Lawfulness, Fairness, and Transparency
Lawfulness, Fairness, and Transparency is a foundational principle under Article 5(1)(a) of the General Data Protection Regulation (GDPR), forming the bedrock of European data protection law. This principle comprises three interconnected elements:

**Lawfulness** requires that all processing of personal data must have a valid legal basis as outlined in Article 6 of the GDPR. The six lawful bases are: consent, contractual necessity, legal obligation, vital interests, public interest/official authority, and legitimate interests. Without establishing at least one of these legal grounds, any processing activity is considered unlawful and constitutes a violation of the regulation.

**Fairness** mandates that personal data must be processed in a manner that is fair to the data subject. This means organisations should not process data in ways that are unduly detrimental, unexpected, or misleading to the individuals concerned. Fairness requires controllers to consider the reasonable expectations of data subjects and ensure that processing does not produce unjustified adverse effects. It acts as a broader safeguard, ensuring that even when processing is technically lawful, it does not exploit or harm individuals.

**Transparency** obligates data controllers to provide clear, open, and honest communication to data subjects about how their personal data is being collected, used, stored, and shared. Articles 12–14 of the GDPR detail specific transparency requirements, including providing privacy notices that are concise, easily accessible, and written in plain language. Data subjects must be informed about the identity of the controller, the purposes of processing, retention periods, their rights, and any third-party recipients of their data.

Together, these three elements ensure that individuals maintain control and awareness over their personal data. Organisations must demonstrate compliance with this principle as part of their accountability obligations. Violations can result in significant administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher, under the GDPR's enforcement framework.
Lawfulness, Fairness, and Transparency – A Complete CIPP/E Exam Guide
Introduction
Lawfulness, fairness, and transparency form the very first principle of data processing under Article 5(1)(a) of the General Data Protection Regulation (GDPR). This foundational principle underpins virtually every aspect of European data protection law, making it one of the most frequently tested topics in the CIPP/E examination. Understanding this principle thoroughly is not just essential for passing the exam — it is fundamental to understanding the entire GDPR framework.
Why Is This Principle Important?
The principle of lawfulness, fairness, and transparency is important for several critical reasons:
1. Foundation of the GDPR: It is the first principle listed in Article 5, signalling its primacy among all data protection principles. Without lawfulness, no processing activity can be justified, regardless of how well other principles are observed.
2. Trust and Accountability: The principle builds trust between data subjects and controllers. When individuals understand how their data is used (transparency), know that there is a legal basis for processing (lawfulness), and can trust that data is not used against their interests (fairness), they are more likely to engage with organisations confidently.
3. Enforcement Priority: Supervisory authorities, including the European Data Protection Board (EDPB), frequently cite violations of this principle when issuing fines. Some of the largest GDPR fines have been imposed for failures related to lawfulness and transparency.
4. Rights Enablement: Transparency is the gateway to the exercise of data subject rights. If individuals do not know what is happening with their data, they cannot effectively exercise rights such as access, rectification, erasure, or objection.
What Is Lawfulness, Fairness, and Transparency?
This principle is actually composed of three distinct but interrelated requirements. Let us examine each one in detail:
1. Lawfulness
Lawfulness requires that every processing activity must have a valid legal basis as set out in Article 6(1) GDPR. The six legal bases are:
(a) Consent — The data subject has given consent to the processing for one or more specific purposes.
(b) Contractual necessity — Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
(c) Legal obligation — Processing is necessary for compliance with a legal obligation to which the controller is subject.
(d) Vital interests — Processing is necessary to protect the vital interests of the data subject or another natural person.
(e) Public interest or official authority — Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(f) Legitimate interests — Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
For special categories of personal data (Article 9) and criminal conviction data (Article 10), additional conditions apply. Controllers must identify a lawful basis before processing begins and document it. The chosen legal basis cannot be swapped after the fact simply because the original basis no longer applies.
Key exam points on lawfulness:
- Consent must be freely given, specific, informed, and unambiguous (Article 4(11)).
- Legitimate interests require a three-part balancing test: (i) identify the legitimate interest, (ii) show the processing is necessary for that interest, (iii) balance against the data subject's rights and freedoms.
- Public authorities generally cannot rely on legitimate interests as a legal basis when performing their tasks (Article 6(1) last sentence).
- The legal basis must be determined and documented before processing begins (accountability principle, Article 5(2)).
2. Fairness
Fairness is the most open-textured element of this principle. While the GDPR does not define fairness explicitly, it encompasses several important ideas:
- Data should not be processed in ways that are unduly detrimental, unexpected, or misleading to the data subject.
- Controllers should consider the reasonable expectations of data subjects.
- There should be no unjustified adverse effects on individuals.
- Processing should respect the power imbalance between the controller and the data subject (particularly relevant in employer-employee and government-citizen relationships).
- Fairness requires that controllers do not use data in ways that discriminate unlawfully or exploit vulnerabilities (e.g., children, elderly, or economically disadvantaged individuals).
The EDPB has linked fairness to concepts such as data protection by design and by default (Article 25), emphasising that fairness should be embedded into the design of processing operations from the outset.
Key exam points on fairness:
- Fairness is assessed from the data subject's perspective.
- Even if processing is technically lawful and transparent, it can still be unfair.
- Fairness is closely related to the concept of purpose limitation — using data for purposes data subjects would not reasonably expect may be unfair.
- The EDPB's Guidelines on Data Protection by Design (2019) list fairness as a core design principle, including elements such as autonomy, non-discrimination, expectation, and power balance.
3. Transparency
Transparency requires that data subjects are informed about the processing of their personal data in a way that is clear, concise, easily accessible, and easy to understand, using plain language (Recital 39 and Articles 12–14 GDPR).
Transparency obligations differ depending on whether data is collected directly from the data subject (Article 13) or from a source other than the data subject (Article 14).
Information to be provided under Article 13 (data collected from the data subject):
- Identity and contact details of the controller (and DPO, if applicable)
- Purposes and legal basis of processing
- Legitimate interests pursued (if applicable)
- Recipients or categories of recipients
- Details of transfers to third countries and safeguards
- Retention period or criteria for determining it
- Data subject rights (access, rectification, erasure, restriction, portability, objection)
- Right to withdraw consent (if consent is the legal basis)
- Right to lodge a complaint with a supervisory authority
- Whether provision of data is a statutory or contractual requirement
- Existence of automated decision-making, including profiling (Article 22)
Information to be provided under Article 14 (data not obtained from the data subject):
All of the above, plus:
- Categories of personal data concerned
- The source from which the personal data originates
This information must generally be provided within a reasonable period, but no later than one month after obtaining the data, or at the time of first communication with the data subject, or at the time of first disclosure to a third party (whichever is earliest).
Exceptions to transparency under Article 14(5):
- The data subject already has the information.
- Providing the information would be impossible or involve disproportionate effort (with safeguards such as making information publicly available).
- Obtaining or disclosure is expressly laid down by EU or Member State law.
- The data is subject to an obligation of professional secrecy.
Article 12 requirements for the manner of communication:
- Information must be provided in a concise, transparent, intelligible, and easily accessible form.
- Clear and plain language must be used, especially when addressing children.
- Information may be provided in writing, electronically, or orally (if requested and identity verified).
- Controllers must facilitate the exercise of data subject rights and respond to requests within one month (extendable by two months for complex requests).
- Layered privacy notices and the use of standardised icons (in combination with text) are encouraged.
Key exam points on transparency:
- A privacy notice is not the same as consent — providing a notice does not mean consent has been obtained.
- Transparency must be proactive, not reactive.
- The use of overly legalistic or technical language may violate the transparency requirement even if all the required information is technically included.
- The EDPB Guidelines on Transparency (WP260 rev.01) are essential reading and provide detailed practical guidance.
How Does This Principle Work in Practice?
In practice, controllers must take the following steps to comply with the lawfulness, fairness, and transparency principle:
Step 1: Identify the legal basis
Before any processing activity begins, the controller must determine and document the applicable legal basis under Article 6(1). If special categories of data are involved, an additional condition under Article 9(2) must also be identified.
Step 2: Assess fairness
The controller should evaluate whether the processing could have unexpected, disproportionate, or discriminatory effects on data subjects. A Data Protection Impact Assessment (DPIA) under Article 35 may be required for high-risk processing and is a useful tool for assessing fairness.
Step 3: Provide transparent information
A privacy notice (or privacy policy) must be prepared and made available to data subjects at the appropriate time. The notice should comply with Articles 12, 13, and/or 14 and be regularly reviewed and updated.
Step 4: Document and demonstrate compliance
Under the accountability principle (Article 5(2)), the controller must be able to demonstrate compliance with all data protection principles, including lawfulness, fairness, and transparency. This includes maintaining records of processing activities (Article 30), documenting the legal basis chosen, and retaining evidence of privacy notices provided.
Real-World Examples and Enforcement
- Google LLC (CNIL, 2019): France's CNIL fined Google €50 million for lack of transparency and inadequate consent mechanisms. Information was found to be excessively scattered across multiple documents, requiring too many clicks, and consent for personalised advertising was not freely given or sufficiently informed.
- Meta/Facebook (Irish DPC, 2022–2023): Meta received significant fines for relying on an incorrect legal basis (contractual necessity) for behavioural advertising, when consent should have been used. This case highlighted the importance of correctly identifying the legal basis.
- Clearview AI (multiple EU authorities): Several supervisory authorities sanctioned Clearview AI for processing facial recognition data without a lawful basis and without providing adequate information to data subjects — violations of both lawfulness and transparency.
Interaction with Other GDPR Provisions
The lawfulness, fairness, and transparency principle interacts with numerous other GDPR provisions:
- Article 7: Conditions for valid consent
- Article 9: Processing of special categories of data
- Articles 12–14: Transparency obligations (detailed above)
- Article 21: Right to object (linked to lawfulness under legitimate interests or public interest)
- Article 22: Automated decision-making and profiling
- Article 25: Data protection by design and by default (fairness as a design principle)
- Article 35: Data Protection Impact Assessments (assessing fairness and risks)
- Recitals 39, 40, 42, 43, 47, 58, 60: Provide interpretive guidance on lawfulness, fairness, and transparency
Common Misconceptions
- Misconception: If you have consent, you do not need to worry about fairness or transparency.
Reality: Even with consent, you must still be transparent (provide a privacy notice) and fair (not mislead the data subject).
- Misconception: Legitimate interests can always be used as a fallback legal basis.
Reality: Legitimate interests require a proper balancing test and cannot be used by public authorities in the performance of their tasks. It is not a catch-all basis.
- Misconception: A detailed, lengthy privacy policy satisfies transparency requirements.
Reality: Transparency requires that information be concise, intelligible, and in plain language. An overly long or legalistic document may actually violate transparency requirements.
- Misconception: The legal basis can be changed after processing has begun.
Reality: Controllers should determine the legal basis before processing begins. While the GDPR does not explicitly prohibit changing the legal basis, doing so is strongly discouraged and may undermine accountability and data subject trust.
Exam Tips: Answering Questions on Lawfulness, Fairness, and Transparency
The CIPP/E exam frequently tests this principle. Here are detailed strategies for answering related questions effectively:
Tip 1: Know the six legal bases by heart.
You must be able to identify the correct legal basis from a scenario. Practice reading fact patterns and determining which of the six bases under Article 6(1) applies. Pay special attention to the distinctions between consent, contractual necessity, and legitimate interests, as these are the most commonly tested.
Tip 2: Distinguish between Articles 13 and 14.
Questions often present scenarios where data is collected directly versus indirectly. Know the additional requirements under Article 14 (categories of data and source of data) and the timing rules. Be familiar with the exceptions in Article 14(5).
Tip 3: Remember that fairness is a separate requirement.
Some exam questions test whether you understand that processing can be lawful and transparent yet still unfair. Look for scenarios involving power imbalances, misleading practices, or disproportionate impacts on vulnerable individuals.
Tip 4: Be precise about consent requirements.
Know the four elements of valid consent: freely given, specific, informed, and unambiguous. Know that consent must involve a clear affirmative action. Pre-ticked boxes do not constitute valid consent (Planet49 CJEU judgment, C-673/17). Children's consent requires special attention (Article 8).
Tip 5: Understand the legitimate interests balancing test.
When a question involves legitimate interests, apply the three-part test: (1) Is there a legitimate interest? (2) Is the processing necessary for that interest? (3) Do the data subject's rights and interests override? Remember Recital 47's reference to the reasonable expectations of the data subject.
Tip 6: Watch for transparency-specific scenarios.
If a question describes a privacy notice, evaluate whether it meets Article 12 standards (concise, transparent, intelligible, plain language). If information is missing, identify which Article 13 or 14 element is absent.
Tip 7: Connect the principle to other GDPR concepts.
The exam may ask about how lawfulness, fairness, and transparency relate to DPIAs, accountability, data protection by design, or data subject rights. Understand these interconnections and be prepared to explain them.
Tip 8: Use process of elimination.
In multiple-choice questions, eliminate answers that confuse legal bases (e.g., suggesting consent when the scenario clearly involves a legal obligation) or that conflate transparency with consent. Look for the most accurate and complete answer.
Tip 9: Pay attention to the controller vs. processor distinction.
The obligation to have a legal basis and to provide transparency rests with the controller, not the processor. If a question involves a processor, be cautious about attributing transparency obligations to them.
Tip 10: Review key CJEU and EDPB guidance.
Be familiar with major cases and guidelines, including:
- Planet49 (C-673/17) on consent and pre-ticked boxes
- Fashion ID (C-40/17) on joint controllership and legal bases
- Meta Platforms (C-252/21) on legal basis for behavioural advertising
- EDPB Guidelines on Transparency (WP260 rev.01)
- EDPB Guidelines on Consent (05/2020)
- EDPB Guidelines on Data Protection by Design and by Default (4/2019)
Tip 11: Practice scenario-based reasoning.
The CIPP/E exam is heavily scenario-based. For each scenario, ask yourself:
- What personal data is being processed?
- Who is the controller?
- What is the purpose?
- What is the legal basis?
- Has the data subject been informed?
- Is the processing fair given the circumstances?
Tip 12: Read the question carefully.
Some questions specifically ask about one element of the principle (e.g., only lawfulness, or only transparency). Do not confuse them. If the question asks about transparency, focus on Articles 12–14 and the manner of providing information, not on legal bases.
Summary
The principle of lawfulness, fairness, and transparency is the cornerstone of the GDPR. Lawfulness requires a valid legal basis for all processing. Fairness demands that processing respects data subjects' rights, expectations, and interests without causing unjustified adverse effects. Transparency requires proactive, clear, and accessible communication about data processing practices. Together, these three elements ensure that individuals retain meaningful control over their personal data and that organisations process data responsibly and accountably. Mastery of this principle is essential not only for the CIPP/E exam but for any data protection professional working within the European legal framework.