Commentary to Article 14

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Information to be provided when personal data are collected from someone other than the data subject.

  • If the personal data was not obtained from the data subject, the controller is also obliged to provide the data subject with information about the processing of his/her personal data.
  • The catalogue of information to be provided differs (but not by much) from that in Article 13 of the GDPR.
  • The GDPR sets out precisely the deadline within which the information should be provided. This varies depending on the circumstances but is generally a maximum of 1 month from the acquisition of the data.
  • The GDPR provides for several exemptions to the above obligation.

When does Article 14 of the GDPR apply?

Article 14 of the GDPR applies when the controller obtains personal data not directly from the data subject but, for example, from a third party or from publicly available sources.

What information must be provided in accordance with Article 14 of the GDPR?

If the controller obtains personal data not directly from the data subject, the following information must be provided to the data subject in addition to the information referred to in Article 13 of the GDPR:

  • Categories of personal data that the controller has obtained,
  • The source of the personal data and, where applicable, whether this source is publicly available - in accordance with the Guidelines, the specific source of the data should be provided unless this is not possible - (...). If the name of the specific source is not mentioned, the information provided should include: the nature of the source (i.e. public/private) and the type of organisation/industry/sector.

It should be remembered that certain provisions (other than those contained in the GDPR) may contain derogations from the necessity or scope of implementing the obligations under Article 14 of the GDPR. This is so, for example, in the case of the Act on the Protection of Whistleblowers, which provides that the provision of Article 14(2)(f) of the GDPR (concerning information about the source of data) does not apply unless the whistleblower does not meet the conditions indicated in Article 6 of the Act on the Protection of Whistleblowers or has expressly consented to the disclosure of his/her identity.

In the case of indirect acquisition of data, it is also not necessary to provide information on whether the provision of personal data is a statutory or contractual requirement or a condition for entering into a contract, whether the data subject is required to provide the data, and what the possible consequences of failing to do so are. The absence of this requirement is self-evident, since the data subject does not provide the data directly.

Practical guidance on complying with the information obligation can be found in the Article 29 Working Party Guidelines on Transparency under Regulation 2016/679 (the "Guidelines").

By what date must the controller comply with the information obligation under Article 14 of the GDPR?

In accordance with Article 14 of the GDPR, the controller shall provide the data subject with information:

  1. Within a reasonable period after the personal data have been obtained - at the latest within one month - having regard to the specific circumstances of the processing of the personal data;
  2. If the personal data is to be used for communication with the data subject, at the latest on the first such communication with the data subject (with the understanding that if the first communication with the data subject occurs more than one month after the personal data is obtained, then the time limit in point 1 above applies); or
  3. If it is planned to disclose the personal data to another recipient - at the latest when the personal data are first disclosed (with the understanding that if the personal data are disclosed later than one month after they are obtained, then the time limit in point 1 above applies).

Therefore, regardless of the circumstances, the maximum time limit for providing information to the data subject is one month from the acquisition of his/her data.

How to comply with the information obligation? Practical tips on transparency

The principle of transparency is central to the implementation of the information obligation - the comments made in this regard in the commentary to Article 13 of the GDPR (as well as the comments on accountability and the language in which the information obligation should be implemented) will apply here accordingly.

In the case of data sourcing through third parties, controllers sometimes seek to "pass on" the performance of the information obligation to these third parties through contractual arrangements in this regard. However, it is worth remembering that it is the controller that is responsible for the performance of the information obligation and any irregularities in its performance by the third party will, in principle, constitute a breach of the GDPR by the controller. Therefore, when deciding on this type of solution, it is worthwhile to adequately protect oneself, for example by specifying what content of the information clause is to be provided, how it is to be provided and by what deadline. Also to be considered in such a situation is a possible contractual regulation of the third party's liability if it fails to fulfil or improperly fulfils its responsibility to support the implementation of the information obligation.

When is it not necessary to provide the information under Article 14 of the GDPR?

In addition to the case that Article 13 of the GDPR also covers (the data subject already has this information about the processing of personal data), Article 14 of the GDPR provides for several additional situations, indicated below, in which the controller is not obliged to comply with the information obligation:

1. The controller is not obliged to make the information referred to in Article 14 of the GDPR available to data subjects if the provision of such information proves impossible or would involve a disproportionate effort; in particular in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) of the GDPR, or insofar as the obligation referred to in Article 14(1) of the GDPR is likely to render impossible or seriously impede the purposes of such processing. In such cases, the controller shall respond appropriately to protect the rights and freedoms and legitimate interests of the data subject, including making the information publicly available.

As the Guidelines indicate, the above exemption covers three distinct situations:

  • If it proves impossible to impart the information referred to in Article 14 of the GDPR to data subjects (for archival purposes, for the purposes of scientific/historical research or for statistical purposes).

    According to the Guidelines, the situation where the provision of information "proves impossible" is an all-or-nothing situation. Providing the information is either impossible or it is not; there are no degrees of "impossibility". If the controller intends to invoke this derogation, he/she must indicate the factors that prevent him/her from providing the relevant information to data subjects. If, after a certain period, the factors which caused the "impossibility" are no longer present and the controller is able to provide the information to data subjects, he/she should do so without delay. In practice, there are very few situations in which a data controller can demonstrate an actual impossibility of providing information to data subjects.
     
  • If making the information referred to in Article 14 of the GDPR available to data subjects (in particular for archiving purposes, for scientific/historical research or for statistical purposes) would require a disproportionate effort.

    In practice, it is very difficult to determine whether, in the given circumstances, compliance with the information obligation would require a disproportionate effort. Recital 62 of the GDPR may be helpful here: it states that the assessment of this issue should be made considering the number of data subjects, the duration of data storage and any appropriate safeguards adopted.

    The Guidelines additionally indicate that this exception should not be routinely applied by data controllers who do not process personal data for archival purposes in the public interest, for the purposes of scientific or historical research or for statistical purposes.

    A similar standpoint with regard to limiting the possibility of applying the discussed exemption to situations other than processing for archival purposes in the public interest, for the purposes of scientific or historical research or for statistical purposes was presented by the Supreme Administrative Court in the judgement of 19 September 2023, case III OSK 2538/21 (available in Lex no. 3634532), in which it was stated as follows:

    'The possibility of waiving the information obligation by applying the exception under Article 14(5)(b) of the GDPR does not therefore cover data processing activities that do not pursue a public interest, thus serving the realisation or protection of other values relevant to the public interest, for example public health. It is only when this aspect of the processing of personal data is present that the controller can invoke the indicated exemption from the information obligation by demonstrating at the same time that its implementation would involve a disproportionate effort (...) Therefore, the said exception does not cover the processing of personal data in the course of business activities carried out by the plaintiff in cassation, the purpose of which is to achieve commercial objectives.'

    In addition, the Guidelines state that a disproportionate effort must be directly attributable to the fact that the personal data were collected otherwise than from the data subject, and that, if a controller intends to invoke the exception in Article 14(5)(b) on the ground that the provision of the information would involve a disproportionate effort, he/she should carry out a balancing test to compare the effort made by the controller to provide the information to the data subject with the consequences and effects for the data subject if the information is not provided.
     
  • Where the provision of the information required under Article 14(1) of the GDPR would be likely to render impossible or seriously impede the realisation of the purposes of such processing.

    According to the Guidelines, in order to invoke this exception, data controllers must demonstrate that the mere provision of the information set out in Article 14(1) would frustrate the purposes of the processing. The Guidelines also emphasise that invoking this exception presupposes that the processing complies with all the principles set out in Article 5 of the GDPR and, most importantly, that in all circumstances the processing of personal data is fair and has a legal basis.

Importantly, if the controller makes use of any of the three abovementioned exemptions to the information obligation, the controller is obliged to take appropriate measures to protect the rights and freedoms and legitimate interests of data subjects, which includes making the information referred to in Article 14 of the GDPR publicly available. A controller that invokes the exemptions discussed above should therefore always make that information publicly available.

As regards the manner of disclosure, the GDPR does not provide for specific requirements in this regard. However, the Guidelines indicate that the controller may disclose the information to the public in a number of ways, for example by posting it on his/her website or by actively advertising it in the newspaper or on posters at his/her premises.

In addition to disclosing the information to the public, the controller should consider implementing additional appropriate measures to protect the rights and freedoms and legitimate interests of the data subject. As the Guidelines indicate, these measures will depend on the circumstances of the processing and may include carrying out a data protection impact assessment, applying data pseudonymisation techniques, minimising the amount of data collected and the period of storage, and implementing technical and organisational measures to ensure a high level of security.

2. The controller is not obliged to disclose to data subjects the information referred to in Article 14 of the GDPR if the acquisition or disclosure is expressly governed by EU law or the law of the Member State to which the controller is subject, which provides for appropriate measures to protect the data subject's legitimate interests.

Example: Article 8 of the Act on the Workplace Social Benefits Fund sets out, inter alia, the rules for obtaining personal data of members of the family of an employee entitled to benefit from the fund. According to the Chairman of the Personal Data Protection Office, it is therefore possible to consider using the above exemption in relation to persons whose personal data are obtained pursuant to this legislation.

3. The controller is not obliged to disclose to data subjects the information referred to in Article 14 of the GDPR if the personal data must remain confidential in accordance with the obligation of professional secrecy under EU or Member State law, including the statutory obligation of secrecy.

According to the Guidelines, where a data controller intends to invoke this derogation, he/she must be able to demonstrate that he/she has properly identified it and show how the professional obligation of secrecy directly relates to the data controller so that he/she is not permitted to provide the data subject with all the information set out in Articles 14(1), 14(2) and 14(4).

Waiver of the information obligation and the principle of accountability

For accountability reasons, it is recommended that controllers who waive the information obligation prepare and document an analysis confirming their assessment as to which exemptions from the information obligation apply in a given case (and why).