Children and the GDPR

There has been a great deal of discussion recently about the EU General Data Protection Regulation (GDPR) and particularly around the impact on children and young people. The Information Commissioner's Office in the UK has recently launched a consultation document which provides more detailed guidance for (UK) organisations who are processing personal data under the GDPR.

The accompanying guidance focuses on child-specific considerations and, particularly, on the lawful basis for processing a child's personal data. There is also some practical information on what should be included in privacy notices and the rights that children have under the GDPR.

Although this is a consultation for UK-based organisations, much of the information relates to the GDPR in general terms and will be applicable to those outside of the UK too.

The following areas/questions are addressed in some detail:

  • What's new? (What the GDPR says about children.)
  • What should my general approach to processing children's personal data be? (Focusing on the particular protections that children need to be given.)
  • What do I need to think about when choosing a basis for processing children's personal data? (Including issues around consent.)
  • What are the rules about an ISS (online service) and consent? (Including the need to make reasonable efforts to verify that someone giving their own consent is old enough to do so.)
  • What if I want to market children?
  • What if I want to profile children or make automated decisions about them? (GDPR gives children the right not to be subject to this type of decision.)
  • How does the right to be informed apply to children? (Children should be given the same information as adults with regards to what happens to their personal data; such information needs to be presented in an age-appropriate way.)
  • What rights do children have? (Including situations where an adult can exercise children's data protection rights on their behalf.)
  • How does the right to erasure apply to children? (Including situations where children give consent without being aware of the risks.)

For those wishing to respond, the consultation is open until 28 February 2018.

Further information can be found on the UK's Information Commissioner's Office website.

Related news

Children and data protection in Estonia

  • Awareness
  • 22/01/2019
  • Estonian Safer Internet Centre

The General Data Protection Regulation (GDPR) of the European Union entered into force on Friday, 25 May 2018. Although the media in Estonia has quite thoroughly covered the changing data protection rights, they have not paid attention to children's rights. What does the new data protection framework mean for children?

GDPR: The question of minimum age on social networks after May 2018

  • Awareness
  • 03/04/2018
  • Austrian Safer Internet Centre

As of May 2018, with the entry into force of the General Data Protection Regulation (GDPR), stronger rules will apply on data protection. The Austrian Safer Internet Centre (SIC) has looked at the measures taken by the largest social networks such as Facebook, Instagram, WhatsApp, YouTube and regarding the minimum age guidelines for their usage. 

Status quo regarding the child's article 8 GDPR age of consent for data processing across the EU

  • Awareness
  • 20/12/2019
  • Ingrida Milkaite and Eva Lievens, Ghent University
The General Data Protection Regulation (GDPR) entered into force more than a year and a half ago, on 25 May 2018. In December 2019 one Member State of the European Union (EU) – Slovenia – is yet to adopt its final GDPR implementation law. In practice, the fact that Slovenia has not yet passed its GDPR implementation law means that the article 8 GDPR age currently is 16 years instead of the age which is proposed in Slovenian draft legislation (15 years) until the national law is officially adopted.

Czech children will use social networks illegally from May 2018

  • Awareness
  • 28/03/2018
  • Czech Safer Internet Centre

As already reported several times on the Better Internet for Kids (BIK) portal, the new General Data Protection Regulation (GDPR), which comes into force in May 2018, presents a number of challenges in relation to Article 8 which contains specific requirements regarding consent for the processing of personal data of children. Here, colleagues from the Czech Safer Internet Centre (SIC) update on the situation in their country.

Greece proposes age of digital consent at 15 years old

  • Awareness
  • 15/02/2018
  • Greek Safer internet Centre

Following Safer Internet Day 2018, we've heard from a number of SID Committees on how they marked the day. In Greece, Prof. Fereniki Panagopoulou made an announcement at the main event of Greek Safer Internet Centre for Safer Internet Day 2018 concerning the upcoming GDPR legislation.

Roundtable on the GDPR and children's rights

From May 2018, the General Data Protection Regulation (GDPR) will take effect in EU Member States. The GDPR aims to strengthen, simplify and harmonise data protection regimes across Europe, giving individuals control over how their data are processed. It explicitly acknowledges that children merit specific protection.