AuditFront

GDPR Art.5.1a: Lawfulness, Fairness and Transparency

What This Control Requires

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency').

In Plain Language

Every time your organisation touches personal data, you need a legitimate reason for doing so - and you need to be upfront about it. Regulators treat this as the bedrock of GDPR compliance, and getting it wrong is one of the fastest routes to a significant fine. Lawfulness means each processing activity must map to one of the six legal bases in Article 6(1): consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. Fairness means you cannot process data in ways that are misleading, unexpected, or unduly harmful to the people involved. Transparency means telling people clearly and honestly what you are doing with their data: at the point of collection when you collect it from them directly (Article 13), or within a reasonable period, and at the latest within one month, when you obtain it from somewhere else (Article 14). In practice, DPAs look for a documented legal basis for every processing activity, privacy notices written in plain language (not legalese), and evidence that you actually thought through whether your chosen legal basis genuinely applies. If your Article 30 register is empty or your privacy notice reads like a contract, expect questions.

How to Implement

Start with a thorough data mapping exercise. Identify every processing activity across your organisation - what personal data flows where, for what purpose, and who touches it along the way. Do not skip departments like marketing or HR; they are often where the gaps hide.

For each processing activity, pin down the right legal basis from Article 6(1) and document your reasoning before processing starts, not after. If you rely on consent, make sure it meets the Article 4(11) definition (freely given, specific, informed, and unambiguous) and the Article 7 conditions: you can demonstrate it was given, the request is clearly distinguishable from other matters such as terms of service, and withdrawing it is as easy as giving it. If you rely on legitimate interests, write up a proper Legitimate Interest Assessment (LIA) that honestly weighs your interests against the individual's rights and freedoms.

Build layered privacy notices that comply with Articles 13 and 14. Put a short, readable summary at the point of collection, then link to the full policy with all the required details. Write them in plain language. If your grandmother would not understand the notice, rewrite it.

Set up a review cycle. When you launch a new product feature, onboard a new vendor, or change how you use data, your legal bases and privacy notices need updating too. Keep version histories and records of how and when you communicated changes to data subjects.

Train your team. Everyone who handles personal data should know which legal basis applies to what they do and how to handle questions from data subjects. Create a clear escalation path for situations where someone is not sure whether a processing activity is lawful.

Evidence Your Auditor Will Request

  • Records of processing activities (Article 30 register) with documented legal basis for each activity
  • Published privacy notices and cookie policies compliant with Articles 13 and 14
  • Legitimate Interest Assessments (LIAs) for processing based on legitimate interests
  • Consent records and consent management platform configuration
  • Staff training records on data protection principles and lawful processing

Common Mistakes

  • Relying on consent when another legal basis would be more appropriate, or when consent cannot be freely given due to power imbalances
  • Privacy notices that are excessively long, written in legal jargon, or fail to include all required information elements
  • No documented legal basis for processing activities, or legal basis determination performed retrospectively
  • Failing to update privacy notices when new processing activities are introduced or existing ones change
  • Using pre-ticked consent boxes or bundling consent with terms of service

Related Controls Across Frameworks

Framework | Control ID | Relationship
ISO 27001 | A.5.34 | Related
NIS2 | Art.21.2d | Partial overlap

Frequently Asked Questions

Can we change the legal basis for processing after data has been collected?
Short answer: no, not retroactively. Switching legal bases after the fact undermines the whole transparency principle. That said, if you genuinely made an error in your original assessment, you can correct it - provided the new basis was actually valid from the start. Document the correction thoroughly and let affected data subjects know.
How detailed does our privacy notice need to be?
It needs to cover everything in Articles 13 and 14: controller (and, where appointed, DPO) contact details, processing purposes and the legal basis for each, the legitimate interests pursued where that is the basis, recipients, international transfers and the safeguards used, retention periods, data subject rights including withdrawal of consent and the right to complain to a supervisory authority, any automated decision-making, and, for data not obtained from the individual, the source. The trick is using a layered approach: a concise, readable summary up front, with a link to the full policy for anyone who wants the detail. Nobody reads a 15-page wall of text, and regulators know that.
What counts as 'fair' processing?
Think of it as a reasonableness test. Would the person whose data you are processing be surprised or concerned if they knew exactly what you were doing with it? Fair processing means you are not using data in ways that are misleading, unexpectedly harmful, or just plain unreasonable given the context. If you would not want it done to your own data, reconsider.
