The Principle of Lawfulness, Fairness and Transparency
Article 5(1)(a) of the GDPR
Summary of the GDPR Principle
The principle of lawfulness, fairness and transparency is one of seven fundamental data protection principles of the GDPR. A company must comply with all seven basic data protection principles under the GDPR. This principle is divided into three parts, even though it is a single principle under the GDPR. Article 5(1)(a) of the GDPR regulates the principle of lawfulness, fairness and transparency. Below you can read more about this principle and the three sub-principles it consists of.
The Principle of Lawfulness
Lawfulness means that the company complies with the laws and regulations that apply to the processing. In other words, the company complies with GDPR and other relevant laws and regulations. For example, the company must have a legal basis to process personal data, such as agreements with data subjects or consent.
First dispute resolution decision of the European Data Protection Board on the lawfulness of personal data processing
The Irish Data Protection Authority, together with several other EU Data Protection Authorities, investigated whether a company, which operates several of the largest social media platforms, had a lawful basis when processing the personal data of children. The Data Protection Authorities disagreed with the decision and therefore asked for a dispute resolution decision from the European Data Protection Board (EDPB). The EDPB concluded that the company did not have an appropriate legal basis for the processing and that the processing was therefore not lawful. The fine was EUR 405 million.
The Principle of Fairness
This part of the principle means that the processing of personal data, in relation to the data subjects, shall be proportionate, reasonable and fair. Proportionality means that the processing must be proportionate to the benefits it actually brings. Therefore, the company must balance its interests against the interests of the data subject. The company shall conduct this balancing before the processing of the personal data is carried out.
In addition, the processing of personal data must be reasonable in relation to the purpose. In other words, the data subjects should expect the processing in question. As a practical example, if an e-commerce company processes personal data, such as contact details and address, in order to fulfill the agreement, the company may not process more personal data than necessary for that purpose. However, it may process some of the personal data that is not necessary for the performance of the contract on another legal basis, such as consent.
The company must inform the data subjects about how and why the company will process the personal data. This is very important. Articles 13 and 14 of the GDPR specify what information should be provided to the data subjects. In order for processing to comply with the principle of fairness, it must not be carried out in secret or in other manipulative or hidden ways.
The Principle of Transparency
The company must inform the data subjects about the processing in a clear way. This includes, among other things, information about what personal data the company processes, the purpose of the processing, when it will delete the personal data and the rights of data subjects.
Please observe that stricter requirements apply if the data subjects are children
A company may process personal data that belongs to children. However, stricter rules then apply. For example, the language used to inform about the processing shall be adapted and formulated in a simple way. The children must be able to understand it. In addition, the company must draft and provide the information in the national language. In other words, the company must inform the data subjects in Danish, if they are Danish citizens. One company had to pay a penalty in Holland because the information was in English instead of Dutch when many users were children.
Other data protection principles
Purpose Limitation is Another Basic Data Protection Principle
There are several data protection principles to follow when processing personal data. According to another principle, a company may not process more personal data than what is necessary for the purpose of the processing. In addition, the purpose must be clearly and explicitly stated. The company shall, among other things, inform the data subjects about the processing. When doing so, it shall also provide information about the purpose. This follows from the data protection principle of purpose limitation.