Lawfulness, fairness and transparency
The processing of personal data shall be lawful, fair and transparent.
The processing of personal data must be done in compliance with the EU’s General Data Protection Regulation and other legislation applied to the processing of personal data.
The lawful processing of personal data requires an appropriate basis for processing.
This basis can be
- the consent of the data subject;
- a contract;
- a legal obligation of the controller;
- the protection of vital interests;
- a task carried out in the public interest or the exercise of public authority; or
- the legitimate interests of the controller or a third party.
The processing of personal data must also be lawful in other respects. The appropriate realisation of all principles of data protection along with any other requirements applied to the processing, such as measures for safeguarding the personal data, must always be ensured in connection with processing.
The processing of personal data must be appropriate and fair with regard to the purposes of processing.
The data subjects must be informed of the processing of personal data in an intelligible manner, and the information provided on the processing of personal data may not be misleading. The processing of personal data may not be concealed or communicated selectively for the purpose of manipulating the data subject.
Personal data may not be processed in an unpredictable or unexpected manner for the data subject. The processing would be unexpected in cases such as the following: An individual takes part in a prize draw whose organiser states that it only processes the personal data for the purposes of conducting the prize draw and contacting the winner. If the controller then also uses this personal data for other purposes, such as direct marketing, the processing would be unexpected and unpredictable from the perspective of the data subject, because this purpose was not communicated in connection with the collection of personal data.
The processing of personal data can sometimes be unexpected for the data subject due to, for example, exceptions provided for the notification obligation and purpose limitation. In such cases, the controller must be able to inform the data subject of why the processing was fair and lawful.
The purpose of data protection regulations is to maintain a balance between the controller’s need to process personal data and protection of the data subject’s privacy. The controller is required to assess the possible effects of the processing on the data subject. The processing of personal data may not cause more detriment than necessary for the purposes of processing. The controller must seek to facilitate the exercise of the rights of the data subject, and data subjects exercising their rights must be treated appropriately.
The processing of personal data must be communicated clearly and intelligibly.
The data subjects must be informed of
- what personal data related to them is being collected;
- what purposes their personal data is being processed for;
- how their personal data is being processed; and
- what rights they have.
The GDPR describes the information controllers are required to share with data subjects in more detail.
The information concerning the processing of personal data must be readily accessible and presented in clear and simple language. If the controller is processing the personal data of children, it must pay particular attention to intelligibility.
Transparency and intelligibility in the processing of personal data also build trust in the controller.