You are currently viewing Minors and GDPR

Minors and GDPR

In a world filled with wonder and curiosity, our little friends deserve special protection when it comes to their personal data. The legislation has recognized the need for tailored measures to safeguard our children’s innocence and ensure their online safety. But before we get into it, you might want to take a look at our introductory article on personal data.

What will we see in this post?

Two children using the internet

What is the basis for special protection for minors and what ages does it include?

The 2018/1725 Regulation establishes age limits for minors deserving of extra protection. Children under 16 years old fall under this safeguard. Additionally, EU member states have the flexibility to set a younger age, as long as it remains above 13 years.

Setting the Age Limits for Special Protection:

13 YEARS OLD14 YEARS OLD15 YEARS OLD16 YEARS OLD
BelgiumAustriaCzech RepublicCroatia
DenmarkBulgariaFranceGermany
FinlandCyprusGreeceHungary
MaltaItalySloveniaIreland
LatviaLithuaniaLuxembourg
PortugalSpainNetherlands
SwedenPoland
United KingdomRomania
Slovakia

When is the processing of personal data of minors lawful?

Consent is the key. For your company/organization to provide services/products to minors, explicit consent must be obtained from the person exercising parental responsibility – the parent or guardian. Their consent serves as a safeguard for the well-being of the minor.

By understanding the nuances of consent and parental responsibility, your company can ensure a secure and enjoyable experience for minors.

Join us as we delve deeper into the world of GDPR and Privacy Policy concerning minors and discover how your company can unlock the potential while preserving the innocence of our young adventurers. To learn more about what the regulation about minor users is, check out our post about minors on the internet.

Twitter's policy on parental consent
Example from Twitter.com
  1. When a minor’s personal data is used for marketing purposes or for creating a user/visitor profile
  2. When children are directly provided services that collect their personal data

A little more practical…

For example, consent is necessary for social networking sites that give minors access to free games or family insurance, music download platforms, and online gaming marketplaces.

But let’s be careful…

When your company provides services directly to minors, leading to the collection of their personal data, consent remains essential. However, there’s a fine line – if your organization offers prevention services or advice directly to a child, consent from a parent or guardian is not required. This exemption is vital for the well-being of minors seeking assistance independently.

Of course! Within a reasonable timeframe, the controller of the personal data of each company/organization must check whether the consent has actually been given by the person with parental responsibility for the minor, even requesting information necessary to confirm their identity and consent.

The controller is the person appointed by each company/organization and has the competence to determine the purposes and means of processing. For more information, take a look at our article on Privacy Policy.

But what about minors over 16?

In this case, there is no requirement for consent from a parent/guardian. On the contrary, the minors themselves give their consent.

Specifically, through what actions is consent given?

Consent must be a clear affirmative action demonstrating agreement or acceptance to the processing of personal data. It may be given either by a written or an oral statement. Flexibility is the key to cater to everyone’s needs.

In particular, it could include filling in a field when visiting a website or a statement or behavior clearly stating, in that context, that the data subject accepts the proposal to process their personal data.

Therefore, the silence, the pre-filled boxes or the inactivity of the user/visitor do not constitute their consent!!!

At the same time, the controller is required to verify the age of the minor through screening questions or various other actions on the website. Finally, in order for the minors to fully understand what they consent to and what they do not consent to, the language used by each company must be:

  • Informational
  • Plain
  • Understandable

Conclusions

Join us on the journey of transparency and consent! We’re here to provide you with information, clear language, and respect for your rights. Our commitment is to create a secure digital space where everyone feels in control of their personal data. Together, we can create a digital world where consent is valued and privacy is protected for all users, young and old alike.

Author

Eleni-Kostakoglou
Eleni Kostakoglou
Lawyer