Updated: July 2026
Picture a software-as-a-service (SaaS) company that wants more customers, so it buys leads from a lead generation firm. The leads come with contact details and demographic information about prospective customers. Or picture a real estate agency building a database of potential homebuyers from public sources like property listings and social media profiles.
Both situations raise the same question: what must these companies do under the General Data Protection Regulation (GDPR)? Can they use the data freely, or do they have specific duties? The answer lies mainly in Article 14.
• Article 14 applies when you get personal data from a source other than the person, such as bought leads or public listings.
• You must tell the data subject who you are, why you hold their data, the legal basis, and their rights, within one month at most.
• Transparency here is a legal duty under the GDPR, not an optional extra.
• Some exemptions exist, such as impossible or disproportionate effort, but use them case by case and record your reasons.
The General Data Protection Regulation (GDPR) governs how businesses handle the personal data of people in the European Union (EU). One key part is Article 14, which sets out the information you must provide when you get personal data from a source other than the data subject.
Personal data has become a valued asset. Many organisations collect, use, and process it, from online consumer behaviour to social media activity.
The GDPR is built on transparency. It makes sure people know how their personal data is processed. At its heart is the right to be informed, a core duty for any company that processes personal data. People have the right to know who is collecting their data, why, and what will be done with it. This is a legal duty under Articles 13 and 14 of the GDPR.
Transparency means more than disclosure. Information must be easy to find and easy to understand. Whether you address a tech-savvy adult or a curious child, you must explain your data practices in clear, plain language. This includes the purposes of processing, the lawful basis, and any risks or rights involved.
Sometimes the data does not come directly from the data subject. If a company gets information from a third party, it must still give the data subject key details: who they are, why they hold the data, and who else might access it.
Article 14 of the GDPR covers cases where personal data was not obtained directly from the data subject. In these cases, the data controller (the entity processing the data) must give the data subject certain information.
When personal data comes from a source other than the individual, certain information must be provided to keep processing transparent.
Under Article 14, you must give the data subject:
1. The identity and contact details of the data controller and, where relevant, the controller’s representative.
2. The contact details of the data protection officer, where relevant.
3. The purposes of the processing and its legal basis.
4. The categories of personal data concerned.
5. The recipients or categories of recipients of the personal data, if any.
6. Where relevant, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
The controller must also provide the following, to keep processing fair and transparent:
1. The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
2. Where the processing is based on point (f) of Article 6 (1), the legitimate interests pursued by the controller or by a third party.
3. The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability.
4. Where processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
5. The right to lodge a complaint with a supervisory authority.
6. From which source the personal data originate, and if applicable, whether it came from publicly accessible sources.
7. The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The ICO guidance below sets out the information a company should provide under Article 14. This first set applies in every case.
| What information do we need to provide? | What should we tell people? | When is this required? |
|---|---|---|
| The name and contact details of your organisation | Say who you are and how individuals can contact you. | Always |
| The purposes of the processing | Explain why you use people’s personal data. Be clear about each different purpose. There are many different reasons for using personal data; you will know best the particular reasons why you use data. Typical purposes could include marketing, order processing and staff administration. | Always |
| The lawful basis for the processing | Explain which lawful basis you are relying on in order to collect and use people’s personal data and/or special category data. This is one or more of the bases laid out under Article 6(1) of the UK GDPR. | Always |
| The categories of personal data obtained | Tell people what types of information you are collecting about them. | Always |
| The retention periods for the personal data | Say how long you will keep the personal data for. If you don’t have a specific retention period, then you need to tell people the criteria you use to decide how long you will keep their information. | Always |
| The rights available to individuals in respect of the processing | Tell people which rights they have in relation to your use of their personal data, e.g. access, rectification, erasure, restriction, objection, and data portability. The rights will differ depending on the lawful basis for processing; make sure what you tell people accurately reflects this. The right to object must be explicitly brought to people’s attention clearly and separately from any other information. | Always |
| The right to lodge a complaint with a supervisory authority | Tell people that they can complain to a supervisory authority. Each EU Member State has a designated data protection supervisory authority. Individuals have the right to raise a complaint with the supervisory authority in the Member State where they live, where they work, or where the infringement took place. It is good practice to provide the name and contact details of the supervisory authority that individuals are most likely to complain to if they have a problem. In practice, if you are based in the UK, or you regularly collect the personal data of people that live in the UK, you should inform people that they can complain to the ICO and provide our contact details. | Always |
| The source of the personal data | Tell people where you obtained their information from. If it was a publicly accessible source, you must say this. Be as specific as possible and name the individual source(s) the personal data was obtained from. If you can’t do this because you don’t know the specific source, you should provide more general information. | Always |
This second set applies only when certain conditions are met.
| What information do we need to provide? | What should we tell people? | When is this required? |
|---|---|---|
| The name and contact details of your representative | Say who your representative is and how to contact them. A representative is an organisation that represents you if you are based outside the EU, but you monitor or offer services to people in the EU. | If applicable |
| The contact details of your data protection officer | Say how to contact your data protection officer (DPO). Certain organisations are required to appoint a DPO. This is a person designated to assist with UK GDPR compliance. | If applicable |
| The recipients, or categories of recipients, of the personal data | Say who you share people’s personal data with. This includes anyone that processes the personal data on your behalf, as well as all other organisations. You can tell people the names of the organisations or the categories that they fall within. Be as specific as possible if you only tell people the categories of organisations. | If applicable |
| The details of transfers of the personal data to any third countries or international organisations | Tell people if you transfer their personal data to any countries or organisations outside the EU. Say whether the transfer is made on the basis of an adequacy decision by the European Commission under Article 45 of the UK GDPR. If the transfer is not made on the basis of an adequacy decision, give people brief information on the safeguards put in place in accordance with Article 46, 47 or 49 of the UK GDPR. You must also tell people how to get a copy of the safeguards. | If applicable |
| The right to withdraw consent | Let people know that they can withdraw their consent for your processing of their personal data at any time. Consent must be as easy to withdraw as it is to give. Tell people how they can do this. | If applicable |
| The details of the existence of automated decision-making, including profiling | Say whether you make decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on individuals. Give people meaningful information about the logic involved in the process and explain the significance and envisaged consequences. Whilst this type of processing may be complex, you should use simple, understandable terms to explain the rationale behind your decisions and how they might affect individuals. Tell people what information you use, why it is relevant and what the likely impact is going to be. | If applicable |
The controller should provide this information within a reasonable time after getting the data, so people are informed from the start. Timing matters. Whether it happens at collection, at the first contact with the person, or when the data comes from another party, organisations have at most one month to meet this duty.
If a controller plans to process personal data for a purpose different from the original one, it must tell the individual in advance. This keeps processing transparent and lets people make informed choices about their data.
Transparency comes first, but sometimes providing information is impractical or legally restricted. Even then, companies should stay as transparent as possible and protect privacy and security.
Article 14 gives some exemptions from the duty to inform the data subject. They apply when:
• Providing the information proves impossible or would take disproportionate effort.
• The requirement would make it impossible, or seriously harm, the aims of the processing.
Do not apply these exemptions as a routine. Consider each case on its own. The controller should justify and record its reasons for relying on an exemption. If none applies, the controller must comply with the GDPR as normal.
Example:
A research institution runs a study on historical trends in public health. It obtains anonymised data from hospital records going back several decades. The data subjects are people who were patients at those hospitals at the time.
Here, it might be impossible for the research institution (the controller) to inform the data subjects under Article 14. The reasons could be:
1. Impossibility: The data subjects might not be reachable due to the passage of time, changes in contact information, or even death. Therefore, it would be impossible to provide the required information to the data subjects.
2. Disproportionate effort: Given the potentially large number of data subjects and the age of the data, it might require a disproportionate effort to track down each data subject and provide them with the information required under Article 14.
How the exemption works in practice depends on the exact circumstances and local data protection laws. It is always wise to seek legal advice on these matters.
Transparency is a core part of ethical data management, and a legal duty. When companies put transparency first, they build stronger relationships with customers and show they handle data responsibly.
Article 13 applies when you collect personal data directly from the person. Article 14 applies when you get it from another source, such as a data broker or a public listing. The information you must give is similar, but Article 14 also covers where the data came from.
You have at most one month after getting the data to inform the data subject. If you use the data to contact the person, you must inform them by that first contact at the latest. If you plan to share it with someone else, inform them before you do.
Under Article 14 you must tell the data subject the source of their personal data, and say if it came from a publicly accessible source. If you do not know the exact source, give more general information.
The exemptions apply when giving the information is impossible or would take disproportionate effort, or when it would seriously harm the aims of the processing. Do not apply these as a routine. Consider each case on its own and record your reasons.