Artikkel 8 GDPR. Tingimused, mida kohaldatakse lapse nõusolekule seoses infoühiskonna teenustega
Article 8 GDPR. Conditions applicable to child's consent in relation to information society services
1. Kui kohaldatakse artikli 6 lõike 1 punkti a seoses infoühiskonna teenuste pakkumisega otse lapsele, on lapse isikuandmete töötlemine seaduslik ainult juhul kui laps on vähemalt 16-aastane. Kui laps on noorem kui 16-aastane, on selline isikuandmete töötlemine seaduslik üksnes sellisel juhul ja sellises ulatuses, kui selleks on sellise nõusoleku või loa andnud isik, kellel on lapse suhtes vanemlik vastutus.
1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
The inclusion of the wording ‘offered directly to a child’ indicates that Article 8 is intended to apply to some, not all information society services. In this respect, if an information society service provider makes it clear to potential users that it is only offering its service to persons aged 18 or over, and this is not undermined by other evidence (such as the content of the site or marketing plans) then the service will not be considered to be ‘offered directly to a child’ and Article 8 will not apply.
Where a data controller is targeting children or is, or should be, aware that their goods/services are particularly utilised by children (including where the controller is relying on the consent of the child), it should ensure that the vocabulary, tone and style of the language used is appropriate to and resonates with children so that the child addressee of the information recognises that the message/ information is being directed at them. A useful example of child-centred language used as an alternative to the original legal language can be found in the “UN Convention on the Rights of the Child in Child Friendly Language”.
129. While assessing the scope of this definition, the EDPB also refers to case law of the ECJ. The ECJ held that information society services cover contracts and other services that are concluded or transmitted on-line. Where a service has two economically independent components, one being the online component, such as the offer and the acceptance of an offer in the context of the conclusion of a contract or the information relating to products or services, including marketing activities, this component is defined as an information society service, the other component being the physical delivery or distribution of goods is not covered by the notion of an information society service. The online delivery of a service would fall within the scope of the term information society service in Article 8 GDPR.
 See European Court of Justice, 2 December 2010 Case C-108/09, (Ker-Optika), paragraphs 22 and 28. In relation to ‘composite services’, the EDPB also refers to Case C-434/15 (Asociacion Profesional Elite Taxi v Uber Systems Spain SL), para 40, which states that an information society service forming an integral part of an overall service whose main component is not an information society service (in this case a transport service), must not be qualified as ‘an information society service’.
Offered directly to a child
130. The inclusion of the wording ‘offered directly to a child’ indicates that Article 8 is intended to apply to some, not all information society services. In this respect, if an information society service provider makes it clear to potential users that it is only offering its service to persons aged 18 or over, and this is not undermined by other evidence (such as the content of the site or marketing plans) then the service will not be considered to be ‘offered directly to a child’ and Article 8 will not apply.
Liikmesriigid võivad seadusega sätestada madalama asjaomase vanuse, tingimusel et selline madalam vanus ei ole vähem kui 13 aastat.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
2. Vastutav töötleja teeb kättesaadavat tehnoloogiat arvesse võttes mõistlikud jõupingutused selleks, et kontrollida sellistel juhtudel, et nõusoleku või loa on andnud isik, kellel on lapse suhtes vanemlik vastutus.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
What is reasonable, both in terms of verifying that a user is old enough to provide their own consent, and in terms of verifying that a person providing consent on behalf of a child is a holder of parental responsibility, may depend upon the risks inherent in the processing as well as the available technology. In low-risk cases, verification of parental responsibility via email may be sufficient. Conversely, in high-risk cases, it may be appropriate to ask for more proof, so that the controller is able to verify and retain the information pursuant to Article 7(1) GDPR. Trusted third party verification services may offer solutions which minimise the amount of personal data the controller has to process itself.
3. Lõige 1 ei mõjuta liikmesriikide üldist lepinguõigust, näiteks õigusnorme, mis käsitlevad lapsega seotud lepingu kehtivust, koostamist ja mõju.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
(38) Laste isikuandmed väärivad erilist kaitset, kuna lapsed ei pruugi olla piisavalt teadlikud asjaomastest ohtudest, tagajärgedest ja kaitsemeetmetest ning oma õigustest seoses isikuandmete töötlemisega. Niisugune eriline kaitse peaks eelkõige rakenduma laste isikuandmete kasutamisel turunduse eesmärgil või isiku või kasutajaprofiili loomiseks ja laste isikuandmete kogumisel otse lastele pakutavate teenuste kasutamise puhul. Vanemliku vastutuse kandja nõusolekut ei peaks olema vaja seoses lapsele otse pakutavate ennetavate või nõustamisteenustega.
(38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.