
Article 8 GDPR. Conditions applicable to child's consent in relation to information society services

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.


Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.


3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the paragraph relevant to Article 8(3) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.

The legal basis for the processing of PII can include:



Expert commentary

Children enjoy special protection under the General Data Protection Regulation as they are considered vulnerable (Guidelines on Consent). Indeed, they have not yet achieved physical and psychological maturity (Opinion 2/2009 on the Protection of Children’s Personal Data), so they may be less aware than adults of the risks and consequences of sharing their personal information when registering for online services or using connected platforms (recital 38).



Author
Louis-Philippe Gratton PhD, LLM
Privacy Expert
ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the paragraph relevant to Articles 8(1) and 8(2) GDPR:

7.2.3 Determine when and how consent is to be obtained

Control

The organization should determine and document a process by which it can demonstrate if, when and how consent for the processing of PII was obtained from PII principals.

Implementation guidance

Consent can be required for processing of PII unless other lawful grounds apply. The organization should clearly document when consent needs to be obtained and the requirements for obtaining consent.



Recitals

(38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
