We are receiving personal data from another organisation where the individuals concerned have consented to it being shared with us. Am I right in thinking I then need to follow Article 14 and provide the individual with our privacy information?
I must unfortunately dissent from the view of DPOandCyber.
If you are the *receiver* of the personal data, then *you* are responsible for providing privacy information under Art. 14.
Depending on what it’s for, you may need to provide this information as soon as you use the data, or within one month of receipt.
The warranty from the *sender* of the data subjects’ consent is of more relevance in the due diligence stage than operationally.
Rule of thumb – whenever you get personal data other than as a processor, you need to provide a privacy notice. The way you do this can be quite creative and depends on the circumstances. I find many examples of professionals getting this wrong.
It is the responsibility of that ‘other organisation’ as the Data Controller to do so (for Article 14), but it is good practice and part of Article 5 to publish a privacy notice that explains what you do with data you source, how you use it and how long you retain it for.
This also helps if questions start to come in: they don’t need bespoke replies; you can simply refer individuals to the privacy notice.