Children and the GDPR

There has been a great deal of discussion recently about the EU General Data Protection Regulation (GDPR) and particularly around the impact on children and young people. The Information Commissioner's Office in the UK has recently launched a consultation document which provides more detailed guidance for (UK) organisations who are processing personal data under the GDPR.

The accompanying guidance focuses on child-specific considerations and, particularly, on the lawful basis for processing a child's personal data. There is also some practical information on what should be included in privacy notices and the rights that children have under the GDPR.

Although this is a consultation for UK-based organisations, much of the information relates to the GDPR in general terms and will be applicable to those outside of the UK too.

The following areas/questions are addressed in some detail:

  • What's new? (What the GDPR says about children.)
  • What should my general approach to processing children's personal data be? (Focusing on the particular protections that children need to be given.)
  • What do I need to think about when choosing a basis for processing children's personal data? (Including issues around consent.)
  • What are the rules about an ISS (online service) and consent? (Including the need to make reasonable efforts to verify that someone giving their own consent is old enough to do so.)
  • What if I want to market children?
  • What if I want to profile children or make automated decisions about them? (GDPR gives children the right not to be subject to this type of decision.)
  • How does the right to be informed apply to children? (Children should be given the same information as adults with regards to what happens to their personal data; such information needs to be presented in an age-appropriate way.)
  • What rights do children have? (Including situations where an adult can exercise children's data protection rights on their behalf.)
  • How does the right to erasure apply to children? (Including situations where children give consent without being aware of the risks.)

For those wishing to respond, the consultation is open until 28 February 2018.

Further information can be found on the UK's Information Commissioner's Office website.


Related news

Children and data protection in Estonia

  • Awareness
  • 22/01/2019
  • Estonian Safer Internet Centre

The General Data Protection Regulation (GDPR) of the European Union entered into force on Friday, 25 May 2018. Although the media in Estonia has quite thoroughly covered the changing data protection rights, they have not paid attention to children's rights. What does the new data protection framework mean for children?

GDPR: The question of minimum age on social networks after May 2018

  • Awareness
  • 03/04/2018
  • Austrian Safer Internet Centre

As of May 2018, with the entry into force of the General Data Protection Regulation (GDPR), stronger rules will apply on data protection. The Austrian Safer Internet Centre (SIC) has looked at the measures taken by the largest social networks such as Facebook, Instagram, WhatsApp, YouTube and Musical.ly regarding the minimum age guidelines for their usage. 

The changing patchwork of the child's age of consent for data processing across the EU (January 2019)

  • Awareness
  • 22/01/2019
  • Ingrida Milkaite and Eva Lievens, Ghent University

Eight months have passed since the General Data Protection Regulation (GDPR) became applicable across the European Union (EU) in May 2018. This new update focuses on the most recent situation in terms of the age that has been decided upon by national government when implementing article 8 GDPR, final implementation laws adopted by most countries and specific provisions certain states include in their (updated) legislation.

Czech children will use social networks illegally from May 2018

  • Awareness
  • 28/03/2018
  • Czech Safer Internet Centre

As already reported several times on the Better Internet for Kids (BIK) portal, the new General Data Protection Regulation (GDPR), which comes into force in May 2018, presents a number of challenges in relation to Article 8 which contains specific requirements regarding consent for the processing of personal data of children. Here, colleagues from the Czech Safer Internet Centre (SIC) update on the situation in their country.

Greece proposes age of digital consent at 15 years old

  • Awareness
  • 15/02/2018
  • Greek Safer internet Centre

Following Safer Internet Day 2018, we've heard from a number of SID Committees on how they marked the day. In Greece, Prof. Fereniki Panagopoulou made an announcement at the main event of Greek Safer Internet Centre for Safer Internet Day 2018 concerning the upcoming GDPR legislation.

Roundtable on the GDPR and children's rights

From May 2018, the General Data Protection Regulation (GDPR) will take effect in EU Member States. The GDPR aims to strengthen, simplify and harmonise data protection regimes across Europe, giving individuals control over how their data are processed. It explicitly acknowledges that children merit specific protection.