GRCWatch
Sign inStart free trial

GDPR A5.01: Lawfulness, Fairness, and Transparency

Personal data processing must have a documented legal foundation and operate transparently with data subjects. This control requires you to identify and justify the lawful basis for every data processing activity—a critical first step in GDPR compliance that prevents costly violations and builds stakeholder trust.

What this means

This control mandates that all personal data processing occurs under a valid lawful basis (consent, contract, legal obligation, vital interests, public task, or legitimate interest), with clear documentation and communication to affected individuals. Fair processing means no deceptive practices, and transparency requires you to inform data subjects how their data is collected, used, and protected.

How to comply

  1. 1.Map all personal data processing activities across your organization
  2. 2.Identify the lawful basis for each processing activity (consent, contract, legal obligation, vital interests, public task, or legitimate interest)
  3. 3.Document the basis selection rationale for audit and evidence purposes
  4. 4.Create privacy notices and data subject information disclosures aligned to each processing activity
  5. 5.Establish procedures to obtain and record consent where consent is the lawful basis
  6. 6.Train staff on fair processing principles and transparency obligations
  7. 7.Implement technical controls to limit data access and processing to documented purposes

Evidence auditors look for

  • Data processing inventory with documented lawful basis for each entry
  • Privacy notices and data subject information statements
  • Consent management records showing how, when, and what was consented to
  • Legitimate interest assessment (LIA) documents for processing based on legitimate interest
  • Processing contracts with third parties specifying lawful basis
  • Staff training records on fair processing and transparency
  • Audit logs showing data processing aligned to documented purposes only

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch streamlines lawful basis mapping and documentation in one control framework, automatically linking your privacy notices to processing activities so you can prove compliance to auditors in minutes instead of weeks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR A5.02 — Purpose LimitationGDPR A5.03 — Data MinimisationGDPR A5.04 — AccuracyGDPR A6 — Lawfulness of ProcessingGDPR A13 — Information to be Provided Where Personal Data are Collected from the Data Subject