Article 14 ensures transparency and fairness when organizations collect personal data indirectly. Without this rule, companies could easily build large databases of individuals without their knowledge or control. Europeans are granted clear rights under the GDPR, including:

  • The right to access their personal data

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to object

  • The right not to be subject to automated decision-making

But individuals cannot exercise those rights unless they know who is processing their data and why. Article 14 ensures they are informed early enough to take action if they choose.


When GDPR Article 14 Applies

Article 14 applies anytime all of the following conditions are met:

  1. A company obtains personal data about an identifiable person

  2. The data did not come directly from the person

  3. The company becomes a controller, meaning it decides the purposes and means of processing

  4. No Article 14 exceptions apply

Examples include:

  • Buying marketing lists

  • Getting referrals from existing clients

  • Receiving CVs from a recruitment agency

  • Uploading LinkedIn profiles into CRM software

  • Collecting leads from social media scraping

  • Receiving customer data from a partner brand after a joint promotion

  • Importing company contact information from a public registry

Even public information (e.g., LinkedIn or government registers) triggers Article 14 obligations.


What Information Must Be Provided Under Article 14?

GDPR Article 14 outlines a comprehensive list of information that must be shared with the individual. This includes almost everything required under Article 13, plus the following additional items that are unique to Article 14.

Mandatory Information Includes:

1. Controller identity and contact details

Who you are and how the person can reach you for privacy matters.

2. Data Protection Officer (DPO) contact details

Required if you have a DPO.

3. The purposes of processing

Why you are using the data.

4. The legal basis for processing

Common bases include:

  • Legitimate interest

  • Compliance with legal obligations

  • Contract

  • Public task

  • Vital interests

Consent is rarely applicable for indirect data collection unless the individual has already given valid consent elsewhere and you can prove it.

5. Categories of personal data collected

Because the individual did not provide the data directly, you must specify what types of information you received, such as:

  • Contact details

  • Professional details

  • Financial data

  • Behavioral or technical data

  • Demographic data

6. Categories of data sources

Where the data came from. You do not always have to name the exact source, but the description must be sufficiently clear (e.g., public business directories, partner companies, referrals).

7. Recipients of personal data

Any third parties that will receive the data, including:

  • Service providers

  • Analytics platforms

  • Payment processors

  • Group companies

8. Data retention periods

How long the data will be stored and when it will be erased.

9. Rights of the data subject

A clear explanation of GDPR rights.

10. The right to lodge a complaint

Information about the supervisory authority.

11. Whether the data will be used for automated decision-making or profiling

If applicable.

12. Any international transfers

If data is processed or stored outside the EEA, you must outline the safeguards.


When Must You Provide Article 14 Information?

Timing is an essential part of Article 14 compliance. The GDPR defines several scenarios:

1. Within one month of obtaining the data

This is the standard rule.

2. At the first communication with the individual

If you contact the person sooner (e.g., sending a marketing email), you must inform them immediately.

3. At the moment of disclosing the data to another party

If you pass the data to someone else before contacting the data subject, Article 14 information must be provided before the transfer.


Article 14 Exceptions: When You Do Not Have to Inform People

The GDPR allows exceptions in limited circumstances, though they are interpreted narrowly by regulators.

You may skip Article 14 only if one of the following conditions applies:

1. The individual already has the information

You must be able to prove that the person already received all required information from another source.

2. Providing the information is impossible or would involve disproportionate effort

This is most common with:

  • Archival data

  • Large-scale historical data

  • Statistical or scientific research

  • Fraud detection databases

Note: You must still implement appropriate safeguards, such as publicly available privacy notices.

3. Obtaining or disclosure is required by law

For example, criminal investigations or regulatory compliance operations.

4. The data must remain confidential due to professional secrecy

For example, legal privilege.

These exceptions are narrow, and regulators expect documented justification.


Practical Examples of Article 14 in Real Business Scenarios

Understanding theory is helpful, but seeing how Article 14 applies in real life makes it clearer.

Example 1: Marketing List Purchases

A company buys a list of email addresses from a third-party data broker.
Before sending any promotional emails, the company must send each person a privacy notice explaining:

  • Who the company is

  • Why it holds the person’s contact details

  • The source of the data (the data broker)

  • The legal basis (typically legitimate interest)

Example 2: Referral Programs

A client submits their friend’s phone number for a referral discount.
The company must message the friend to tell them:

  • Where their data came from (client referral)

  • Why it was collected

  • How their data will be processed

  • Their right to object

Example 3: Recruitment Agencies

A recruiter provides candidate CVs to a company.
The hiring organization must send the candidate Article 14 information within one month or at first communication.

Example 4: Public Data Extracted from LinkedIn

A B2B sales team manually collects names and emails from LinkedIn profiles.
They must still provide Article 14 information before or during their first outreach.


Legal Basis for Indirect Data Collection Under Article 14

Selecting the appropriate legal basis is crucial. Most organizations rely on legitimate interest, but it must be properly documented in a Legitimate Interest Assessment (LIA). The test includes:

  1. Identifying the legitimate interest

  2. Necessity test

  3. Balancing test (impact on the individual)

If legitimate interest is not appropriate, an alternative basis may apply, such as:

  • Contract (if the data relates to pre-contractual steps)

  • Legal obligation (e.g., fraud checks)

Consent is rarely valid because you did not collect the data directly.


How to Comply with GDPR Article 14: Step-by-Step Guide

Step 1: Identify all indirect data sources

Perform an internal audit and map all incoming personal data sources.

Step 2: Determine the legal basis for processing

Document this clearly for every data source.

Step 3: Prepare an Article 14-compliant privacy notice

Ensure it includes all mandatory elements.

Step 4: Define communication timelines

Implement workflows:

  • Within one month

  • At first contact

  • Before data sharing

Step 5: Automate notifications if possible

CRM platforms, email automation tools, and onboarding workflows can help.

Step 6: Maintain records of compliance

Keep logs of notifications, including timestamps and delivery methods.

Step 7: Train staff

Sales teams, HR teams, support teams, and marketing staff must understand Article 14 obligations.

Step 8: Review exceptions and document justification

Never assume an exception applies.
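As an added illustration of the timing rules described earlier and of Step 4 and Step 6 (example code, not part of the original article): a small Python helper that computes the Article 14 deadline for an indirectly obtained record as the earliest of one month after acquisition, the first communication and the first onward disclosure, classifies whether the notice went out in time, and produces the kind of log entry Step 6 asks for. The record schema and the sample record are assumptions constructed for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class IndirectRecord:
    """One data subject whose data was obtained indirectly (hypothetical schema)."""
    subject_id: str
    source_category: str                          # e.g. "data broker", "client referral"
    obtained_at: datetime                         # when the controller received the data
    first_contact_at: Optional[datetime] = None   # first communication with the person
    disclosed_at: Optional[datetime] = None       # first onward disclosure to a recipient
    notified_at: Optional[datetime] = None        # when the Article 14 notice was sent
    delivery_method: str = ""                     # e.g. "email", "sms" (kept as proof)

def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to the month's last day (31 Jan -> 29 Feb 2024)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)

def article14_deadline(rec: IndirectRecord) -> datetime:
    """Earliest of: one month after obtaining, first contact, onward disclosure."""
    candidates = [add_one_month(rec.obtained_at)]
    candidates += [t for t in (rec.first_contact_at, rec.disclosed_at) if t is not None]
    return min(candidates)

def notice_status(rec: IndirectRecord, now: datetime) -> str:
    """'on_time' / 'late' once notified; 'pending' / 'overdue' while not yet notified."""
    deadline = article14_deadline(rec)
    if rec.notified_at is not None:
        return "on_time" if rec.notified_at <= deadline else "late"
    return "overdue" if now > deadline else "pending"

def compliance_log_entry(rec: IndirectRecord, now: datetime) -> dict:
    """Entry to retain as evidence of whether and when the notice was sent (Step 6)."""
    return {
        "subject_id": rec.subject_id,
        "source_category": rec.source_category,
        "deadline": article14_deadline(rec).isoformat(),
        "notified_at": rec.notified_at.isoformat() if rec.notified_at else None,
        "delivery_method": rec.delivery_method or None,
        "status": notice_status(rec, now),
    }

# Constructed sample: list bought on 31 Jan 2024, first marketing email on 10 Feb 2024.
UTC = timezone.utc
SAMPLE = IndirectRecord("subj-001", "data broker", datetime(2024, 1, 31, tzinfo=UTC),
                        first_contact_at=datetime(2024, 2, 10, tzinfo=UTC),
                        notified_at=datetime(2024, 2, 10, tzinfo=UTC), delivery_method="email")
```

Running `compliance_log_entry(SAMPLE, now)` on a batch of CRM imports gives a per-record list of overdue notices before the first outreach goes out.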


Common Mistakes Companies Make with Article 14

  • Failing to send notices when importing data into CRM

  • Assuming publicly available data does not require notification

  • Relying on “legitimate interest” without assessments

  • Not informing individuals within the correct timeframe

  • Assuming data brokers have obtained consent

  • Not documenting data sources clearly

  • Overlooking joint controller scenarios

  • Failing to maintain proof that Article 14 notifications were sent

Regulators across the EU have issued fines specifically because of these errors.


Why Article 14 Compliance Matters More Today

With the rise of AI, large datasets, and automated profiling, regulators have increased scrutiny on indirect data collection. The largest enforcement actions in this area often involve:

  • Online advertising companies

  • Lead generation companies

  • App developers

  • Recruiters

  • Data brokers

  • Insurers

  • Financial services

Transparency is becoming the central theme of modern privacy enforcement, and Article 14 is at the heart of that.


Conclusion: Article 14 Is a Core Component of GDPR Transparency

GDPR Article 14 ensures that individuals remain informed and empowered even when their personal data is obtained indirectly. For organizations, compliance requires a mix of documentation, timely communication, and internal workflows.

By understanding the requirements—especially what information must be provided, when, and under what legal basis—businesses can significantly reduce regulatory risk and demonstrate a commitment to fair and transparent data processing.