GDPR Principle 1: Lawfulness, Fairness, Transparency

What is the first of the seven data processing principles outlined in GDPR?

The first principle is the principle of lawfulness, fairness and transparency of data processing.

GDPR text on lawfulness, fairness and transparency

Article 5 of GDPR provides that personal data shall be:

“processed lawfully, fairly and in a transparent manner in relation to the data subject”

Under this principle, processing personal data of EU citizens must be lawful and meet the GDPR requirements.

GDPR text on the lawfulness of processing

Article 6(1) of GDPR defines the lawfulness of processing as:

Processing shall be lawful only if and to the extent that at least one of the following applies:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(a) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(b) processing is necessary for compliance with a legal obligation to which the controller is subject;

(c) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(d) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(e) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

What is lawfulness, fairness and transparency of data processing?

Based on principle 1 of GDPR, the processing of personal data must also be done with fairness.

Fairness is how a data controller or data processor acts in accordance to what they disclosed or informed the data subject.

Individuals must have a reasonable expectation of how you will use their personal data.

Organizations should only use an individual’s personal data in accordance with the disclosure and notification given to the data subject.

Finally, the processing of personal data must be done with transparency.

Transparency means that you must be clear about what you will do with a data subject’s data.

The data subject should have a good and clear understanding of who you will use their data so they can give proper consent.

How can you comply with the lawfulness, fairness and transparency principle?

To comply with this principle, generally speaking, data controllers and data processors must not do anything that is unlawful from the GDPR point of view but also in relation to the other statutes applicable to an organization.

To comply with this principle, organizations should ask themselves a few questions to determine whether or not they are respecting this first principle of data processing outlined in GDPR.

  1. Are we using personal data for legitimate purposes?
  2. Are we using personal data in accordance with the terms of our contract?
  3. Are we using personal data in compliance with any applicable statute or regulation applicable to our business, including GDPR?
  4. Are data subjects deceived when collecting their data?
  5. Do we use personal data in a manner that can be seen as fair and reasonable?
  6. Will there be a risk for significant harm or potential prejudice to the data subject?
  7. Did we clearly inform the data subject about our purpose and use of personal data?
  8. Do we use clear and specific language to get the data subject’s consent?

What are the consequences of non-compliance?

Are there sanctions or penalties for failing to comply with GDPR principle 1?


The consequences are pretty strict.

GDPR provides for heavy administrative fines in the event a person violates the GDPR basic principles.

The administrative fines can go up to the higher of 20,000,000 EURO or 4% of and organization’s worldwide annual turnover.

Data protection authorities have the powers to take into consideration the circumstances in which personal data was collected and decide on a fine that will be meaningful and dissuasive.

For more content on the GDPR principles, read our post titled What Are The 7 Principles of GDPR?