General Data Protection Regulations: December


18th December 2017
Derby Office Icon

A question we are frequently asked is, is there a difference in the way we need to handle personal data of children compared with the personal data of adults under the GDPR?

The answer is yes, in some respects. The GDPR considers that children merit specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. If your business or organisation processes children’s personal data you will need to review your practices and procedures and be aware that the GDPR contains new provisions to enhance the protection of children’s personal data in the following key areas:

Privacy notices

Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear and plain way that a child will understand.

Online services

If you offer targeted online paid services to children you will need to obtain consent from a parent or guardian to process the child’s data. You will need to ensure you make reasonable efforts to verify that consent is given or authorised by the parent of guardian of that child.

The GDPR states that parental consent for access to paid online services is required for children aged under 16, however the GDPR does permit Member States to provide for a lower age in national law. The UK, in the Data Protection Bill, has proposed lowering the consent age to 13 (meaning a child who is 13 or over would be deemed capable of providing consent on their own behalf). This is currently the subject of some debate and we may see it increased. What we do know is that it won’t be above 16.

Legitimate interests

Another point to note is that if you are relying upon legitimate interests as your legal basis for processing children’s personal data, be aware that the interests of children are given greater weight (link to month number 10 consider your legal basis for processing). You will need to give this careful consideration when determining whether their interests override your organisation’s legitimate interests in processing their personal data, and document those considerations.

Codes of conduct

The GDPR provides for a code of conduct on the information provided to and the protection of children (including mechanisms for obtaining parental consent) to be prepared. Adherence with any such code of conduct would be a necessary element for your organisation to demonstrate its compliance with the GDPR, so watch this space.

Coming Soon

Geldards are delighted to announce that to help organisations to comply with the GDPR we will shortly be launching our online GDPR e-learning solution. A cost effective and easy access learning option, the course complements the expert legal advice we provide, with a training resource specifically designed to deliver an understanding and insight into GDPR for your entire workforce.




Geldards successfully advises on BioCity Group acquisition
Geldards is proud to have successfully advised on a landmark deal for the city.


Employment Cardiff Webinar Series - The Post Covid-19 Workplace
Geldards Cardiff Employment Team invite you to a series of events looking at the key considerations for the post Covid-19 workplace:


Transforming the lives of children and young people with special educational needs and disabilities
Parents of children with a disability often face significant uncertainty and struggle when seeking to secure an appropriate education and care package for their child. Each educational milestone and life stage can present fresh challenges.


Salus – Wealth and Family Protection
Salus Magazine is brought to you by the Private Client team at Geldards to help you protect your wealth and family.


Lowri Phillips


Partner, Cardiff

+44 (0)29 2039 1758