Child Interests Under GDPR

By now you should understand what the GDPR is, the six principles that will affect your business, what you can rely on when processing personal data, and how it will impact your future marketing communications.

One third of online users are children.

Under the current Data Protection Act there are no specific provisions for the protection of data in relation to a child. The GDPR intends to outline and enhance the protection of a significant proportion of online users (1 in 3 in fact: Source - Livingstone, S., Carr, J. and Byrne, J. (2015) One in three: internet governance and children's rights (PDF). Ontario: Centre for International Governance Innovation.) who are classed as children and therefore potentially vulnerable to the risks associated with marketing and creating online profiles. The aim of these provisions being to protect the child as a person.

In Article 8, the GDPR introduces specific protections for children by limiting their ability to consent to data processing without parental authorisation. The age of consent will vary between 13 and 16 across EU Member states. As a controller, you will need to obtain the consent of a parent or guardian, whilst making “reasonable efforts” to verify that they are in effect who they say they are. Although it is worth noting that the methods for such verification have yet to be developed.

Whilst there is a definitive process you can follow if you require consent to process a child’s personal data, any reliance on “legitimate interests” necessitates a carefully crafted document showing all the elements you can use to justify how your organisations interests outweigh those of the child. Article 6(1)(f) of the GDPR notes that the rights and freedoms of a data subject may “in particular” override the interests of the controller or third party where the relevant data subject is a child. 

GDPR Top Tip

A child will attain control over their own personal data once they come of age. The will have the right to rectify, amend, delete etc and revoke control by others. 

horizontal rule

The GDPR mostly focuses on child data in relation to online services (information society services) which provide a service at the user’s request, sometimes for remuneration. Parental/guardian consent is not required where the processing is related to preventative or counselling services offered directly to a child.

GDPR Top Tip

Remain aware of national legislation for offline data processing relating to children’s data. 

horizontal rule

Article 40 requires Member States and supervisory authorities to encourage the creation of codes of conduct, including in the area of the protection of children, and concerning the ways in which consent can be collected from the holder of relevant parental responsibility. 

GDPR Top Tip

Organisations that process personal data relating to children should watch for the creation of codes of conduct by member states, which might impose particular additional requirements.

horizontal rule

Are you aware that Mercurytide also offer GDPR compliance training for your employees? 


Privacy notices for children

Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand.

If your basis for processing a child’s personal data is consent, according to your member state age limit, a child under that age instead requires consent from a person holding ‘parental responsibility’.

GDPR Top Tip

Solely automated profiling is forbidden on a child’s personal data

horizontal rule

If you or your organisation is processing the personal data of children, there are extra measures and thought-processes that need to be completed. We recommend you ask yourself questions such as the following:

checkboxAm I obtaining data from anyone under the age of 18?

checkboxDo I require all the information I am collecting?

checkboxDo I have consent from either the child, if they are over 13, or the person with parental responsibility?

checkboxAm I relying on legitimate interest?

checkboxDo I have a document outlining why I don’t require specific consent?

checkboxDo I have a privacy policy written not only in plain English, but in language a child will understand?

checkboxDo I have a retention policy?

checkboxDo I know who has access to children’s personal data?

If you have any questions about the points I've raised, or want a more in-depth chat about all things GDPR, please get in touch via the form below.

PREVIOUS: Your GDPR Checklist so far

Enjoy what you're reading? Read one of our other articles on GDPR below