Article 14

GDPR Article 14: when personal data is collected from a source other than the data subject, the controller must notify the data subject within a reasonable period — and at the latest within one month of obtaining the data.

Source: docs/SYSTEM_OVERVIEW.md § GDPR; the Bisnode case context in GDPR Legitimate Interest.

What we collect that triggers it

Named contacts (full_name, role, email, phone) extracted by Crawlee Scraper / Firecrawl from third-party websites — i.e. from a source other than the individual.

Tracking table

CREATE TABLE "Article14_Notifications" (
  id                   SERIAL PRIMARY KEY,
  org_nr               TEXT,
  email                TEXT,
  collected_at         TIMESTAMPTZ,
  notification_sent_at TIMESTAMPTZ,
  status               TEXT,
  retry_count          INTEGER DEFAULT 0
);

P0 — Trigger fires at the wrong event

Warning

src/api/export.ts fires Article 14 notifications when data is exported. The legal obligation is within one month of collection (when enrichment completes). Export and collection are not the same event. The trigger needs to move to Update_Job so it runs immediately after enrichment.

If a contact is collected and never exported (e.g. low score, never queried), no notification is sent, which is a direct GDPR breach. See Known Issues.

Required move

Move the notification queue insertion from src/api/export.ts to src/queues/workers.ts Update_Job, hooked off Enrich_Job completion.
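
An added example, not the project's own code: an audit that lists collected contacts with no sent notification, covering both a missing tracking row (never exported) and a row that is present but unsent. The Contact shape, the function names and the calendar-month reading of "one month" are assumptions; the sample data is constructed.

```typescript
// Added example: field names follow the Article14_Notifications table above;
// the Contact shape and both function names are hypothetical.
interface Contact { org_nr: string; email: string; collected_at: string; }
interface NotificationRow { org_nr: string; email: string; notification_sent_at: string | null; }
interface Gap { email: string; deadline: string; state: "overdue" | "pending"; }

// Assumption: "one month" is one calendar month after collection, clamped to
// the last day of the target month so 31 January does not roll into March.
function article14Deadline(collectedAt: string): Date {
  const c = new Date(collectedAt);
  const d = new Date(c.getTime());
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + 1);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(c.getUTCDate(), lastDay));
  return d;
}

// Every collected contact without a sent notification is a gap, whether the
// tracking row is missing entirely or exists with notification_sent_at NULL.
function findArticle14Gaps(contacts: Contact[], rows: NotificationRow[], now: Date): Gap[] {
  const sent = new Set(
    rows.filter((r) => r.notification_sent_at !== null)
        .map((r) => `${r.org_nr}|${r.email.toLowerCase()}`)
  );
  return contacts
    .filter((c) => !sent.has(`${c.org_nr}|${c.email.toLowerCase()}`))
    .map((c) => {
      const deadline = article14Deadline(c.collected_at);
      const state: "overdue" | "pending" = now.getTime() > deadline.getTime() ? "overdue" : "pending";
      return { email: c.email, deadline: deadline.toISOString(), state };
    });
}

// Constructed sample data: a@ was never exported, b@ was notified, c@ is queued but unsent.
const sampleContacts: Contact[] = [
  { org_nr: "900000001", email: "a@example.com", collected_at: "2024-01-31T10:00:00Z" },
  { org_nr: "900000002", email: "b@example.com", collected_at: "2024-03-01T09:00:00Z" },
  { org_nr: "900000003", email: "c@example.com", collected_at: "2024-03-20T09:00:00Z" },
];
const sampleRows: NotificationRow[] = [
  { org_nr: "900000002", email: "b@example.com", notification_sent_at: "2024-03-05T12:00:00Z" },
  { org_nr: "900000003", email: "c@example.com", notification_sent_at: null },
];
const sampleGaps = findArticle14Gaps(sampleContacts, sampleRows, new Date("2024-03-25T00:00:00Z"));
```

With the constructed data, the never-exported contact is reported as overdue even though no tracking row exists for it, which is the case the export-time trigger cannot see.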

See also

GDPR Legitimate Interest, Pipeline, Known Issues, RoPA Log.