At a glance
- You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.
- You must ensure that you do not do anything with the data in breach of any other laws.
- You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
- You must be clear, open and honest with people from the start about how you will use their personal data.
☐ We have identified an appropriate lawful basis (or bases) for our processing.
☐ If we are processing special category data or criminal offence data, we have identified a condition for processing this type of data.
☐ We don’t do anything generally unlawful with personal data.
☐ We have considered how the processing may affect the individuals concerned and can justify any adverse impact.
☐ We only handle people’s data in ways they would reasonably expect, or we can explain why any unexpected processing is justified.
☐ We do not deceive or mislead people when we collect their personal data.
☐ We are open and honest, and comply with the transparency obligations of the right to be informed.
- What is the lawfulness, fairness and transparency principle?
- What is lawfulness?
- What is fairness?
- What is transparency?
Article 5(1) of the GDPR says:
“1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”
There are more detailed provisions on lawfulness and having a ‘lawful basis for processing’ set out in Articles 6 to 10.
There are more detailed transparency obligations set out in Articles 13 and 14, as part of the ‘right to be informed’.
The three elements of lawfulness, fairness and transparency overlap, but you must make sure you satisfy all three. It’s not enough to show your processing is lawful if it is fundamentally unfair to or hidden from the individuals concerned.
For processing of personal data to be lawful, you need to identify specific grounds for the processing. This is called a ‘lawful basis’ for processing, and there are six options which depend on your purpose and your relationship with the individual. There are also specific additional conditions for processing some especially sensitive types of data. For more information, see the lawful basis section of this guide.
If no lawful basis applies then your processing will be unlawful and in breach of this principle.
Lawfulness also means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it will obviously be unlawful. However, processing may also be unlawful if it results in:
- a breach of a duty of confidence;
- your organisation exceeding its legal powers or exercising those powers improperly;
- an infringement of copyright;
- a breach of an enforceable contractual agreement;
- a breach of industry-specific legislation or regulations; or
- a breach of the Human Rights Act 1998.
These are just examples, and this list is not exhaustive. You may need to take your own legal advice on other relevant legal requirements.
Although processing personal data in breach of copyright or industry regulations (for example) will involve unlawful processing in breach of this principle, this does not mean that the ICO can pursue allegations which are primarily about breaches of copyright, financial regulations or other laws outside our remit and expertise as data protection regulator. In this situation there are likely to be other legal or regulatory routes of redress where the issues can be considered in a more appropriate forum.
If you have processed personal data unlawfully, the GDPR gives individuals the right to erase that data or restrict your processing of it.
Processing of personal data must always be fair as well as lawful. If any aspect of your processing is unfair you will be in breach of this principle – even if you can show that you have a lawful basis for the processing.
In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.
Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.
In order to assess whether or not you are processing personal data fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individually. If you have obtained and used the information fairly in relation to most of the people it relates to but unfairly in relation to one individual, there will still be a breach of this principle.
Personal data may sometimes be used in a way that negatively affects an individual without this necessarily being unfair. What matters is whether or not such detriment is justified.
Where personal data is collected to assess tax liability or to impose a fine for breaking the speed limit, the information is being used in a way that may cause detriment to the individuals concerned, but the proper use of personal data for these purposes will not be unfair.
You should also ensure that you treat individuals fairly when they seek to exercise their rights over their data. This ties in with your obligation to facilitate the exercise of individuals’ rights. Read our guidance on rights for more information.
Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data.
Transparency is always important, but especially in situations where individuals have a choice about whether they wish to enter into a relationship with you. If individuals know at the outset what you will use their information for, they will be able to make an informed decision about whether to enter into a relationship, or perhaps to try to renegotiate the terms of that relationship.
Transparency is important even when you have no direct relationship with the individual and collect their personal data from another source. In some cases, it can be even more important - as individuals may have no idea that you are collecting and using their personal data, and this affects their ability to assert their rights over their data. This is sometimes known as ‘invisible processing’.
You must ensure that you tell individuals about your processing in a way that is easily accessible and easy to understand. You must use clear and plain language.
For more detail on your transparency obligations and the privacy information you must provide to individuals, see our guidance on the right to be informed.