Article 14 Guide: Meeting Regulatory Requirements for Personal Data Not Directly Obtained from Data Subjects

Imagine a software-as-a-service (SaaS) company looking to grow its clientele by purchasing leads from a specialized lead generation firm. These leads come complete with contact details and demographic information of prospective customers. In a similar scenario, envision a real estate agency building a database of potential homebuyers through publicly accessible sources such as property listings and social media profiles. Both situations pose a crucial question:What are the obligations of these companies under the General Data Protection Regulation (GDPR)? Can they freely utilize the obtained data, or are there specific responsibilities they must adhere to?

Let’s delve into the key considerations and responsibilities mandated by GDPR when handling such data acquisition practices.

GDPR and Transparency

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs how businesses handle personal data of individuals within the European Union (EU). One of the key aspects of this regulation is Article 14, which outlines the information that must be provided when personal data is obtained from a source other than the data subject.

Personal data has emerged as a valuable asset, continuously amassed, utilized, and processed by diverse entities, spanning from online consumer behavior to social media engagements.

The GDPR serves as a guiding light of transparency, ensuring that individuals are informed about the processing of their personal data. At the heart of this regulation lies the right to be informed, a fundamental aspect of data protection and a main obligation of the companies that are processing personal data of individuals. Data subjects have the right to know who is collecting their data, why they’re collecting it, and what they intend to do with it. This transparency is not merely a formality; it’s a legal obligation under Articles 13 and 14 of the GDPR.

Transparency doesn’t stop at mere disclosure. It’s about making information accessible and understandable. Whether companies are making an announcement to a tech-savvy adult or a curious child, they must communicate their data practices in clear, plain language. This includes detailing the purposes of data processing, the lawful basis for such processing, and any potential risks or rights associated with it.

But what if the data wasn’t obtained directly from the data subject?

For instance, if a company acquires information from a third party, they are still obligated to furnish essential details to the data subject. In such cases, they’re still obligated to provide the data subject with essential details about their data, including who they are, why they have their data, and who else might access it.

What is Article 14 of GDPR?

Article 14 of GDPR pertains to situations where personal data has not been obtained directly from the data subject. In such cases, the data controller (the entity processing the data) is required to provide the data subject with certain information.

What Information Must Be Provided to Data subjects?

When personal data is obtained from sources other than the individual – data subject, certain information must be provided to ensure transparency.

According to Article 14, the following information must be provided to the data subject:

1. The identity and contact details of the data controller and, where applicable, of the controller’s representative.
2. The contact details of the data protection officer, where applicable.
3. The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
4. The categories of personal data concerned.
5. The recipients or categories of recipients of the personal data, if any.
6. Where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

In addition to the above, the controller must provide the following information necessary to ensure fair and transparent processing:

1. The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
2. Where the processing is based on point (f) of Article 6 (1), the legitimate interests pursued by the controller or by a third party.
3. The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability.
4. Where processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
5. The right to lodge a complaint with a supervisory authority.
6. From which source the personal data originate, and if applicable, whether it came from publicly accessible sources.
7. The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Here is an ISO guidance outlining the type of information that a company should provide in any scenario when operating under Article 14:

This ICO guidance specifies the information that a company should provide when operating under Article 14, particularly when certain criteria are met:

When Should This Information Be Provided?

The controller should provide this information within a reasonable timeframe from obtaining the data, ensuring individuals are informed from the outset. The timeline for providing this information is crucial. Whether it’s upon data collection, the first communication with the individual, or when data is acquired from another party, organizations have a maximum of one month to fulfil this obligation.

Addressing Changes in Data Processing

In instances where data controllers intend to process personal data for purposes other than originally collected, individuals must be informed in advance. This proactive approach ensures transparency and allows individuals to make informed decisions about their data.

Exceptional Circumstances and Exemptions

While transparency is paramount, there may be situations where providing information is impractical or legally restricted. However, companies should strive to maintain transparency to the greatest extent possible, prioritizing privacy and security.

Article 14 of the GDPR does provide certain exemptions from the obligation to inform the data subject about the processing of their personal data. These exemptions apply under the following circumstances:

– If the provision of such information proves impossible or would involve disproportionate effort.

– If the notification requirement is likely to render impossible or seriously impair the achievement of the objectives of that processing.

It’s crucial to emphasize that routinely applying these exemptions is not advisable; instead, they should be carefully considered on a case-by-case basis. The data controller should justify and document their reasons for relying on an exemption. If no exemption applies, the data controller must comply with the GDPR as normal.

Example:

A research institution conducting a study on historical trends in public health. They obtain anonymized data from hospital records dating back several decades. The data subjects are individuals who were patients at those hospitals during that time.

In this case, it might be impossible for the research institution (the data controller) to provide information to the data subjects under Article 14 of the GDPR. The reasons could be:
1. Impossibility: The data subjects might not be reachable due to the passage of time, changes in contact information, or even death. Therefore, it would be impossible to provide the required information to the data subjects.
2. Disproportionate effort: Given the potentially large number of data subjects and the age of the data, it might require a disproportionate effort to track down each data subject and provide them with the information required under Article 14

The actual application of the exemption would depend on the specific circumstances and local data protection laws. It’s always recommended to seek legal advice when dealing with such matters.

Conclusion

Transparency is not merely a compliance requirement but a fundamental aspect of ethical data management. By prioritizing transparency, companies can build stronger relationships with their customers and demonstrate a commitment to responsible data handling practices.

Stay tuned to our blog for more insights on navigating the complex landscape of data protection and privacy compliance. Together, we can ensure that transparency remains at the forefront of our data management efforts.