What is the GDPR Lawfulness, Fairness, and Transparency Principle?

Defined in Article 5(1)(a) of the General Data Protection Regulation (GDPR); lawfulness, fairness, and transparency is the first principle related to the processing of personal data.

Further details for provisions related to this principle are found throughout the GDPR. Details on lawfulness are discussed in Articles 6 – 10. Transparency, as described in the differences between the 1998 Act, is captured in Articles 13 & 14, as part of the data subject’s rights.

Lawfulness, Fairness, and Transparency Summary

  • An organization must demonstrate a lawful basis for obtaining personal data to process it
  • Must meet criteria for at least one (1) of six (6) conditions for processing, referred to as ‘lawful bases’
  • Collection of personal data must be conducted in a fair manner, ensuring it was not obtained under false pretense
  • Processing personal data must be done with fairness to the individual, satisfying reasonable expectations as to how the data will be used
  • An organization must be clear and honest with individuals regarding the reasons why they are collecting personal data and how they intend to process it
  • Transparency, aside from its inclusion as a principle for processing, is further extended into data subjects’ ‘right to be informed’
  • To satisfy this principle an organization must meet expectations for all three (3) criteria: lawfulness, fairness and transparency

What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?

The GDPR lawfulness, fairness and transparency principle remain fundamentally similar to the first principle of the 1998 Data Protection Act, with only minor differences regarding transparency.

Regarding lawfulness & fairness, both GDPR & the 1998 Act, the central concepts remain, with minor verbiage changes being the only main difference. The GDPR omits the idea of ‘fair processing information’ found in the 1998 Act; however, the concepts of the two remain fundamentally the same. Similarly, the GDPR introduces the term ‘lawful basis’ when referring to the ‘conditions for processing’ found in the 1998 Data Protection Act.

The most significant of the minor differences between both principles is transparency. While incorporated within both constructs, the GDPR breaks out details of transparency into the newly introduced ‘right to be informed’ provision.

Business Considerations for Organizations to Understand

What are the lawful bases for processing in the GDPR?

Adapted from the 1998 Data Protection Act’s ‘conditions for processing,’ the six (6) lawful bases for processing are as follows:

  • Consent: clear permission obtained from an individual to process their personal data for a specific purpose
  • Contract: processing is necessary to satisfy a contract with an individual or is negotiated before entering into a contract
  • Legal Obligation: is in compliance with the law, cannot include contractual obligations, supports the necessity to process the personal data
  • Vital Interests: processing is necessary to protect the vital interests of the data subject or someone else
  • Public Task: processing of personal data is necessary to satisfy tasks in the interest of the public or in the exercise of official authority
  • Legitimate Interests: processing is necessary for the organization’s legitimate interests, or the legitimate interests of a third party, unless protection of the data subject’s personal data overrides those interests, for example, the data subject is a minor

How do you determine fairness?

Unlike lawfulness and transparency, compliance for fairness is much more subjective. Consideration of how fair processing of personal data affects the interests of the data subject(s) must be taken into account by any organization processing or controlling that data. In general, an organization should only process personal data in such a way that would unquestionably support reasonable expectations of the data subject(s) without unjustified adverse effects.

However, personal data may sometimes be used in ways which negatively affect an individual yet complies with the principles of fairness. The importance here is determining whether or not such detriment, caused by processing, is justifiable. For example, if personal data collected from a data subject is processed to access outstanding fines, for say property taxes, the handling of the data, although detrimental to the individual, could still be considered fair.

How is transparency affected by personal data collected from third parties?

Transparency is essential even if an organization does not have a direct relationship with the data subject, for example, if the personal data was collected from a third party. In this type of situations, transparency can be even more critical because the data subject(s) may be unaware the organization is in possession of their personal data, limiting their ability to exercise their data subject rights properly. When obtaining personal data from a third party, organizations should familiarize themselves with Article 14 in the GDPR, which discusses data indirectly obtained from data subjects.