Lawfulness of Processing

Definition

The requirement that all processing of personal data must comply with applicable law and have a valid legal basis. Lawfulness is the first principle in GDPR Article 5, paired with fairness and transparency. Processing is lawful when it satisfies legal requirements, including having an appropriate legal basis under Article 6 (or Article 9 for special categories), complying with sector-specific regulations, respecting data subject rights, following data protection principles, and adhering to security requirements. Lawfulness also means that processing doesn't violate other laws: even if you have a GDPR legal basis, processing that violates criminal law, employment law, or other regulations isn't lawful. Organizations must assess lawfulness before processing, document the legal basis, ensure ongoing compliance with legal requirements, monitor legal changes affecting lawfulness, and be prepared to demonstrate lawfulness to regulators. Lawfulness is foundational: without it, all processing is non-compliant regardless of other safeguards.

Applicable Laws & Regulations

  1. GDPR Article 5(1)(a) - Lawfulness, fairness and transparency
  2. GDPR Article 6 - Lawfulness of processing
  3. Various privacy laws - Lawfulness requirements
