The first principle of the GDPR, requiring organisations to document a lawful basis for collecting and using personal data, to avoid processing personal data in a way that is unduly detrimental, unexpected or misleading to data subjects, and to be clear and honest about how they use personal data.