Children and the GDPR

There has been a great deal of discussion recently about the EU General Data Protection Regulation (GDPR) and particularly around the impact on children and young people. The Information Commissioner's Office in the UK has recently launched a consultation document which provides more detailed guidance for (UK) organisations who are processing personal data under the GDPR.

The accompanying guidance focuses on child-specific considerations and, particularly, on the lawful basis for processing a child's personal data. There is also some practical information on what should be included in privacy notices and the rights that children have under the GDPR.

Although this is a consultation for UK-based organisations, much of the information relates to the GDPR in general terms and will be applicable to those outside of the UK too.

The following areas/questions are addressed in some detail:

  • What's new? (What the GDPR says about children.)
  • What should my general approach to processing children's personal data be? (Focusing on the particular protections that children need to be given.)
  • What do I need to think about when choosing a basis for processing children's personal data? (Including issues around consent.)
  • What are the rules about an ISS (online service) and consent? (Including the need to make reasonable efforts to verify that someone giving their own consent is old enough to do so.)
  • What if I want to market children?
  • What if I want to profile children or make automated decisions about them? (GDPR gives children the right not to be subject to this type of decision.)
  • How does the right to be informed apply to children? (Children should be given the same information as adults with regards to what happens to their personal data; such information needs to be presented in an age-appropriate way.)
  • What rights do children have? (Including situations where an adult can exercise children's data protection rights on their behalf.)
  • How does the right to erasure apply to children? (Including situations where children give consent without being aware of the risks.)

For those wishing to respond, the consultation is open until 28 February 2018.

Further information can be found on the UK's Information Commissioner's Office website.

Related news

Age of consent in the GDPR: mapping recent national guidance and proposals

  • Awareness
  • 19/06/2017
  • Eva Lievens and Ingrida Milkaité, Ghent University

In preparation for the implementation of the General Data Protection Regulation (GDPR), in a number of EU Member States national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published.

Please note - an updated version of this article is available here. This previous version is preserved to allow readers to track developments should they so wish.

Roundtable on the GDPR and children's rights

From May 2018, the General Data Protection Regulation (GDPR) will take effect in EU Member States. The GDPR aims to strengthen, simplify and harmonise data protection regimes across Europe, giving individuals control over how their data are processed. It explicitly acknowledges that children merit specific protection.