Lawfulness, Fairness and Transparency The GDPR Principles

Lawfulness, Fairness and Transparency: GDPR Principles

Update: July 2026

Lawfulness, fairness, and transparency are the cornerstone of data protection law under Article 5(1)(a) of both the UK GDPR and the EU GDPR. This principle requires organisations to process personal data lawfully, fairly, and in a clear and open way towards data subjects. Every processing activity must meet all three parts at once: a lawful basis on its own is not enough without fairness and transparency. You can read the regulator’s view on the ICO’s lawfulness, fairness and transparency guidance.

This principle shapes how you collect, store, use, and share personal data, and it sets the base for all the other data protection principles and data subject rights.

Key Takeaways:

How to identify appropriate lawful bases and document processing decisions
Methods for ensuring fair processing that meets data subjects’ reasonable expectations
Requirements for creating transparent privacy notices using clear and plain language
Step-by-step compliance procedures for new and existing data processing activities

What does lawfulness, fairness, and transparency mean under GDPR?

Article 5(1)(a) of the GDPR says personal data must be processed lawfully, fairly, and in a clear and open way towards the data subject. You can’t meet your duties by satisfying only one or two parts. All three must be shown for any processing to comply with data protection law.

This principle is the base for the other GDPR rules, setting the accountability standards that let data subjects understand and use their rights. Without lawfulness, fairness, and transparency, the other principles and rights lose their meaning.

What is the lawfulness requirement?

Lawfulness means you must identify and rely on a specific legal basis under Articles 6 to 10 of the GDPR before processing starts. The six lawful bases for ordinary personal data are: consent, contract necessity, legal obligation, vital interests, public task, and legitimate interests.

Processing special category data under Article 9 needs both a lawful basis under Article 6 and an extra condition under Article 9, such as explicit consent for health data or substantial public interest grounds. Criminal conviction data under Article 10 needs official authority or a specific legal provision beyond the standard bases.

Lawfulness also covers other laws that may restrict processing. For example, you must follow sector-specific rules, employment law, and confidentiality duties that can add limits on how you process personal data.

What is the fairness requirement?

Fairness means processing personal data in ways that meet people’s reasonable expectations and don’t cause unjustified harm. This goes beyond having a lawful basis: even lawful processing can be unfair if it deceives people, creates discriminatory outcomes, or causes undue harm.

Fairness ties directly to weighing your legitimate interests against people’s rights and freedoms. When you rely on legitimate interests as your basis, you must show your processing needs don’t override the fundamental rights and freedoms of the people whose data you collect.

Fairness connects to other principles, including purpose limitation and data minimisation. Processing more data than you need, or using data in ways that clash with the original purpose, usually fails the fairness test even with a valid lawful basis.

What is the transparency requirement?

Transparency means being open, honest, and clear about your processing from the point of collection onwards. It links directly to the Article 13 and Article 14 information rules, which require specific disclosures when you collect personal data, whether directly from people or from other sources.

Privacy information must use clear, plain language that your audience can easily understand. Technical jargon, legal terms, and vague explanations fail the transparency standard and stop people making informed choices about their data.

Transparency lets people use their rights by understanding what data is collected, why, who can see it, and how long it’s kept. Without clear information, people can’t meaningfully consent or challenge decisions that affect them.

How do you implement lawfulness, fairness, and transparency in practice?

You need concrete steps to build these three parts into your processing. That means setting up clear procedures for identifying lawful bases, checking fairness, and giving clear information to people before processing starts.

Documentation is important for showing you meet the accountability principle. Keep records that show how you chose a lawful basis, weighed fairness, and met the transparency rules for each activity.

How do you establish lawful processing?

Before you process any personal data, choose and record a suitable lawful basis from Article 6(1). This needs careful thought about the purpose, your relationship with the people involved, and your needs. Each basis has its own requirements and effects on data subject rights.

Record your lawful basis in your Records of Processing Activities (RoPA), as required by Article 30. Include the exact sub-paragraph you rely on (for example, Article 6(1)(f) for legitimate interests), the reason for your choice, and any assessments you ran. This shows accountability and supports regulatory transparency.

When processing has more than one purpose or changes over time, check whether your original basis still fits or whether you need another. Switching lawful basis mid-processing is generally not allowed, so a careful start prevents problems later.

For special category data and criminal conviction data, identify both the Article 6 basis and the specific Article 9 or Article 10 condition. Record any extra safeguards, such as stronger security or access limits, that protect this sensitive data.

How do you ensure fair processing?

Check whether your processing meets people’s reasonable expectations by looking at how you collect data, what you do with it, and how that matches what people would expect. Processing that surprises or disadvantages people is likely to fail the fairness test.

When you rely on legitimate interests under Article 6(1)(f), run a full legitimate interests assessment (LIA) covering the purpose, necessity, and balancing tests. Record your analysis of whether the processing serves a legitimate purpose, whether less intrusive options exist, and whether people’s interests override your needs.

Avoid deceptive or misleading collection that tricks people into giving data or consenting to something they don’t understand. Make sure your collection methods, privacy notices, and consent tools accurately reflect what you actually do.

Consider possible harms to people, including discrimination risks, the effects of automated decisions, and impacts on vulnerable groups. Put safeguards and monitoring in place to spot and fix unfair outcomes.

How do you meet transparency obligations?

Write detailed privacy notices that follow Articles 13 and 14. Include all the required elements: controller identity, purposes, lawful basis, legitimate interests (where relevant), recipients, retention periods, and data subject rights.

Use a layered approach for complex processing: give the key information upfront, with more detail available through links or expandable sections. This meets the rules without flooding people with detail at first contact.

Give the information at the point of collection when you collect directly, or within one month for indirect collection, unless an exemption applies. Timing rules are strict: late information can undermine the whole processing activity and expose you to regulatory action.

Keep privacy information easy to find through clear placement on your site, regular updates when processing changes, and accessible formats for people with disabilities. Transparency is an ongoing duty that needs active upkeep and regular review.

What is the step-by-step compliance framework?

A structured approach keeps your lawfulness, fairness, and transparency work consistent across all activities and supports your accountability duties. This framework fits with your existing data protection governance and risk management.

Regular monitoring and review help you spot gaps, adapt to new processing needs, and show you keep meeting Article 5(1)(a).

1. Identify Processing Purpose: Document the specific, explicit and legitimate purposes for processing personal data, ensuring alignment with organisational objectives and legal requirements.

2. Select Lawful Basis: Evaluate all six Article 6(1) options against your processing purpose and data subject relationship, selecting the most appropriate basis and documenting your rationale.

3. Assess Fairness: Evaluate whether processing meets data subjects’ reasonable expectations, consider potential adverse impacts, and implement necessary safeguards to protect individual rights.

4. Design Transparency Measures: Create privacy notices that comply with Articles 13 or 14 requirements, using clear, plain language accessible to your intended audience.

5. Document Decisions: Record all assessments, decisions, and supporting rationale in your Records of Processing Activities and compliance documentation systems.

6. Implement Monitoring: Establish ongoing review procedures to ensure ongoing compliance and to identify any changes that require reassessment of the lawful basis or fairness considerations.

How do direct and indirect collection transparency requirements compare?

ElementArticle 13 (Direct Collection)Article 14 (Indirect Collection)
TimingAt the point of data collectionWithin one month of obtaining data
Mandatory InformationIdentity, purposes, lawful basis, recipients, retentionSame as direct plus source of data
Additional RequirementsRights information, legitimate interests detailsCategories of data, whether from public sources
ExemptionsLimited – mainly impossible/disproportionate effortBroader – includes existing knowledge, legal obligations

Direct collection under Article 13 needs information straight away when you get data from people. Indirect collection under Article 14 gives you one month to notify but needs extra detail about where the data came from. Choose your approach based on how you get the data, and note that mixed methods may mean both articles apply at once.

What are common challenges and solutions?

Organisations often hit practical obstacles that can harm compliance despite good intentions. Knowing the common pitfalls and their fixes helps you avoid regulatory issues and keep people’s trust.

1. How do you balance legitimate interests with data subject rights?

Run a full three-part legitimate interests assessment covering the purpose, necessity, and balancing tests, with documented evidence for each conclusion.

The purpose test asks you to show the processing meets genuine needs or benefits. The necessity test asks for evidence that less intrusive options can’t reach the same goal. The balancing test weighs your interests against the impact on people, taking account of their reasonable expectations and fundamental rights.

2. How do you give transparent information without overwhelming users?

Use layered privacy notices with just-in-time information and progressive disclosure suited to your interfaces and context.

Use summary boxes showing key information, such as purposes and rights, with fuller detail behind clearly labelled links. For mobile and IoT devices, give the essentials at once, with fuller detail available through other channels like QR codes or voice commands.

3. How do you show ongoing fairness for automated decisions?

Set up regular algorithm audits and human oversight that meet Article 22 for automated decisions with legal or significant effects.

Run bias testing, outcome monitoring, and reviews that catch discriminatory or unfair results. Give clear information about the logic, importance, and consequences of automated decisions, as the transparency rules require, so people can understand and challenge them.

Conclúid

Lawfulness, fairness, and transparency are the bedrock of GDPR compliance and the base for building trust with data subjects. These three linked parts work as one principle that governs every stage of processing, from first collection to final deletion or archiving.

Compliance is an ongoing commitment, not a one-off task. As your processing changes and new technology arrives, you must keep reviewing your lawfulness, fairness, and transparency measures to protect data well and show accountability.

Ana Mishova

About the Author

Ana Mishova

Sales and Business Development Consultant — GDPRLocal

Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.

Frequently Asked Questions

What does the principle of lawfulness, fairness and transparency mean under GDPR?

The principle requires you to process personal data in a legal, fair, clear, and open way towards the data subject. That means having a valid lawful basis, making sure the processing matches people’s reasonable expectations without causing unjustified harm, and giving clear, accessible information about how you collect, use, and share personal data.

How can organisations demonstrate compliance with the lawfulness, fairness and transparency principle?

You show compliance by recording the lawful basis for each activity, checking fairness by weighing the impact on people, and giving clear privacy information in plain language. Keeping detailed records of these decisions supports accountability and helps you meet the rules.

What are the transparency requirements under GDPR Articles 13 and 14?

Articles 13 and 14 require you to give people full privacy information at the point of collection (direct) or within one month if you get the data indirectly. This includes the controller, the purposes, the lawful bases, the recipients, retention periods, and data subject rights, all in a clear, accessible way.