Published 21 May 2026

Article 14 notices: telling people you bought their data

Last updated: 21 May 2026

UK GDPR Article 14 requires you to inform individuals when you obtain their personal data from a source other than directly from them, normally within one month of acquiring the data. The notice must explain the source of the data, the lawful basis, the purposes of processing, the retention period, and the individual's rights including the right to object. For B2B prospecting using purchased data, the first marketing communication itself can often satisfy the notice obligation if it contains all the required information.

Article 13 vs Article 14: which one applies to your data purchase?

The distinction matters because the two articles carry different obligations and a different trigger. Article 13 of the UK General Data Protection Regulation (UK GDPR) applies when you collect personal data directly from the individual: a contact form, a telephone enquiry, an event badge scan. In that scenario, you provide privacy information at the point of collection, typically through a privacy notice on the form or a verbal statement at sign-up.

Article 14 kicks in whenever you obtain personal data from any source other than the person themselves. Bought data files, compiled B2B prospect lists, consumer lifestyle databases, data shared by a group company, or records lifted from a public register all trigger Article 14. The individual never gave you their details directly, so they have no expectation that you hold them. Article 14 is the mechanism that corrects that information gap.

In short: if you purchased a file of 5,000 UK business contacts to run an outbound email campaign, Article 14 applies to every record on that list.

What must the Article 14 notice actually say?

The Information Commissioner's Office (ICO) sets out the required elements in its guidance, which mirrors Article 14(1) and 14(2) of the UK GDPR. Everything below is mandatory unless a specific exemption applies.

| Required element | What to include | Article 14 sub-clause |
| --- | --- | --- |
| Identity and contact details of the controller | Your company name, registered address, and a contact route (email or web form) | Art. 14(1)(a) |
| Data Protection Officer contact (if applicable) | DPO name or dedicated email address; omit if you are not required to appoint one | Art. 14(1)(b) |
| Purposes of processing | Specific and concrete: "to send you information about our logistics software by email" rather than vague phrases like "marketing purposes" | Art. 14(1)(c) |
| Lawful basis | Name the Article 6(1) basis being relied on (e.g. legitimate interests under Article 6(1)(f)); if special-category data is involved, also cite the Article 9 basis | Art. 14(1)(c) |
| Categories of personal data | What data you actually hold: name, job title, corporate email, direct telephone number | Art. 14(1)(d) |
| Source of the data | Where the data came from; for bought files this means identifying the data supplier or the type of source (e.g. "compiled from publicly available corporate information") | Art. 14(2)(f) |
| Recipients or categories of recipients | Anyone you share the data with, such as your CRM platform, email service provider, or any sub-processors | Art. 14(1)(e) |
| Retention period or criteria | Either a specific period ("12 months from first contact") or the criteria used to determine it | Art. 14(2)(a) |
| Rights of the individual | Right of access, rectification, erasure, restriction, portability (where applicable), and the right to object; for legitimate-interests processing the right to object must be clearly flagged | Art. 14(2)(b)-(d) |
| Right to complain to the ICO | A statement that the individual can lodge a complaint with the ICO at ico.org.uk | Art. 14(2)(e) |
| Automated decision-making (if applicable) | If you use the data for profiling or fully automated decisions, meaningful information about the logic involved | Art. 14(2)(g) |

You do not need to reproduce all of this in the body of an email. A concise paragraph covering the key points, plus a link to your full online privacy notice where individuals can read the detail, is what most organisations use in practice.

What is the deadline, and when does the clock start?

Article 14(3) sets out three possible timings, and the earliest one that applies governs your deadline.

The default rule is one month from the date you obtained the personal data. Buy a list on 1 June, and notices must be provided by 1 July at the latest.

The first exception: if you intend to use the data to communicate with the individual, the notice must be provided at the latest at the point of first contact. Send a cold email on 10 June and the notice must be in that email (or in a dedicated notice sent no later than that email).

The second exception: if you plan to disclose the data to a third party, the notice must be provided before that disclosure occurs. This scenario is less common for typical list-buying use cases, but it matters for data brokers and data co-ops.

For most outbound marketing use cases, the practical answer is: send the Article 14 information in your first communication, no later.

How to fold the Article 14 notice into a first marketing email

The ICO's guidance explicitly acknowledges that, for B2B direct marketing, it is "often practical and proportionate" to include the transparency information within the first marketing communication rather than sending a separate notification beforehand. That is good news for any organisation running cold outreach to a purchased prospect file.

A compliant first email does not need to be heavy or legalistic. A short paragraph at the foot of the email, or a prominent linked notice, typically suffices. Here is the structure that works.

In the body of the email (2 to 3 sentences): Identify who you are, explain that you sourced the recipient's contact details from a third-party data supplier (naming the source or its category), state your lawful basis, confirm the purpose of your contact, and provide a clear mechanism to opt out. Something like: "We obtained your details from [data source], a B2B data provider sourcing contact records from publicly available corporate information. We are processing your data under legitimate interests to contact you about [specific product/service]. If you would prefer not to hear from us, reply to this email or click [unsubscribe link]."

Linked privacy notice: "For full details of how we handle your data, your rights (including your right to access, erasure, and to lodge a complaint with the ICO), and our data retention periods, please see our privacy notice at [URL]."

That combination satisfies the substance of Article 14 while keeping the email readable. The right to object to processing on legitimate-interests grounds must be signalled prominently, not buried in small print.

For organisations running B2B campaigns using data compiled under legitimate interests from public sources, as our B2B file is, this first-email approach is the standard recommended practice. The legitimate interests assessment template on this site includes a section on transparency obligations that you can use when documenting your approach.

The disproportionate-effort exemption: what it does and does not allow

Article 14(5)(b) provides an exemption where providing the information to the individual would "prove impossible or involve a disproportionate effort." This is the clause some marketers reach for when they want to skip individual notification. It does not work that way.

The exemption does not permit you to say nothing. Where it applies, you must instead take "appropriate measures to protect the data subject's rights, freedoms, and legitimate interests" including making the information publicly available. In practice that means publishing the Article 14 information prominently on your website and documenting why individual notification was disproportionate.

When does disproportionate effort genuinely apply?

The bar is high. The ICO expects you to consider the cost of notification, the number of data subjects, the age of the data, and any technical safeguards in place. Factors that could legitimately justify the exemption include:

Buying a B2B email list of 5,000 contacts and deciding notification is disproportionate because you do not want to spend time on it is not a valid application of the exemption. The ICO will not accept that.

What about B2C consumer data?

For B2C consumer data, the exemption is even harder to claim. A fully opted-in consumer file will include, by definition, a contact channel for every record: postal address, telephone number, email address, or a combination. You already have the means to notify. Claiming disproportionate effort when you hold a valid email address for 500,000 consumers is a weak position to defend.

The correct approach for B2C campaigns is to include a clear privacy statement in the first direct mail piece, the first email, or the introductory script for an outbound call. Consumer data bought through legitimate, consent-based channels will often already carry transparency obligations from the data supplier, but those obligations do not substitute for yours as the data controller using the file.

Understanding the wider Privacy and Electronic Communications Regulations (PECR) rules for marketers is essential context here, particularly for electronic communications where both UK GDPR and PECR apply simultaneously.

ICO enforcement: what has actually happened

Transparency failures are one of the ICO's recurring enforcement themes. While the largest fines tend to involve data breaches, the ICO has pursued organisations specifically for inadequate transparency about third-party data sourcing.

In 2019 the ICO fined Experian Limited £9.4 million (later reduced on appeal to £1.35 million) partly because its data bureau business was supplying personal data for direct marketing purposes without individuals knowing their data was being used this way. The ICO found that Experian had not provided adequate fair processing information. The case predates UK GDPR but illustrates the regulator's view that opacity about data sourcing is a serious concern, not a technical box-ticking exercise.

The ICO has also used enforcement notices against organisations that relied on vague or generic privacy notices that failed to identify specific sources and purposes. A notice that says "we may obtain data from third parties for marketing purposes" without specifying what type of third party, or what categories of data, does not meet the Article 14 standard.

Practical warning

If you receive a Subject Access Request (SAR) from someone on a purchased list, you must be able to tell them the source of their data. If your privacy notice or Article 14 communication did not name (or describe the category of) the data supplier, you face a harder conversation. Document the source of every data file at the point of purchase and retain that record for the duration of your processing activity plus any applicable retention buffer.

B2B vs B2C: how Article 14 obligations differ in practice

The legal obligation is identical for both channels, but the practical application differs enough to be worth stating clearly.

| Factor | B2B (corporate contacts) | B2C (consumer contacts) |
| --- | --- | --- |
| Typical lawful basis for processing | Legitimate interests under Article 6(1)(f), supported by a Legitimate Interests Assessment (LIA) | Consent under Article 6(1)(a) and PECR consent for electronic channels |
| Disproportionate-effort exemption | Rarely justified where you hold a working email address; first-email notice is the standard approach | Extremely difficult to justify; individual notification is almost always feasible |
| Source of data | Often publicly available corporate sources (Companies House, corporate websites, industry directories) | Consented surveys, prize-draw entries, lifestyle questionnaires |
| Right to object prominence | Must be clearly flagged given legitimate-interests basis; the individual can object at any time | Withdrawal of consent must be as easy as giving it; unsubscribe mechanism must be immediate |
| Preferred delivery method for notice | First outreach email (with link to full privacy notice) | Postal: printed notice on outer or inner; email: visible notice in first message; telephone: verbal statement at call opening |
| Record-keeping requirement | Document source file, LIA, and first-contact date for each campaign | Document consent record, source file, and delivery confirmation for each channel |

In our experience, the organisations that handle Article 14 most cleanly are those that treat it as a design constraint rather than an afterthought. Build the notice into the email template before you brief copywriters, not after legal reviews the draft.

Frequently asked questions

What is the difference between Article 13 and Article 14 of UK GDPR?

Article 13 applies when you collect personal data directly from the individual (for example, a sign-up form). Article 14 applies when you obtain personal data from a source other than the individual themselves, such as a purchased data file, a public register, or a referral. The required notice content is similar, but Article 14 adds a requirement to state the source of the data.

How long do I have to send an Article 14 notice after buying data?

The UK GDPR requires you to provide the Article 14 information within one month of obtaining the data. If you use the data to communicate with the individual before that month is up, you must provide the notice at the latest at the point of first contact.

Can I satisfy Article 14 inside a marketing email?

Yes. For B2B email prospecting, the first outreach email can double as the Article 14 notice provided it contains all required elements: the data source, the lawful basis, the purpose of processing, the retention period, the right to object, and a link to your full privacy notice. The ICO has confirmed this approach is acceptable in principle.

Does the disproportionate-effort exemption let me skip Article 14 entirely?

No. The disproportionate-effort exemption under Article 14(5)(b) allows you to publish the information publicly (for example, on your website) rather than notify each person individually. It does not permit you to skip the notice entirely. You must still record why individual notification would be disproportionate and make the information publicly accessible.

What happens if I do not send an Article 14 notice?

Failing to provide Article 14 information is a breach of UK GDPR. The ICO can issue a reprimand, an enforcement notice, or a fine of up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious infringements. In practice the ICO has pursued organisations that failed to be transparent about third-party data sourcing.

Do Article 14 obligations apply to B2C consumer data as well as B2B?

Yes, Article 14 applies to both B2B and B2C data bought from third parties. For B2C consumer data, the obligation is more demanding because individual notification is rarely disproportionate (you have their postal address or email), so the exemption is harder to claim. Each postal mailer or outbound call should be accompanied by a clear privacy notice explaining the data source.