Overview
This article requires organizations to provide clear and transparent information to data subjects when their personal data is obtained indirectly from sources other than the data subject. Information must include the purposes of processing, the data source, and the rights of the data subject, and must be provided within one month of obtaining the data, unless an exemption applies.
Key Principles
Transparency: Inform data subjects about the collection and use of their personal data, even if obtained indirectly.
Timely Communication: Information must be provided within one month of obtaining the data.
Data Subject Rights: Explain the rights available, including access, correction, and objection.
Exemptions: Certain circumstances may allow delays or waivers, such as legal obligations or disproportionate effort.
Organizational Applicability
This article applies to all organizations that obtain personal data indirectly within the EU:
Controllers acquiring personal data from third parties, public sources, or other indirect means.
Public and private sector entities processing data of EU/EEA residents.
Teams responsible for data intake, compliance, or data governance when data is not collected directly from the individual.
Implementation Requirements
Identify personal data obtained indirectly and the source of the data.
Provide a privacy notice to the data subject including processing purposes, source, and rights.
Ensure delivery of information within the one-month timeframe, unless exempted.
Maintain records of notices issued and any exemptions applied.
Implementation Guidance
Develop standard procedures to notify data subjects when data is collected indirectly.
Use automated or manual systems to track deadlines and delivery of information.
Review exemptions and ensure there is a legal basis for any delayed or waived notifications.
Train staff to handle indirect data collection and communications with data subjects.
Periodic Review
Frequency: Annually or when new sources of indirect data are introduced.
Responsible Role: Data Protection Officer (DPO) or Compliance Team.
Outcome: Ensure data subjects are informed appropriately and notices are delivered on time.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover.
Legal Exposure: Regulatory investigations, complaints, or enforcement actions.
Reputational Damage: Loss of trust with data subjects and stakeholders.
Operational Risk: Failure to notify subjects may require remediation or corrective actions.