The first principle set out in Chapter II of the General Data Protection Regulation (Article 5(1)(a)) is that of lawfulness, fairness, and transparency. It requires that personal data be processed "lawfully, fairly and in a transparent manner in relation to the data subject". Let us break down these three terms so that their meaning is fully understood.
For the processing of personal data to be lawful, it must rest on a specific ground (or legal basis). Article 6 of the GDPR lists six legal bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Articles 7 to 10 add further conditions, covering the validity of consent, the consent of children, special categories of data, and data relating to criminal convictions and offences. Mapping each processing activity within your company to its corresponding legal basis is a key element of GDPR compliance, and you must be able to identify that basis before the processing starts, not after.
Fairness is a little more subjective. It means that the expectations of the data subject should be taken into account and that the processing does not have an unjustified negative impact on the data subject’s rights. For example, if a bank collects personal data from its customers to assess whether they should be offered more credit, this may cause harm, but it is not unjustified and is within the reasonable expectations of the data subject, so it may be a fair activity.
Finally, transparency is a key concept in the GDPR. Transparency means providing the right information – such as the identity of the controller, the purposes of the processing and its legal basis – in a clear and understandable manner, in an accessible form, and in a timely manner. Articles 13 and 14 set out exactly what must be communicated, depending on whether the data is collected from the data subject directly or obtained from elsewhere. Fairness and transparency therefore overlap: treating a data subject fairly includes giving them sufficient information at the moment their data is collected. Some companies have faced huge fines for failing to comply with this principle. We strongly recommend you read our article on WhatsApp and transparency.
Lawfulness, fairness, and transparency is a multi-dimensional principle: it concerns both the legal basis of the processing activity and the way in which the data subject must be treated and informed. Misunderstanding what this principle stands for can be detrimental to a business, as it underpins much of what the GDPR is about.
Learn more about GDPR principles and how Apex can help you on the road to compliance. Contact us today!