What does it mean to process data lawfully?
For the data processor or controller, it means that the reasons or grounds for processing the data must be legal. If there is no legal basis for processing data, then the processing will be unlawful. The data controller or processor cannot do anything with the data that would breach any legal obligation to the data subject or that would involve committing a criminal offence.
Processing may also be deemed to be unlawful if it results in:
- a breach of applicable privacy laws;
- infringement of copyright law;
- a breach of an enforceable contractual agreement; or
- a breach of industry-specific legislation or regulations.
As a data subject, this provision would give you the right to find out why your data is being processed in order to determine whether or not it is lawful.
What does it mean to process data fairly?
In general, fairness means that processing must be done in ways that people would reasonably expect and not in ways that have unjustified adverse effects on them.
Assessing whether the processing is fair depends in part on how the data was obtained and how the processing affects individuals. If anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair. Processing may negatively affect an individual without necessarily being unfair. What matters is whether or not such detriment is justified.
What does it mean to process data in a transparent manner?
Transparency implies that any information and communication concerning the processing of personal data must be easily accessible and easy to understand.
As a data controller or processor, you will be required to ensure that information regarding how and why you are processing the data is presented to the data subject in a way that they are able to understand. It is advisable to use clear and plain language.
Transparency also means that the data controller provides the data subject with sufficient information about the data controller and data processor. The information they will need to convey includes identity, contact details, the purpose of processing, where the processing is based, the recipients or categories of recipients, the retention period, etc.
This is especially important where the data controller has outsourced the processing of data to a different company.