KB 2023 004108 - [2025] EWHC 1824 (KB)

The first processing principle, as provided by article 5(1) UK GDPR, is that personal data shall be processed “lawfully, fairly and in a transparent manner” (article 5(1)(a)).

Data will be processed “lawfully” if, and to the extent that, at least one of the six bases provided by article 6 applies. This is not a case where it is suggested that the claimants gave their consent to the processing in question; reliance is, however, placed on sub-paragraphs (c), (e), and/or (f).

In understanding what is required to establish a legal obligation for the purpose of article 6(1)(c), or a task carried out in the public interest or the exercise of official authority under article 6(1)(e), recital (45) provides assistance: the processing should have a basis in domestic law, although it need not be pursuant to a specific legislative provision. The legal obligation to comply with the duty of candour has been recognised as falling within this provision (Dixon v North Bristol NHS [2022] EWHC 3127 at [104]); similarly, I would accept (and it has not seriously been disputed) that these are provisions that would also apply to a solicitor’s overriding obligation to act on their client’s instructions and to protect their best interests (Solicitors Regulation Authority Code of Conduct for Solicitors etc (“SRA Code”) at [3.1]), and, as an officer of the court, to draw the court’s attention to procedural irregularities which are likely to have a material effect on the outcome of proceedings (and, thus, the administration of justice) (SRA Code at [2.7]).

As for what might constitute a “legitimate interest” for the purpose of article 6(1)(f), the UK GDPR does not seek to limit what might properly to be considered under this provision and a wide range of interests is, in principle, capable of being regarded as legitimate (see UF v Land Hessen (Joined Cases C-26/22 and C-64/22 [2024] 3 CMLR 4 at [76]; Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Personnsgegevens (Case C-621/22) [2025] 4 WLR 7 at [38]). That said, the establishment of a legitimate interest is only the first step; the question will then arise as to whether the processing was necessary for the purpose of pursuing that interest, and, if so, whether it was proportionate – a condition arising from the condition of necessity and the express requirement to evaluate whether the interests relied on are not overridden by the interests or fundamental rights and freedoms of the data subject (see further below).

Turning to the requirements of fairness and transparency, these are distinct, albeit overlapping, considerations. By recital (39) UK GDPR, it is emphasised that:

“Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. .... Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data ... ”

Whilst not a statutory code (and thus having no special status), the ICO’s Guide to the UK GDPR identifies potentially relevant factors going to the question of fairness, as follows: (i) how the data was obtained (whether anyone was deceived or misled); (ii) how the processing of the data concerned affects the interests of the data subjects, either as a group or individually; (iii) whether the processing has given rise to an unjustified detriment; (iv) how the data subjects concerned have been treated when seeking to exercise their data protection rights.

What is required for personal data to be processed “in a transparent manner” for article 5(1) purposes is not expressly specified, although reference can be made to the provisions at article 12-14, which specifically address the question of transparency. Again, recital (39) assists, providing that:

“... The principle of transparency requires that any information and communicating relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. ...”

It is, however, apparent that information relating to the processing of personal data can be provided by way of a general communication, including a privacy notice on a website (see recital (58) and, by way of example, Information Commissioner v Experian Ltd [2024] UKUT 105 (AAC) at [137] and [164]).