Privacy Company advisors talk GDPR: legitimacy and transparency of processings

August 13, 2018

The GDPR is at the heart of our team's work. This means that we work with it on a daily basis, analyse the texts, understand the obligations and, in particular, translate them into practical tools for our customers. Which article do our colleagues prefer to work with? How do we help our customers to implement the articles? In this blog series our team is talking, each about one specific article.

Today, the blog series stands for the legitimacy and transparency of the processing.


An organization may only process personal data if it does so lawfully. This means, among other things, that you as an organisation must have described a clear and specific goal for the processing. Jill writes about the other important requirement for this legitimacy:

Processing of personal data requires a justification, also called “basis”. Article 6 GDPR names the six acceptable ones. Companies just need to pick one (and actually base the processing on it). Consent is a very common basis for a processing; it must be given informed, explicit, and can be withdrawn any time. That’s why we all had so much spam in our inboxes asking us to consent to receiving their newsletters – it was annoying, but we were able to withdraw our consent from all of them. Thanks to Article 6 GDPR. Hallelujah to empty inboxes!


In addition, the law requires us to be transparent in our communications to the persons concerned. This means that everyone must be able to understand the content of the communication, that information must be concise and easily accessible and that, above all, it must not be a legal argument. By being transparent, you are implementing one of the articles that Laurens quoted in the previous blog post in which the most important principles of data protection law are laid down: 'lawfulness, proportinality and transparency'. Article 12 of the GDPR specifically deals with this transparency, and Simone writes the following about this:

Privacy is often considered a legal matter, or an IT matter, but privacy is actually primarily about communication. The transparency provision in Article 12 of the GDPR shows this very well. By communicating transparently, you show that you have nothing to hide, and that you respect the fundamental rights of others: "I have respect for you." This can be seen, for example, in Article 8 of the European Convention on Human Rights, which lays out respect for privacy and family life, the home, and communication. This requires an enormous amount of creativity, because every target group is different. This makes it not only the most beautiful article for those involved, but also for privacy professionals, because they remain challenged to think about their own (communication) contribution to the subject.

Curious about which other parts of the GDPR our colleagues are going to tell you about? In the next blog post, Cora and Sterre will talk about the principles of Privacy by Design and Default and the obligation to create a register of processing activities!