Index
Home > Article 8. Conditions applicable to child's consent in relation to information society services
Download PDF

Article 8 GDPR. Conditions applicable to child's consent in relation to information society services

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Guidelines & Case Law Related

Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Expert commentary
Guidelines & Case Law

3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

ISO 27701
Expert commentary ISO 27701 Recitals Guidelines & Case Law Leave a comment
Expert commentary

Children enjoy special protection under the General Data Protection Regulation as they are considered vulnerable (Guidelines on Consent). They did not indeed achieve physical and psychological maturity yet (Opinion 2/2009 on the Protection of Children’s Personal Data), so they may be less aware than adults of the risks and consequences of sharing their personal information when registering for online services or using connected platforms (recital 38).

[…]


to read the full text

Author
Louis-Philippe Gratton
Louis-Philippe Gratton PhD, LLM
Privacy Expert
ISO 27701
Recitals

(38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

Guidelines & Case Law Leave a comment