In one sentence. GDPR Article 14 governs the privacy notice when personal data is obtained from a source other than the data subject — data brokers, public registers, partners, lead enrichment, scraped sources. The information items mirror Article 13, but the timing is different: within a reasonable period and at the latest within one month of obtaining the data, OR at the moment of first communication to the data subject, whichever is earlier. Five narrow exemptions exist.
Article 14 is where most data brokers, lead-enrichment vendors, and B2B prospecting tools fail. The CNIL has fined multiple controllers in 2023-2025 for purchasing or scraping data without ever informing the data subject. The information obligation cannot be waived by the upstream source.
For its sister provision (direct collection), see GDPR Article 13 information notices. For modalities, GDPR Article 12 transparency.
Key takeaways
- Article 14 applies whenever data is obtained from a source other than the data subject.
- 14 mandatory information items — same as Article 13 plus the source of the data.
- Timing: within a reasonable period, no later than one month OR at first communication to the data subject, whichever is earlier.
- Five exemptions (Article 14(5)) — narrow and require documentation.
- B2B prospecting via purchased lists requires Article 14 compliance — the CNIL has sanctioned several SaaS vendors on this ground.
1. When Article 14 applies
Whenever personal data is collected from any source other than the data subject:
- Data brokers (LeadIQ, ZoomInfo, Cognism, etc.)
- Lead-enrichment APIs (Clearbit, Hunter.io)
- Public registers (commercial register, LinkedIn-scraped data)
- Partners sharing customer lists
- Mailing list purchases
- Scraped data
- Data inherited from acquired companies
- Internal sources where the data subject didn’t directly provide the data
If your processing combines direct + indirect collection (most B2B SaaS), both Articles 13 and 14 apply — to different data flows.
2. Information items (Article 14(1)-(2))
The list largely mirrors Article 13 with one critical addition:
| # | Item | Article |
|---|---|---|
| 1 | Identity and contact details of controller | 14(1)(a) |
| 2 | DPO contact if designated | 14(1)(b) |
| 3 | Purposes and lawful basis | 14(1)(c) |
| 4 | Categories of personal data (added vs Article 13) | 14(1)(d) |
| 5 | Recipients | 14(1)(e) |
| 6 | International transfers + safeguards | 14(1)(f) |
| 7 | Storage period | 14(2)(a) |
| 8 | Legitimate interests pursued (if applicable) | 14(2)(b) |
| 9 | Rights (access, rectification, erasure, etc.) | 14(2)(c) |
| 10 | Right to withdraw consent | 14(2)(d) |
| 11 | Right to lodge complaint with DPA | 14(2)(e) |
| 12 | From which source the data originates, including public sources (added vs Article 13) | 14(2)(f) |
| 13 | Existence of automated decision-making | 14(2)(g) |
The two key additions vs Article 13: categories of data and source of data.
3. Timing (Article 14(3))
The notice must be provided:
- Within a reasonable period after obtaining the data
- At the latest within one month, OR
- At the time of first communication with the data subject (if earlier), OR
- At the time of first disclosure to another recipient (if earlier)
Common practice: send a “transparency email” within 30 days of obtaining the data, OR include the notice in the first marketing email.
Critical: the deadline is from when YOU obtained the data, not from when the data subject becomes a customer. A vendor who scraped emails in January and emails them in March is already late.
4. The five exemptions (Article 14(5))
Article 14(5) lifts the obligation if:
| Exemption | Practical scope |
|---|---|
| (a) Data subject already has the information | Narrow — must be provable |
| (b) Provision proves impossible or disproportionate effort, particularly for archiving/scientific research/statistical purposes | Most-invoked — but EDPB has clarified it requires specific assessment, not a blanket policy |
| (c) Obtaining or disclosure is expressly laid down by EU/Member State law | Narrow — actual law required |
| (d) Personal data must remain confidential under professional secrecy obligations | Lawyer-client, doctor-patient |
| (e) Personal data was already known to the data subject (in effect, (a) restated) | — |
The most common is (b), disproportionate effort. The EDPB requires a documented assessment covering:
- Number of data subjects affected
- Age of the data
- Appropriate safeguards (e.g., publication on a website where data subjects can find the notice)
The CJEU and EDPB have rejected blanket invocations: each batch of data needs its own assessment.
5. B2B prospecting and Article 14
B2B prospecting via purchased or enriched lists is a major Article 14 enforcement target. The CNIL has sanctioned several B2B SaaS vendors in 2023-2025 for:
- Sending cold emails without ever providing the Article 14 notice
- Invoking “disproportionate effort” without the required documented assessment
- Failing to mention the source (e.g., “obtained from a public register” — too vague; must be specific)
Compliant B2B prospecting:
- The data source must itself be lawful (the broker has lawful basis)
- Article 14 notice provided within 30 days OR in the first email
- Source of data named (not “from a marketing partner”)
- Right to object easy to exercise
- Lawful basis for the prospecting itself documented (typically legitimate interest with LIA)
For the legitimate interest assessment: see GDPR legitimate interest guide.
6. The “source of data” requirement
Article 14(2)(f) requires disclosing from which source the data originates, including public sources. The CNIL has clarified:
- Generic “marketing partners” is not specific enough
- Specific named source required: “obtained from [Vendor X] B2B database”
- For public sources: “obtained from the French commercial register (RCS)”
- For scraped data: this is virtually always non-compliant — public availability does not lift the obligation
7. Privacy notice template for Article 14 scenarios
We obtained your data from [Specific Source — name and type]. We process it
because [purpose] under our [lawful basis — typically legitimate interest
with documented LIA].
Categories of data we hold: [name, professional email, employer, role,
LinkedIn URL, etc.]
You can:
- Request access to your data: privacy@company.com
- Object to our processing: [one-click link]
- Lodge a complaint with the CNIL: cnil.fr/plaintes
Retention: [period]. International transfers: [details + safeguards].
Full notice: [link to layer 2].
8. Sanctions
| Year | Sanction | Article 14 violation |
|---|---|---|
| 2023 | Multiple B2B SaaS (CNIL) — €10K-€100K each | Cold prospecting without Article 14 notice |
| 2022 | Clearview AI (CNIL) — €20M | Mass scraping without informing data subjects |
| 2022 | Tagaday (CNIL) — €50K | Press monitoring without Article 14 notice |
Article 83(5)(b) places Article 14 violations at the top tier — up to €20M or 4% of global turnover.
9. Practical implementation
For organizations that obtain data from third parties:
- ☐ Inventory all third-party data sources in the ROPA
- ☐ Article 14 notice prepared per source
- ☐ Notice delivered within 30 days OR at first communication
- ☐ Source named specifically (not “partners”)
- ☐ Disproportionate-effort exemption assessed per batch (if invoked)
- ☐ Right to object included with one-click mechanism
- ☐ Records of notice delivery retained for 5 years
10. Tooling
Legiscope tracks third-party data sources in the ROPA and generates Article 14 notice templates per source. For B2B vendors using lead-enrichment, the platform automates the transparency-email workflow.
For related deep-dives: GDPR Article 13 information collected, GDPR Article 12 transparency, GDPR information notices, GDPR legitimate interest.
Conclusion
Article 14 is the obligation that B2B vendors most often forget. The duty doesn’t end with the upstream source’s compliance — your acquisition triggers a fresh obligation. Build the notice + delivery workflow as part of every data-acquisition process; assess the disproportionate-effort exemption per batch with documentation, not as a blanket excuse.
FAQ
When does GDPR Article 14 apply?
Whenever personal data is obtained from a source other than the data subject: data brokers, public registers, partners, lead-enrichment APIs, scraped sources, acquired company data, etc.
What’s the deadline to provide Article 14 information?
Within a reasonable period after obtaining the data, at the latest within one month, OR at the time of first communication with the data subject (if earlier), OR at the time of first disclosure to another recipient (if earlier). The deadline runs from when YOU obtained the data.
Can I invoke “disproportionate effort” to skip Article 14?
Only after a documented assessment per Article 14(5)(b) considering: number of data subjects, age of data, appropriate safeguards. The EDPB rejects blanket invocations — each batch needs assessment, with proportionate compensating measures (e.g., notice on a website where data subjects can reasonably find it).
Do I need to name the source of the data?
Yes. Article 14(2)(f) requires disclosing from which source the data originates. Generic “marketing partners” is not specific enough — name the actual source. For public sources, name the register.
Is B2B cold prospecting allowed under GDPR?
Yes, with conditions: (1) lawful basis (typically legitimate interest with LIA), (2) Article 14 notice within 30 days or in the first email, (3) source named, (4) easy right to object. Without these, the CNIL has sanctioned several B2B vendors in 2023-2025.

