A question we are frequently asked is whether there is a difference in the way we need to handle the personal data of children compared with the personal data of adults under the GDPR.
The answer is yes, in some respects. The GDPR considers that children merit specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. If your business or organisation processes children’s personal data you will need to review your practices and procedures and be aware that the GDPR contains new provisions to enhance the protection of children’s personal data in the following key areas:
Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear and plain way that a child will understand.
If you offer targeted online paid services to children you will need to obtain consent from a parent or guardian to process the child’s data. You will need to ensure you make reasonable efforts to verify that consent is given or authorised by the parent or guardian of that child.
The GDPR states that parental consent for access to paid online services is required for children aged under 16; however, the GDPR does permit Member States to provide for a lower age in national law. The UK, in the Data Protection Bill, has proposed lowering the consent age to 13 (meaning a child who is 13 or over would be deemed capable of providing consent on their own behalf). This is currently the subject of some debate and we may see it increased. What we do know is that it won’t be above 16.
Another point to note is that if you are relying upon legitimate interests as your legal basis for processing children’s personal data, be aware that the interests of children are given greater weight. You will need to give this careful consideration when determining whether their interests override your organisation’s legitimate interests in processing their personal data, and document those considerations.
Codes of conduct
The GDPR provides for a code of conduct to be prepared on the information provided to, and the protection of, children (including mechanisms for obtaining parental consent). Adherence to any such code of conduct would be a necessary element for your organisation to demonstrate its compliance with the GDPR, so watch this space.
Geldards are delighted to announce that, to help organisations comply with the GDPR, we will shortly be launching our online GDPR e-learning solution. A cost-effective and easy-access learning option, the course complements the expert legal advice we provide, with a training resource specifically designed to deliver an understanding of and insight into GDPR for your entire workforce.