Counting down to 25 May 2018: mapping the GDPR age of consent across the EU: May 2018

  • Awareness
  • 05/05/2018
  • Ingrida Milkaite and Eva Lievens, Ghent University

With around three weeks left until the GDPR will become applicable, the picture of how certain provisions will be implemented is (finally) becoming clearer. This update of the mapping of the implementation of article 8 GDPR reflects the most recent decisions that have been made in relation to the age of consent in the 28 EU Member States.

Article 8 of the General Data Protection Regulation (GDPR) contains specific requirements regarding consent for the processing of personal data of children. The general rule provides for a parental consent requirement for all youth under 16 years old in situations where information society services are offered directly to them, and consent is the legitimation ground that is relied upon.1 However, Member States may choose to deviate and decide to lower the age threshold to 15, 14, or 13 years. In preparation for the implementation of the GDPR, national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published across the EU. Although still in quite some countries no final decisions have been taken, our research into a selection of national approaches, based on official and public documents, shows that the implementation of article 8 will be fragmented across the EU.    

Since the last update of the mapping in April 2017, several developments occurred. In Bulgaria, Croatia, Cyprus, Estonia, Italy, Malta, Portugal, Romania and Slovenia proposals on the age of consent for children have been put forward. In addition, new proposals or newly published documents also emerged in Ireland and Slovakia.

Austria | Belgium | Bulgaria | Croatia | Cyprus | Czech Rep. | Denmark | Estonia | Finland | France | Germany | Greece | Hungary | Ireland | Italy | Latvia | Lithuania | Luxembourg | Malta | Netherlands | Poland | Portugal | Romania | Slovakia | Slovenia | Spain | Sweden | UK

Bulgaria

On 30 April 2018, a public consultation on the Draft Law on the Amendment of the Personal Data Protection Act was launched and will be closed on 14 May 2018. Article 25(c) of the Draft Law currently sets the age of digital consent for children at 14 years (see Проект на Закон за изменение и допълнение на Закона за защита на личните данни). 

Croatia

The Proposal for the Law on the Implementation of the General Data Protection Regulation has been published for consultation. The proposed law does not refer to Article 8 GDPR and does not mention children in the context of digital consent suggesting that Croatia is either in the process of choosing the age of 16 or will add this provision at a later legislative stage.

During the public consultation, two comments which specifically address children's consent with regard to information society services being offered directly to children, were made. First, AmCham Croatia, the American Chamber of Commerce in Croatia, representing the business interests of American, international and Croatian companies, proposed to include the age of 15 as the age threshold for consent for children in Croatia. Second, Google considered the Draft Proposal for the Implementation of the GDPR inadequate with regard to the undefined age of consent for children using information society services and proposed to set the age threshold at 13 years. Google stated that such a decision is supported by industry as well as numerous experts, non-governmental organisations and international organisations (including UNICEF) advocating for the safety and welfare of children in the online world. According to Google, setting the age limit to 13 years would be in line with numerous international and national acts, including the 1998 US Children's Online Privacy Protection Act (COPPA). Google also made a reference to Article 17 of the UN Convention on the Rights of the Child which states that "children are entitled to information that is important to their health and well-being". Furthermore, Google claimed that setting the age limit for consent at 16 instead of 13 would have a negative impact on the development of teenagers, as young people would thus be denied essential social and educational opportunities. Moreover, for children of less digitally literate families, an additional parental consent requirement could hinder their access to online services altogether. In addition, some teenagers require their own right to privacy without parental or guardian involvement, and, as Google states, it is unquestionable that everyone wants a degree of privacy from their parents. Finally, Google reminded the Croatian policy makers that the original version of article 8 GDPR, initially proposed by the European Commission, stipulated that the age of consent for the use of information society services would be 13 years. Google added that many EU Member States also highlight the problems mentioned above and have the age of consent for the implementation of article 8 GDPR at 13.

Cyprus

In the beginning of April 2018, in the framework of a public consultation, the Draft Act on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data was published. Article 6 of the consultation document (see Νομοσχέδιο Κανονισμός τελικό διαβούλευση.doc) sets the age of consent when information society services are offered directly to children at 14 years. The consultation closed on 27 April 2018.

Estonia

On 4 December 2017, the Director General of the Data Protection Inspectorate of Estonia stated that although the Ministry of Justice provided for the age limit of 14 years in the draft implementing law, the age limit needed to be reduced to 13 years as the same age is used by all major service providers, such as Google, Facebook, etc., which have so far been governed by US law and there is no reason to believe that young Europeans should differ from American youth in terms of access to different services. On 12 April 2018, the Draft Bill on the Protection of Personal Data was discussed by the Government of the Republic of Estonia which approved it. The draft was submitted to the Parliament (Riigikogu), the documents and procedure concerning the draft are available on the Riigikogu's website and the Estonian Data Protection Authority website. On 16 April 2018, the Draft Law on Personal Data Protection was published. Article 8 of the draft law (Eelnõu docx) regulates the processing of children's personal data for the provision of information society services and provides for 13 years as the digital age of consent for children.

The explanatory note of the draft law (Seletuskiri docx) refers to recital 38 GDPR stressing the need for specific protection for children, recital 58 stating that all information should be provided in a clear and simple language that is easily understood by a child and, finally, explains that the 13 year limit for children's digital consent was supported by various parties.

Ireland

On 5 July 2017, Geoffrey Shannon, Special Rapporteur on Child Protection, addressed the Joint Oireachtas Committee on Justice and Equality during a hearing in relation to the General Scheme of Data Protection Bill 2017. He proposed that the age of consent for children should be set at 13 years. On 30 January 2018, the Irish Parliament, Houses of the Oireachtas, presented the Data Protection Bill 2018 (An Bille um Chosaint Sonraí, 2018). The Bill's part 29 on the consent of child in relation to information society services provides that the age of a child specified for the purposes of Article 8 is 13 years of age.

Preceding this decision, in November 2017, the Joint Committee on Justice and Equality of the Houses of the Oireachtas released a Report on pre-legislative scrutiny of the General Scheme of the Data Protection Bill 2017. This report includes arguments presented to the Committee by various stakeholders (Geoffrey Shannon, Special Rapporteur on Child Protection, among others) and specifies many important aspects that need to be taken into account when implementing the GDPR provisions with regard to the protection of children. The Committee acknowledged the fact that the evidence submitted before it by children's rights organisations and their advocates indicated they all agreed that the age of consent of children should be set at 13 years. In this sense, the Committee reiterated that it ‘would help to ensure that children can practically enforce their rights such as, the right to participate in matters concerning him or her, right to be heard, right to express themselves freely and the right to access information need to be exercised effectively by children'. Finally, in addition to recommending setting the age of consent at 13 years, the Committee also recommended that the age of consent is ‘reviewed at appropriate intervals to ensure it remains suitable as technology evolves'. Moreover, the Committee also decided to recommend that ‘a detailed consultation take place with children of all ages to ascertain their views on the proposed measures for data protection' and to include the definition of a child in the proposed legislation adopting the one set in article 1 of the UNCRC stating that a child is every human being below 18 years. Crucially, in the context of the relationship between data protection and digital safety, the Committee also recommended ‘that a policy framework and an associated educational programme be implemented to assist children in exercising their digital rights before they reach the digital age of consent'.

However, in the end of April 2018, news emerged suggesting that the main opposition parties in Ireland are trying to raise the age of digital consent for children to 16 years in an attempt to strengthen children's online safety. Politicians stated that they are planning to prepare "an amendment to the Data Protection Bill at committee stage in order to amend the age of digital consent from 13 to 16 years". Their reasoning is related to stronger protection of children's data, especially in the context of profiling and commercial targeting and decisions taken by other European countries, such as the Netherlands and Germany.

Italy

On 6 November 2017, the Law No 163 on the Delegation to the Government for the Implementation of European Law was published in the Official Journal No 259. The Law contains the delegation to the Government to prepare, within 12 months, legislative decrees on the implementation of, among other legislation, the GDPR. On 21 March 2018, the Council of Ministers approved a preliminary legislative decree which adapts the national legislation to the GDPR. Article 6 of the decree sets the age of digital consent for children at 14 years. The legislative process is still ongoing.

Malta

On 27 April 2018, the Maltese Data Protection Act 2018 (Bill No. 40) was published in the Supplement to the Government Gazette. According to article 1(2) of the Act, different parts of the law may come into force on different dates, depending on when the Minister responsible for data protection prescribes specific regulation on different aspects of the Act. Article 33 explains that the Minister may prescribe regulations concerning, among other matters, "the establishment of a lower age than sixteen years where the processing of the personal data of a child shall be deemed to be lawful in the absence of consent by the holder of parental responsibility over the child". Until the Minister decides to lower the age of digital consent for children, it appears that the general GDPR threshold of 16 years will apply.

Portugal

At the end of March 2018, the draft law implementing the GDPR in Portugal was approved by the Council of Ministers, according to news reports. The proposal still needs to be adopted by the Parliament but some details of the draft law were already made public in the press, including the decision to set the age of consent for children in relation to information society services at 13 years. For the moment, to our knowledge, the actual draft law has not been published yet.

Romania

On 5 September 2017, the Romanian Ministry for Internal Affairs published a Draft Law for Amending and Completing the Law no. 102/2005 Regarding the Establishment, Organization and the Functioning of the National Supervisory Authority for Personal Data Processing, as well as for the repeal of Law no. 677/2001 for the Protection of People with Regard to the Processing of Personal Data and the Free Movement of Such Data. On 14 March 2018, the proposal was submitted to the Senate. The Draft Law mainly regulates the organisation and functioning of the national data protection authority and does not mention any derogations in terms of article 8 GDPR. Due to the current apparent lack of a specific legislative provision, the digital age of consent in Romania seems to be maintained at 16 years.

Slovakia

The proposed Law on the Protection of Personal Data and on Amendments to Certain Acts (Zákon o ochrane osobných údajov a o zmene a doplnení niektorých zákonov) has been published in Slovakia. Currently, this Draft Law is being negotiated by the National Council of the Slovak Republic. Article 15 of the Draft Law provides that personal data may be processed by operators in the context of the provision of information society services in cases where the data subject has reached the age of 16 years. The Explanatory Statement accompanying the Draft Law (Dôvodová Správa) explains that children deserve special protection of their personal data as they are less aware of the risks and consequences associated with the processing of their personal data, especially when their data is obtained through a publicly accessible internet network. 

On 30 January 2018, the new Slovakian Data Protection Law (no. 18/2018 Coll.) was published. The age of digital consent for children was left at 16 years and the law will become applicable on the 25 May 2018.

Slovenia

In January 2018, a draft of the new Personal Data Protection Act was published for a second round of public consultation which was closed on 2 February 2018. Article 11 of the Draft Law regulates the conditions applicable to the consent of the child in relation to the use of information society services and specifies that the age of digital consent for children is set at 15 years. The explanatory part of the Draft Law makes a reference (on page 90) to the US COPPA and specifies that the age of 15 was chosen with regard to the systematic guidance of the Slovenian Family Code, according to which a 15-year-old child can take legal action on his or her own, unless the law provides otherwise. 

Figure 1: Current provisional indications of age of consent across the EU

 

Austria

On 5 July 2017, the Austrian Parliament officially adopted the DatenschutzAnpassungsgesetz 2018 implementing the GDPR into the national legislation. The age of consent for children has been set at 14 years.

Belgium

In February 2018, the Belgian Secretary of State for Privacy has proposed to set the age of consent at 13 years. Referring to the GDPR and the possibility for Member States to derogate from the set age of 16 in article 8 GDPR, the Secretary of State for Privacy stated that "digital is the new normal" and that the age of 13 for children's consent in relation to information society services corresponds to the reality of internet use by children. The Belgian Privacy Commission, the national data protection authority, has expressed its support for the decision to set 13 as the age of consent for children. According to the Privacy Commission, joining social media and other services is part of children's social development, but additional efforts to teach children from a young age about the risks of sharing information should be undertaken. As children are more vulnerable, the processing of their data should remain a point of special attention for companies that offer digital services to children. Currently, the work on the Belgian draft law on the GDPR implementation continues and still needs to be introduced in Parliament.

Czech Republic

One of the previous updates described how on 18 August 2017, a Draft law on the processing of personal data replacing the Act No. 101/2000 on the protection of personal data was published by the Ministry of Interior of the Czech Republic. According to article 6 of this proposal, the consent to the processing of personal data in connection with the provision of information society services directly to a child under the age of 13 is valid only if it is expressed or approved by his or her legal representative. The explanatory note on the draft law (Důvodová zpráva) provided some insight as to the reasons behind this proposal. First, a reference is made to the initial Commission proposal for the GDPR and the US Children's Online Privacy Protection Act, both setting the age of consent at 13 years. The explanatory note also refers to risks to youth in the context of information technologies and states that the processing of personal data in the context of information society services is not the same type of risk activity compared to other activities requiring parental consent under Czech law. The Czech law regarding driving licences is provided as an example which concerns teenagers of 15, 16 or 17 years. It is stated that driving a motor vehicle is an activity that the driver typically carries out independently and personally, which cannot be interfered with, and which is more difficult and risky in nature. Crucially, the document also explains that the reality of minors commonly using mobile phones and sending text messages should not be ignored. Therefore, limiting, for example, email services, social networks, or similar ways of communication, may be inappropriate. According to the document, a better way of addressing the risks associated with the use of information and communication technologies by children may be education and regular interest of educated parents.

However, on 21 March 2018, the Czech Government adopted a revised Draft Law on the Processing of Personal Data (Zákon o zpracování osobních údajů; see Materiál in the section Přílohy). Compared to the original proposal, the age of consent threshold for children increased from 13 years to 15 years. Article 7 of the revised Draft Law states that a child acquires the ability to grant consent to the processing of personal data in connection with the provision of information society services offered directly to him or her at the age of 15. The revised Draft Law has not yet been approved by the Parliament and the Senate. No explanatory documents seem to have been published together with the revised Draft Law.

Denmark

The Danish Ministry of Justice has published its Proposal for a Law on Supplementary Provisions for a Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Information. Under section 6 of the proposal the age of consent for children is set to 13 years. In July-August 2017 a public consultation concerning the proposal was conducted.

On 25 October 2017, the Minister of Justice proposed an updated Law on Supplementary Provisions to the Regulation on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Information (Data Protection Act). Section 6 of the updated proposal also deals with information society services being offered to children and their age of digital consent. Processing of children's personal data on the basis of consent in such situations is lawful if the child is at least 13 years old.

Finland

On 21 June 2017 the national GDPR implementation working group appointed by the Ministry of Justice published its report on GDPR implementation. No final decision was made in relation to the age of consent, but the report proposed lowering the age threshold to either 13 or 15 years. The draft implementation act has opted for the age of 13. This choice was based on the opinions received during the preparation of the proposal which highlighted the importance of the internet for young people and which advocated for a lower age limit. The act still needs to be adopted.

France

On 13 December 2017, the French Minister of Justice presented the Draft Bill on the Protection of Personal Data (Projet de loi relatif à la protection des données personnelles). The Draft Law does not provide for specific provisions dealing with the issue of parental consent, thus leaving the threshold at 16 years. The Explanatory Statement (Exposé des Motifs), accompanying the Draft Law, states that the Government has chosen not to use its margin of manoeuvre. 

Interestingly, though, the Draft Law provides for specific age threshold for consent in the context of health-related research, studies or evaluations. Under article 59 of the Draft Law, a minor, aged 15 years or older, may object to the holder of parental responsibility having access to the data concerning him or her gathered during such a study, research or evaluation. In this case, the minor can receive the information and exercise his or her rights on his or her own behalf. 

On 13 December, the CNIL, the French Data Protection Authority, published its opinion on the draft law on the protection of personal data (which was adopted on 30 November 2017). It provides an insight into the parental consent provision and the government's decision not to derogate. In its opinion on the Draft Data Protection Bill, the CNIL states, first of all, that it was aware of the discrepancy between this provision and the reality of the digital practices of minors. It then articulates the necessary empowerment of young people and the special protection of their personal data that is required at this time of their life, adolescence, where disclosure of their data and potential attacks on their privacy may result in negative effects in their future. In this respect and in light of all the rights of the child as recognised by the French national legislation, the CNIL states that it had not identified any decisive factors justifying the derogation from the default threshold of 16 years as the 16-year threshold corresponds to a common threshold in many legal contexts, particularly in contractual and banking matters. The CNIL adds that such a parental consent threshold may, in fact, be considered as a means of creating an opportunity for dialogue between parents and their children on how they intend to protect their personal data on the internet and the precautions that shall be taken. In terms of practical implementation of the parental consent provisions, the CNIL promotes the adoption of specific obligations, in the form of codes of conduct or certification mechanisms, and in particular, strengthened protection in terms of profiling for advertising purposes.

One of the most recent developments concerning the French legislative process is the Annex to the Report (Annexe au Rapport), adopted by the French National Assembly on 25 January 2018. Crucially, the National Assembly has proposed the addition of a new article 14a, concerning the implementation of article 8 GDPR. According to this provision, a minor may consent to the processing of personal data alone with regard to the offer of information society services from the age of 15. However, this provision could not be found in the version of the draft law as amended by the Senate in March, which again puts the age at 16. Discussions continued in April, so no final decision has been taken yet. 

Germany

On 27 April 2017, the German Parliament adopted the draft law on the Federal Data Protection Act amendment which would implement the GDPR. The draft law has been approved by the German Federal Council and will become applicable on 25 May 2018. The initial draft law can be found here and its adopted amendments are available here. The choice not to derogate means that the threshold of 16 years will be applicable. In August 2017, the German Ministry of Interior published the English translation of the new Federal Data Protection Act.

Greece

The public consultation on the adoption of legislative measures for the application of the GDPR was opened on 20 February 2018 and was successfully concluded on 5 March 2018. The Greek Ministry of Justice has subsequently published the Draft Law on the Protection of Personal Data (Νόμοσ για την Προςταςύα Δεδομϋνων Προςωπικού Φαρακτόρα). Article 6 of the Draft Law sets the age of consent for children at 15 years. According to the article, in relation to information society services being directly offered to a child, the processing of personal data of a child, when based on consent, shall be lawful where the child who provides consent has reached the age of 15 years. Where the child is below the age of 15 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Hungary

In October 2016, the Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR. In relation to the offer of information society services directly to a child, the guide states that where the child is under the age of 16, processing of children's data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, the possibility for Member States to lower the age to 13 is mentioned in the guide.

In the end of August 2017, the draft law on the amendment of the Hungarian Data Protection Act (Act CXII of 2011 on the right to information self-determination and freedom of information) and other relevant laws related to the GDPR were proposed and opened for public consultation. If the draft law was adopted in its current version. As there is no reference to the digital age of consent for children in the context of information society services being offered directly to them in the proposal, the age of consent would be set at 16 years.

Latvia

At the end of September 2017, the Latvian Ministry of Justice published the Latvian Draft Law on Personal Data Processing (Likumprojekts. Personas datu apstrādes likums). Article 43 of the Draft Law sets the conditions for the consent of the child in relation to information society services. According to this provision, pursuant to article 8 GDPR, when information society services are offered directly to the child, the consent of the child constitutes the legal basis for his or her data processing if the child is at least 13 years old. If the child is younger than 13 years, parental consent shall be obtained.

Lithuania

On 15 June 2017, the official draft Law on Legal Protection of Personal Data prepared by the Ministry of Justice and the State Data Protection Inspectorate was published. The draft law mostly focuses on the procedural issues and legal powers of the data protection authority and does not mention the issue of the age of consent, thus, unless other legislative action is taken, setting it at 16 years.

Luxembourg

On 12 September 2017 the draft law establishing the National Commission for Data Protection and implementing the GDPR was published in Luxembourg. The draft law does not address the issue of parental consent, therefore, setting it at 16 years old.

Poland

On 28 March 2017 the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It was proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13. On 14 September 2017, an updated Draft Personal Data Protection Act was published which kept the age of consent at 13 years.

An introduction to the draft law on the protection of personal data which is published together with the draft law, explains that the age of 13 was chosen due to similar age threshold provided by the Polish Civil Code (article 15) which states that a person who has reached the age of 13 has limited legal capacity and can therefore conclude ‘minor contracts of daily life'. In this context, the document explains that it is also justified to accept the age of 13 for the effective expression of consent by the child for the processing of personal data relating to him or her as there is no reason to assume that a person who can manage his or her earnings and conclude minor contracts is not entitled to consent to the processing of his or her personal data in accordance with the provisions of the GDPR also bearing in mind that consent may be withdrawn at any time.

Spain

Previously, in its publication "The GDPR in 12 questions" the Spanish Data Protection Agency explained that the age to obtain valid consent from children in Spain was 14 years and would continue to be the same when the GDPR would come into force.

However, in June 2017, the Draft Law for the Protection of Personal Data was published by the Spanish Ministry of Justice and was passed by the Council of Ministers in November 2017. Article 7 of the Draft Law refers to the consent of minors and sets the age of digital consent for children at 13 years. The document evaluating the impact of the proposed draft law (pages 47-49) explains, in section G, that the Draft Law has a positive impact on childhood since it provides for greater possibilities for development and participation in society for young people. Moreover, it is stated that restrictions on the access to the Internet and its services could lower children's possibilities of development and obtaining capacities and skills needed to face the challenges of digital life. References to the child's right to be heard, the promotion of children's maturity and autonomy, practical difficulties concerning age verification, especially bearing in mind the need for location tracking of children in those instances, are also made in the document.

Sweden

On 12 May 2017 Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.

The Netherlands

The proposal for a Dutch GDPR Implementation Act that seeks to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document stated that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act. The Dutch Data Protection Authority has confirmed afterwards that in all probability there would be no derogation from the age of 16 in the Netherlands.

A new proposal for a law laying down the rules implementing the GDPR was published on 13 December 2017. Article 5 of this proposal clarifies that if article 8 GDPR is not applicable, the age of consent for children is 16 years. The Explanatory Memorandum accompanying the proposal again states that the age of 16 was already introduced in the Dutch Personal Data Protection Act () and there is no reason to make a different assessment. For this reason, no lower age limit is included in the Implementation Act, and, moreover, article 5 now clarifies that the age threshold of 16 also applies in circumstances where article 8 is not applicable.

United Kingdom

On 7 August 2017 the Department for Digital, Culture Media & Sport published its statement of intent on a new Data Protection Bill. The document addresses the issue of the age of consent specifically, stating that the planned legislation will allow a child aged 13 years or older to consent to their personal data being processed. In September 2017, the UK Data Protection Bill was published and officially set the age of consent for children at 13 years (article 8). Since then, the UK Information Commissioner's Office published draft Guidance on Children and the GDPR. The Bill was also discussed by the House of Lords. They have proposed to impose an obligation on the ICO to prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children. During subsequent discussions in the House of Commons, this amendment was supported as well.

***

This preliminary mapping has been drafted in the context of the project "A children's rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth" (Ghent University, Special Research Fund). This project will monitor the implementation of the GDPR in relation to children(‘s rights) from 2017 until 2021.

If you have any information about the implementation of Article 8 in your Member State, please send it to gdpr-roundtable@eun.org or
e.lievens@ugent.be
The authors wish to express their sincere thanks to everyone who has provided them with information so far.

This is the updated version of the article first published on 19 June 2017 which was further updated on 10 July 2017, 16 August 2017, 12 October 2017, 8 February 2018 and 16 April 2018. 

1 Please note that other legitimation grounds can also be used by data controllers (article 6 GDPR). For more information, see the Report on the Roundtable on the GDPR and children's rights


Related news

Children and the GDPR

There has been a great deal of discussion recently about the EU General Data Protection Regulation (GDPR) and particularly around the impact on children and young people. The Information Commissioner's Office in the UK has recently launched a consultation document which provides more detailed guidance for (UK) organisations who are processing personal data under the GDPR.

Insafe network meets to discuss effective campaigning and the GDPR

Today, the Insafe network of Safer Internet Centres (SICs) begins a two-day training meeting in Berlin, Germany. The meeting aims to facilitate experience and good-practice sharing across the network on a range of topical eSafety issues, while continuing to enhance the collaborative learning community that has developed within Insafe. Open Space Technology will be used during the meeting as a method of encouraging interaction and debate.

Latest BIK bulletin - Positive online content, GDPR and post-summer roundup

In each edition of the BIK bulletin, we look at a topical issue - our main focus this month is on positive online content as we introduce our new campaign and reflect on the importance of being aware of what constitutes positive content for a wide range of stakeholders.

Roundtable on the GDPR and children's rights

From May 2018, the General Data Protection Regulation (GDPR) will take effect in EU Member States. The GDPR aims to strengthen, simplify and harmonise data protection regimes across Europe, giving individuals control over how their data are processed. It explicitly acknowledges that children merit specific protection.