Άρθρο 8 📖 GDPR. Προϋποθέσεις που ισχύουν για τη συγκατάθεση παιδιού σε σχέση με τις υπηρεσίες της κοινωνίας των πληροφοριών

Άρθρο 8 GDPR. Προϋποθέσεις που ισχύουν για τη συγκατάθεση παιδιού σε σχέση με τις υπηρεσίες της κοινωνίας των πληροφοριών

Article 8 GDPR. Conditions applicable to child's consent in relation to information society services

1. Όταν εφαρμόζεται το άρθρο 6 παράγραφος 1 στοιχείο α), σε σχέση με την προσφορά υπηρεσιών της κοινωνίας των πληροφοριών απευθείας σε παιδί, η επεξεργασία δεδομένων προσωπικού χαρακτήρα παιδιού είναι σύννομη εάν το παιδί είναι τουλάχιστον 16 χρονών. Εάν το παιδί είναι ηλικίας κάτω των 16 ετών, η επεξεργασία αυτή είναι σύννομη μόνο εάν και στον βαθμό που η εν λόγω συγκατάθεση παρέχεται ή εγκρίνεται από το πρόσωπο που έχει τη γονική μέριμνα του παιδιού.

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Οδηγίες & Νομολογία Σχετικά Άρθρα

Οδηγίες & Νομολογία

(EN)

Documents

Article 29 Working Party, Guidelines on Consent under Regulation 2016/679 (2018).

The inclusion of the wording ‘offered directly to a child’ indicates that Article 8 is intended to apply to some, not all information society services. In this respect, if an information society service provider makes it clear to potential users that it is only offering its service to persons aged 18 or over, and this is not undermined by other evidence (such as the content of the site or marketing plans) then the service will not be considered to be ‘offered directly to a child’ and Article 8 will not apply.

Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (2018).

Where a data controller is targeting children[16] or is, or should be, aware that their goods/services are particularly utilised by children (including where the controller is relying on the consent of the child)[17], it should ensure that the vocabulary, tone and style of the language used is appropriate to and resonates with children so that the child addressee of the information recognises that the message/ information is being directed at them.[18] A useful example of child-centred language used as an alternative to the original legal language can be found in the “UN Convention on the Rights of the Child in Child Friendly Language”.[19]

Σχετικά Άρθρα

Άρθρο 6 GDPR. Νομιμότητα της επεξεργασίας

Article 6 GDPR. Lawfulness of processing

1. Η επεξεργασία είναι σύννομη μόνο εάν και εφόσον ισχύει τουλάχιστον μία από τις ακόλουθες προϋποθέσεις:

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

α) το υποκείμενο των δεδομένων έχει συναινέσει στην επεξεργασία των δεδομένων προσωπικού χαρακτήρα του για έναν ή περισσότερους συγκεκριμένους σκοπούς,

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

[…]

Guidelines on consent under Regulation 2016/679

Information society service

129. While assessing the scope of this definition, the EDPB also refers to case law of the ECJ.[62] The ECJ held that information society services cover contracts and other services that are concluded or transmitted on-line. Where a service has two economically independent components, one being the online component, such as the offer and the acceptance of an offer in the context of the conclusion of a contract or the information relating to products or services, including marketing activities, this component is defined as an information society service, the other component being the physical delivery or distribution of goods is not covered by the notion of an information society service. The online delivery of a service would fall within the scope of the term information society service in Article 8 GDPR.

_{[62] See European Court of Justice, 2 December 2010 Case C-108/09, (Ker-Optika), paragraphs 22 and 28. In relation to ‘composite services’, the EDPB also refers to Case C-434/15 (Asociacion Profesional Elite Taxi v Uber Systems Spain SL), para 40, which states that an information society service forming an integral part of an overall service whose main component is not an information society service (in this case a transport service), must not be qualified as ‘an information society service’.}

Offered directly to a child

130. The inclusion of the wording ‘offered directly to a child’ indicates that Article 8 is intended to apply to some, not all information society services. In this respect, if an information society service provider makes it clear to potential users that it is only offering its service to persons aged 18 or over, and this is not undermined by other evidence (such as the content of the site or marketing plans) then the service will not be considered to be ‘offered directly to a child’ and Article 8 will not apply.

Τα κράτη μέλη δύνανται να προβλέπουν διά νόμου μικρότερη ηλικία για τους εν λόγω σκοπούς, υπό την προϋπόθεση ότι η εν λόγω μικρότερη ηλικία δεν είναι κάτω από τα 13 έτη.

Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

2. Ο υπεύθυνος επεξεργασίας καταβάλλει εύλογες προσπάθειες για να επαληθεύσει στις περιπτώσεις αυτές ότι η συγκατάθεση παρέχεται ή εγκρίνεται από το πρόσωπο που έχει τη γονική μέριμνα του παιδιού, λαμβάνοντας υπόψη τη διαθέσιμη τεχνολογία.

2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Σχολιασμός ειδικών Οδηγίες & Νομολογία

Σχολιασμός ειδικών

(EN) Example. An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The controller follows these steps:

Step 1: ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent)If the user states that they are under the age of digital consent:

Step 2: service informs the child that a parent or guardian needs to consent or authorise the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian.

Step 3: service contacts the parent or guardian and obtains their consent via email for processing and take reasonable steps to confirm that the adult has parental responsibility.

Step 4: in case of complaints, the platform takes additional steps to verify the age of the subscriber. If the platform has met the other consent requirements, the platform can comply with the additional criteria of Article 8 GDPR by following these steps.

Source: EDPB, Guidelines on Consent under Regulation 2016/679, WP259 rev.01 (2018)

Οδηγίες & Νομολογία

(EN) Article 29 Working Party, Guidelines on Consent under Regulation 2016/679, WP259 rev.01 (2018):

What is reasonable, both in terms of verifying that a user is old enough to provide their own consent, and in terms of verifying that a person providing consent on behalf of a child is a holder of parental responsibility, may depend upon the risks inherent in the processing as well as the available technology. In low-risk cases, verification of parental responsibility via email may be sufficient. Conversely, in high-risk cases, it may be appropriate to ask for more proof, so that the controller is able to verify and retain the information pursuant to Article 7(1) GDPR. Trusted third party verification services may offer solutions which minimise the amount of personal data the controller has to process itself.

3. Η παράγραφος 1 δεν επηρεάζει το γενικό ενοχικό δίκαιο των κρατών μελών, όπως τους κανόνες περί ισχύος, κατάρτισης ή συνεπειών μιας σύμβασης σε σχέση με παιδί.

3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 8(3) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

The legal basis for the processing of PII can include:

…

Σύνδεση
για πρόσβαση στο πλήρες κείμενο

Γενικός Κανονισμός για την Προστασία Δεδομένων

General Data Protection Regulation (EU GDPR)

The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.

Σχολιασμός ειδικών ISO 27701 Αιτιολογικές σκέψεις Οδηγίες & Νομολογία Αφήστε ένα σχόλιο

Σχολιασμός ειδικών

(EN) Children enjoy special protection under the General Data Protection Regulation as they are considered vulnerable (Guidelines on Consent). They did not indeed achieve physical and psychological maturity yet (Opinion 2/2009 on the Protection of Children’s Personal Data), so they may be less aware than adults of the risks and consequences of sharing their personal information when registering for online services or using connected platforms (recital 38).

…

Σύνδεση
για πρόσβαση στο πλήρες κείμενο

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to articles 8(1) and 8(2) GDPR:

7.2.3 Determine when and how consent is to be obtained

Control

The organization should determine and document a process by which it can demonstrate if, when and how consent for the processing of PII was obtained from PII principals.

Implementation guidance

Consent can be required for processing of PII unless other lawful grounds apply. The organization should clearly document when consent needs to be obtained and the requirements for obtaining consent.

…

Σύνδεση
για πρόσβαση στο πλήρες κείμενο

Αιτιολογικές σκέψεις

(38) Τα παιδιά απαιτούν ειδική προστασία όσον αφορά τα δεδομένα τους προσωπικού χαρακτήρα, καθώς τα παιδιά μπορεί να έχουν μικρότερη επίγνωση των σχετικών κινδύνων, συνεπειών και εγγυήσεων και των δικαιωμάτων τους σε σχέση με την επεξεργασία δεδομένων προσωπικού χαρακτήρα. Αυτή η ειδική προστασία θα πρέπει να ισχύει ιδίως στη χρήση των δεδομένων προσωπικού χαρακτήρα με σκοπό την εμπορία ή τη δημιουργία προφίλ προσωπικότητας ή προφίλ χρήστη και τη συλλογή δεδομένων προσωπικού χαρακτήρα όσον αφορά παιδιά κατά τη χρήση υπηρεσιών που προσφέρονται άμεσα σε ένα παιδί. Η συγκατάθεση του γονέα ή κηδεμόνα δεν θα πρέπει να είναι απαραίτητη σε συνάρτηση με υπηρεσίες πρόληψης ή παροχής συμβουλών που προσφέρονται άμεσα σε ένα παιδί.

(38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

Οδηγίες & Νομολογία

(EN)

Documents

Article 29 Working Party, Opinion 2/2009 on the Protection of Children’s Personal Data (General Guidelines and the Special Case of Schools) (2009).

EDPB, Guidelines 5/2020 on Consent under Regulation 2016/679 (2020).

ICO, Age Appropriate Design: A Code of Practice for Online Services (2020).

Case Law

CJEU, Data Protection Commissioner/Facebook Ireland Ltd and Schrems, C-311/18 (2020).

Αφήστε ένα σχόλιο

[js-disqus]