The data protection principle of lawfulness, fairness, and transparency is introduced in Article 5(1) of the GDPR (General Data Protection Regulation):
“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).”
This means that the personal data that you are processing has to be done on legal grounds and carried out in a fair and transparent manner towards the data subject.
Lawfulness means that personal data processing is based on lawful grounds. This can include data protection laws and other applicable laws.
Under the GDPR the processing of personal data needs to be based on one of the six lawful bases for processing:
- Legal obligation
- Protection of vital interests
- Public task
- Legitimate interest
GDPR requires certain criteria to be met for each of those lawful bases, while Member States maintain the right to apply national instruments if they are consistent with the GDPR. There are special additional conditions for processing sensitive personal data. If you can not find the proper basis, then your processing will be unlawful.