Lawfulness, fairness and transparency
The first principle bundles three ideas. Lawfulness means there must be a lawful basis for the processing (one of the six in the table below) and the processing must also comply with every other applicable law (employment, tax, health, etc.). Fairness asks whether data subjects are aware that their data are processed and whether any detriment the processing causes them is justified. Transparency means being open and clear with data subjects about what is done with their data.

Article 5(1)(a) puts it as: 'Personal data shall be processed lawfully, fairly and in a transparent manner'. Note that a lawful basis on its own is not enough; processing that has a basis under Article 6 but breaches, say, employment law still fails the lawfulness test.

The six lawful bases (Article 6(1)):

| Lawful basis | Plain meaning |
|---|---|
| Consent | Data subject agreed to processing for specific purpose(s) |
| Contract performance | Necessary to perform a contract with the data subject, or pre-contract steps at their request |
| Legal obligation | Necessary to comply with a law the controller is subject to |
| Vital interests | Necessary to protect someone's life (the data subject's or another person's) |
| Public interest / official authority | Necessary for a public-interest task or official authority |
| Legitimate interests | Necessary for the controller's/third party's interests, unless overridden by the data subject's rights - NOT available to public authorities acting in performance of their tasks |

Fairness worked through on three scenarios:

| Scenario | Fair? | Why |
|---|---|---|
| Tax authority gets pay details from employer under a legal duty | Fair | Permitted by law; deemed fair regardless of the employee's awareness |
| Travel site raises a holiday's price after detecting repeat visits | Unfair | Detriment to the user that is not justified |
| Police collect data from a speeding driver, leading to a fine | Fair | Detriment is justified by public-safety rules |
The GDPR abolished the Directive's general obligation to notify DPAs of processing operations. Recital 89 says such indiscriminate notifications created administrative and financial burdens without always improving the protection of personal data. The duty now runs towards the data subject (information and transparency obligations), not towards the authority; the practitioner's check is therefore "have we told the people concerned?", not "have we registered?".
- Information must be clear, concise, easy to understand and accessible.
- When data come directly from the data subject, the information must be provided at the time of collection (Article 13). When data are obtained from another source, it must be provided within a reasonable period and at the latest within one month, or at the first communication with the data subject, or before any disclosure to another recipient (Article 14).
- Exemptions from the duty to inform: the data subject already has the information; informing would be impossible or involve a disproportionate effort; obtaining or disclosing the data is expressly required by law that provides appropriate measures to protect the data subject's legitimate interests; the data must remain confidential under a legal obligation of professional secrecy. Only the first of these applies when the data were collected from the data subject directly (Article 13(4)); the others are available only for data obtained elsewhere (Article 14(5)).
- For children, language must be simple and plain; the GDPR promotes standardised icons/symbols.