Article 13 vs Article 14 of the UK GDPR: What’s the Difference and Why It Matters
Understand the key differences between Articles 13 and 14 of the UK GDPR, and why your company must tailor privacy notices depending on how personal data is collected.
Article 13 vs Article 14 of the UK GDPR: What’s the Difference and Why It Matters
Companies often overlook the difference between Article 13 and Article 14 of the UK GDPR — yet getting this wrong can lead to non-compliance and ICO scrutiny.
📌 Article 13 – Information to Be Provided When Personal Data Is Collected Directly
Article 13 applies when your company collects personal data directly from the individual. This is typically the case during:
- Job applications via your website
- Client onboarding forms
- Employee contracts or HR processes
In these cases, you must inform the individual of key details at the point of collection, including:
- Your identity and contact details
- The purposes and lawful bases for processing
- Data retention periods
- Their data subject rights
- Whether data will be transferred internationally
📌 Article 14 – Information to Be Provided When Data Is Collected Indirectly
Article 14 applies when your company obtains personal data from a third party or publicly available source, not directly from the individual. Examples include:
- Buying B2B marketing lists
- Receiving candidate CVs from recruitment agencies
- Collecting data from public databases or LinkedIn
Here, you must provide the same information required under Article 13, plus:
- The source of the data
- The categories of personal data obtained
This information must be provided within a reasonable period — typically within one month, or at the first point of communication.
❗ Why This Distinction Matters for Your Company
If you’re handling both direct and indirect data collection — as most companies do — your privacy notices must reflect this. One-size-fits-all notices may lead to:
- Gaps in your legal obligations
- ICO complaints or investigations
- Loss of trust from employees, clients, and partners
💡 Tip:
Create a matrix to map how and where your company collects personal data — and use it to tailor separate Article 13 and Article 14 privacy templates. This makes compliance smoother and future audits easier.
