제8조 📖 GDPR. 정보사회 서비스와 관련하여 아동의 동의에 적용되는 조건

제8조 GDPR. 정보사회 서비스와 관련하여 아동의 동의에 적용되는 조건

1. 제6조(1)의 (a)호가 적용되는 경우, 아동에게 직접 이루어지는 정보사회서비스 제공과 관련하여 아동의 개인정보의 처리는 해당 아동이 최소 16세 이상인 경우에 적법하다. 아동이 16세 미만인 경우, 그 같은 처리는 해당 아동의 친권을 보유한 자가 동의를 제공하거나 승인한 경우에만 적법하다.

지침 및 사례 법률 관련 교과서

지침 및 사례 법률

(EN)

Documents

Article 29 Working Party, Guidelines on Consent under Regulation 2016/679 (2018).

The inclusion of the wording ‘offered directly to a child’ indicates that Article 8 is intended to apply to some, not all information society services. In this respect, if an information society service provider makes it clear to potential users that it is only offering its service to persons aged 18 or over, and this is not undermined by other evidence (such as the content of the site or marketing plans) then the service will not be considered to be ‘offered directly to a child’ and Article 8 will not apply.

Article 29 Working Party, Guidelines on transparency under Regulation 2016/679 (2018).

Where a data controller is targeting children[16] or is, or should be, aware that their goods/services are particularly utilised by children (including where the controller is relying on the consent of the child)[17], it should ensure that the vocabulary, tone and style of the language used is appropriate to and resonates with children so that the child addressee of the information recognises that the message/ information is being directed at them.[18] A useful example of child-centred language used as an alternative to the original legal language can be found in the “UN Convention on the Rights of the Child in Child Friendly Language”.[19]

관련 교과서

제6조 GDPR. 처리의 적법성

1. 개인정보 처리는 적어도 다음 각 호의 하나에 해당되고 그 범위에서만 적법하다.

(a) 정보주체가 하나 이상의 특정 목적에 대해 본인의 개인정보 처리를 동의한 경우

[…]

회원국은 상기의 목적에 대한 아동의 연령을 법률로서 낮추어 규정할 수 있으나, 해당 연령이 13세 미만이 되어서는 안 된다.

2. 그 같은 경우 컨트롤러는 가용한 기술을 고려하여 해당 아동의 친권을 보유한 자가 동의를 제공하거나 승인하였는지를 입증하기 위한 합당한 노력을 기울여야 한다.

전문가 해설 지침 및 사례 법률

전문가 해설

(EN) Example. An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The controller follows these steps:

Step 1: ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent)If the user states that they are under the age of digital consent:

Step 2: service informs the child that a parent or guardian needs to consent or authorise the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian.

Step 3: service contacts the parent or guardian and obtains their consent via email for processing and take reasonable steps to confirm that the adult has parental responsibility.

Step 4: in case of complaints, the platform takes additional steps to verify the age of the subscriber. If the platform has met the other consent requirements, the platform can comply with the additional criteria of Article 8 GDPR by following these steps.

Source: EDPB, Guidelines on Consent under Regulation 2016/679, WP259 rev.01 (2018)

지침 및 사례 법률

(EN) Article 29 Working Party, Guidelines on Consent under Regulation 2016/679, WP259 rev.01 (2018):

What is reasonable, both in terms of verifying that a user is old enough to provide their own consent, and in terms of verifying that a person providing consent on behalf of a child is a holder of parental responsibility, may depend upon the risks inherent in the processing as well as the available technology. In low-risk cases, verification of parental responsibility via email may be sufficient. Conversely, in high-risk cases, it may be appropriate to ask for more proof, so that the controller is able to verify and retain the information pursuant to Article 7(1) GDPR. Trusted third party verification services may offer solutions which minimise the amount of personal data the controller has to process itself.

3. 제1항은 아동과 관련한 계약의 유효성, 형식 또는 효력에 대한 규정 등 회원국의 일반 계약 법률에 영향을 미칠 수 없다.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 8(3) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

The legal basis for the processing of PII can include:

…

로그인
전체 텍스트에 액세스하려면

유럽연합 일반 데이터 보호 규칙(EU GDPR)

Source: http://www.pipc.go.kr/cmt/not/ntc/selectBoardArticle.do?nttId=5969&bbsId=BBSMSTR_000000000121&bbsTyCode=BBST03&bbsAttrbCode=BBSA03&authFlag=Y&pageIndex=6

전문가 해설 ISO 27701 전문 (Recitals) 지침 및 사례 법률 코멘트를 남겨주세요

전문가 해설

(EN) Children enjoy special protection under the General Data Protection Regulation as they are considered vulnerable (Guidelines on Consent). They did not indeed achieve physical and psychological maturity yet (Opinion 2/2009 on the Protection of Children’s Personal Data), so they may be less aware than adults of the risks and consequences of sharing their personal information when registering for online services or using connected platforms (recital 38).

…

로그인
전체 텍스트에 액세스하려면

(EN) Author

(EN) Louis-Philippe Gratton PhD, LLM

(EN) Privacy Expert

(EN) Ask a question

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to articles 8(1) and 8(2) GDPR:

7.2.3 Determine when and how consent is to be obtained

Control

The organization should determine and document a process by which it can demonstrate if, when and how consent for the processing of PII was obtained from PII principals.

Implementation guidance

Consent can be required for processing of PII unless other lawful grounds apply. The organization should clearly document when consent needs to be obtained and the requirements for obtaining consent.

…

로그인
전체 텍스트에 액세스하려면

전문 (Recitals)

(38) 아동은 개인정보 처리에 따른 위험성, 결과, 이에 필요한 안전장치 및 본인의 권리를 잘 인지하지 못하고 있기 때문에 본인의 개인정보와 관련하여 구체적인 보호를 받아야 한다. 특정한 보호는 특히 마케팅 또는 사용자 프로필이나 가성인격 생성의 목적으로 아동의 개인정보를 사용하는 경우와 아동에게 직접 제공되는 서비스의 이용 시 아동과 관련한 개인정보를 수집하는 경우에 적용되어야 한다. 아동에게 직접 제공되는 예방 서비스 또는 카운슬링의 경우에는 친권 보유자의 동의가 필수적이지 않다.

지침 및 사례 법률

(EN)

Documents

Article 29 Working Party, Opinion 2/2009 on the Protection of Children’s Personal Data (General Guidelines and the Special Case of Schools) (2009).

EDPB, Guidelines 5/2020 on Consent under Regulation 2016/679 (2020).

ICO, Age Appropriate Design: A Code of Practice for Online Services (2020).

Case Law

CJEU, Data Protection Commissioner/Facebook Ireland Ltd and Schrems, C-311/18 (2020).

코멘트를 남겨주세요

[js-disqus]