When an organization collects personal data indirectly, it triggers one of the most important—but often misunderstood—obligations under the EU’s data protection framework: the requirement to send a GDPR Article 14 notice email. This notice is not optional. It is a mandatory step that ensures transparency, fairness, and accountability when the controller acquires personal data through a third party, a public source, automated tools, data brokers, open-source intelligence, or any method other than direct collection from the data subject.
What Is a GDPR Article 14 Notice Email?
A GDPR Article 14 notice email is a formal communication that a data controller must send to individuals when it processes their personal data without obtaining that data directly from them. The notice provides the individual with all information that Article 14 requires, including:
- The identity and contact details of the controller
- The categories of personal data obtained
- The source of the personal data
- The purpose and legal basis for processing
- Data retention periods
- Recipients of the data
- A clear explanation of the data subject’s rights
This is sometimes referred to as:
- Article 14 transparency notice
- Indirect data collection notice
- Third-party sourcing notice
- Fair processing notice
Regardless of the terminology, the meaning is the same: you acquired data indirectly, so you must inform the people concerned.
When Must a GDPR Article 14 Notice Email Be Sent?
According to GDPR Article 14(3), the controller must provide the notice:
- Within a reasonable period, but no later than one month after obtaining the personal data.
- At the time of the first communication, if you contact the person before one month has passed.
- Before personal data is disclosed to another recipient.
This timeline is strict. Many companies make the mistake of assuming they can send an Article 14 notice “when convenient.” That is incorrect. A controller must send the notice within the 30-day window, or sooner if either of the two additional triggers occurs first.
Practical examples:
- If you purchase a marketing list, you must send the notice within 30 days.
- If you email an indirectly-sourced lead after 7 days, the notice must be included in that first email.
- If you found someone’s professional email from public sources and plan to share their contact details internally, you must send the notice before the sharing occurs.
Why Is a GDPR Article 14 Notice Important?
There are three reasons this obligation exists:
1. Transparency
Individuals must always know how and why their data is being processed—regardless of the source. Article 14 prevents secret data processing.
2. Fairness
If the data subject is unaware that their email, phone number, or personal information has been passed between companies, they are deprived of their rights. The notice restores balance.
3. Legal Compliance
Failing to provide an Article 14 notice is considered a breach of the GDPR’s core principles. Supervisory authorities have issued fines specifically for this failure, especially in marketing, HR, recruitment, and analytics contexts.
What Must Be Included in a GDPR Article 14 Notice Email?
Article 14 lists specific mandatory components. A compliant email must cover all of the following elements in clear, accessible language.
1. Identity and contact details of the controller
This includes company name, address, and a privacy contact email.
2. Contact details of the Data Protection Officer (if applicable)
If your organization has a DPO, you must include their email or other contact route.
3. Purposes of processing
Explain what you do with the data (e.g., marketing, recruitment, fraud prevention, analytics).
4. Legal basis for processing
You must identify which lawful basis under Article 6 applies:
- Legitimate interests
- Legal obligation
- Performance of contract
- Consent
- Public task
- Vital interests
For marketing, legitimate interest is the most commonly used basis, but it must be properly balanced.
5. Categories of personal data
For example:
- Name
- Phone number
- Job title
- Public profile data
- Company information
Avoid vague terms like “various information.”
6. Source of the data
You must specify where and how you obtained it. Examples:
- Public websites
- Social media profiles
- A partner organization
- A commercial data provider
- Public registries
Importantly: you do not need to name the specific individual who provided the data, but you must provide enough context to allow the data subject to understand the source.
7. Recipients or categories of recipients
Identify any third parties that may receive the data (e.g., marketing platforms, analytics companies, partners).
8. Retention period
Specify how long the data will be stored, or the criteria used to determine the period.
9. Rights of the individual
The email must list or reference the following rights:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction
- Right to object
- Right to data portability
If you rely on legitimate interest, you must clearly explain the individual’s right to object.
10. Right to complain to a supervisory authority
You must state that the individual can file a complaint with their local Data Protection Authority.
11. Whether automated decision-making is involved
If applicable, you must explain profiling, scoring, or automated decision-making mechanisms.
How to Write a GDPR Article 14 Notice Email
The challenge is simple: your message must be complete, compliant, and understandable. The tone should be formal but not intimidating. A good Article 14 email explains why you are contacting the recipient and offers reassurance.
Below is a recommended structure:
1. Clear introduction
State why the individual is receiving this message.
2. Explanation of data source
Be transparent and straightforward.
3. Purpose of processing
Explain business context and why the individual may benefit from the contact.
4. Legality
Identify your legal basis.
5. Full Article 14 information block
Include all mandatory elements in a well-organized, concise format.
6. Rights section
Provide actionable instructions on exercising rights.
7. Closing
End politely, emphasizing transparency.
Example of a GDPR Article 14 Notice Email (Compliant Format)
Below is a structured example demonstrating how a compliant notice can be written. This is not legal advice but a model for clarity and style.
Subject: Information Notice Regarding Your Personal Data (GDPR Article 14)
Dear [Name],
We are contacting you to provide transparency about how we obtained and use your professional contact details, as required by Article 14 of the General Data Protection Regulation (GDPR).
How we obtained your data
Your name, job title, and email address were collected from publicly available professional sources, including business websites, directories, and professional networking information. We did not obtain your data directly from you.
Purpose and legal basis
We process your personal data to [explain purpose—for example, “share professional information and updates relevant to your industry”]. Our legal basis for this processing is legitimate interest (Article 6(1)(f) GDPR). We have conducted a legitimate interest assessment confirming that our communication is balanced, relevant, and does not override your rights.
Categories of personal data
We process the following data:
– Name
– Professional email address
– Job title
– Company affiliation
– Publicly available business profile information
Recipients
Your data may be shared with our internal teams and authorized processors who provide secure email delivery and CRM services. We do not sell or trade your personal data.
Retention period
We retain your data for [X months/years], or until you object or request deletion.
Your rights
Under the GDPR, you have the right to access, rectify, delete, restrict processing, or object at any time. You may exercise these rights by contacting us at: [privacy email].
If you believe that your rights have been violated, you may lodge a complaint with your local Data Protection Authority.
Controller details
[Company Name]
[Address]
Email: [Privacy Contact]
Data Protection Officer (if applicable): [DPO email]
If you prefer that we do not contact you again, simply reply STOP or email us with “opt-out,” and we will remove you from all future communications.
Thank you for your attention.
Kind regards,
[Controller Name / Department]
Best Practices for Article 14 Notice Emails
To ensure compliance and positive perception from recipients, follow these practical guidelines:
1. Avoid overly long explanations
Use clear, concise language. Long paragraphs reduce clarity and may cause recipients to miss essential instructions.
2. Do not hide or delay the notice
If your first communication is a marketing email, the Article 14 notice must appear in that same email or be attached to it in a clear form.
3. Use plain language
The GDPR encourages understandable, non-technical phrasing.
4. Make the opt-out process effortless
One-click or one-reply opt-out mechanisms improve fairness and reduce complaints.
5. Keep internal documentation
Maintain records of when notices were sent, to whom, and with what content.
6. Align your CRM workflow
Marketing and sales teams must understand that contacting individuals sourced from indirect channels without a prior or simultaneous Article 14 notice is unlawful.
7. Conduct a Legitimate Interest Assessment (LIA) if applicable
If relying on legitimate interest, document the assessment.
8. Ensure that data accuracy is maintained
If the sourcing was from public data, verify that the information is still valid.
9. Do not send notices for data exempt under Article 14(5)
Some exceptions include:
- If providing the information is impossible
- If it requires disproportionate effort
- If EU law requires secrecy
- If the data subject already has the information
But these must be interpreted narrowly.
10. Use a standardized template
Creating a reusable but adaptable template ensures consistency.
Common Mistakes to Avoid
Many companies fail GDPR audits because of simple oversights. Avoid the following errors:
- Sending marketing emails without including the Article 14 notice
- Using vague language like “we got your email from the internet”
- Not identifying the lawful basis
- Not explaining the retention period
- Ignoring the requirement to offer rights and opt-out
- Not keeping evidence of compliance
- Assuming B2B emails are exempt (they are not)
- Thinking Article 14 does not apply to publicly available data
- Sending notices without DPO contact when required
A compliant notice requires accuracy and completeness.
Conclusion
A GDPR Article 14 notice email is a cornerstone element of lawful data processing when personal data is acquired indirectly. It protects individual rights, ensures transparency, and shields organizations from regulatory penalties. By following the clear structure, mandatory elements, and best practices outlined in this article, any organization can confidently craft Article 14 notices that meet both the letter and spirit of the GDPR.