Children and the GDPR

There has been a great deal of discussion recently about the EU General Data Protection Regulation (GDPR) and particularly around the impact on children and young people. The Information Commissioner's Office in the UK has recently launched a consultation document which provides more detailed guidance for (UK) organisations who are processing personal data under the GDPR.

The accompanying guidance focuses on child-specific considerations and, particularly, on the lawful basis for processing a child's personal data. There is also some practical information on what should be included in privacy notices and the rights that children have under the GDPR.

Although this is a consultation for UK-based organisations, much of the information relates to the GDPR in general terms and will be applicable to those outside of the UK too.

The following areas/questions are addressed in some detail:

  • What's new? (What the GDPR says about children.)
  • What should my general approach to processing children's personal data be? (Focusing on the particular protections that children need to be given.)
  • What do I need to think about when choosing a basis for processing children's personal data? (Including issues around consent.)
  • What are the rules about an ISS (online service) and consent? (Including the need to make reasonable efforts to verify that someone giving their own consent is old enough to do so.)
  • What if I want to market to children?
  • What if I want to profile children or make automated decisions about them? (GDPR gives children the right not to be subject to this type of decision.)
  • How does the right to be informed apply to children? (Children should be given the same information as adults with regard to what happens to their personal data; such information needs to be presented in an age-appropriate way.)
  • What rights do children have? (Including situations where an adult can exercise children's data protection rights on their behalf.)
  • How does the right to erasure apply to children? (Including situations where children give consent without being aware of the risks.)

For those wishing to respond, the consultation is open until 28 February 2018.

Further information can be found on the UK's Information Commissioner's Office website.


Related news

GDPR: updated state of play of the age of consent across the EU, June 2018

  • Awareness
  • 28/06/2018
  • Ingrida Milkaite and Eva Lievens, Ghent University

The General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018. This update of the mapping of the implementation of article 8 GDPR reflects the most recent decisions that have been made in relation to the age of consent in the 28 EU Member States. In quite a number of countries, these decisions might still be subject to further changes in the coming weeks and months.

Czech children will use social networks illegally from May 2018

  • Awareness
  • 28/03/2018
  • Czech Safer Internet Centre

As already reported several times on the Better Internet for Kids (BIK) portal, the new General Data Protection Regulation (GDPR), which comes into force in May 2018, presents a number of challenges in relation to Article 8 which contains specific requirements regarding consent for the processing of personal data of children. Here, colleagues from the Czech Safer Internet Centre (SIC) update on the situation in their country.

Greece proposes age of digital consent at 15 years old

  • Awareness
  • 15/02/2018
  • Greek Safer Internet Centre

Following Safer Internet Day 2018, we've heard from a number of SID Committees on how they marked the day. In Greece, Prof. Fereniki Panagopoulou made an announcement at the main event of the Greek Safer Internet Centre for Safer Internet Day 2018 concerning the upcoming GDPR legislation.

Roundtable on the GDPR and children's rights

From May 2018, the General Data Protection Regulation (GDPR) will take effect in EU Member States. The GDPR aims to strengthen, simplify and harmonise data protection regimes across Europe, giving individuals control over how their data are processed. It explicitly acknowledges that children merit specific protection.