The GDPR and children
- Author: Niklas Drexler
- Last updated: 03.07.2023
- Category: Data Security
The EU General Data Protection Regulation considers the personal data of children and young people to be particularly vulnerable because, according to the legislator, children are less aware of the risks and their rights than adults.
The primary legal basis for the protection of children's data is Article 8 of the GDPR, which Recital 38 aims to make easier to understand.
Not everything about data protection and children is obvious at first glance. Data protection for children, which is explicitly regulated, is one of the most important changes in the GDPR and brings changes for companies that target their offers to children in particular. Among other things, parental consent will now be required in many cases.
Art. 8 GDPR explains in paragraph 1 which compliance rules apply to personal data in the context of children. There are two basic cases to consider:
1. the child has reached the age of 16 - the processing of personal data is lawful.
2. the child has not reached the age of 16 - the lawfulness of the processing of the child's personal data depends on the consent of the parents on behalf of or with the consent of the child.
In this context, paragraph 2 requires the responsible party to make reasonable technical efforts to obtain consent.
The regulation also contains an opt-out clause allowing EU member states to lower the age limit from 16 to a minimum of 13. Germany has not made use of this, but other countries such as Austria have. For companies offering services across the EU, these differences are significant.
Day-care centres, schools and clubs are also subject to data protection requirements.
If the day care centre, the school or the club is collecting personal data, the institution has to
- provide information about the initial collection of data and subsequent access to data from other sources.
- If necessary, ask parents to consent.
Certain basic information - such as the child's name, address, tetanus vaccination status, family doctor's address, and certain medical conditions of the child - may be collected without consent if it is necessary for the child's care, education, or the operation of a football club. However, written parental consent is required for anything beyond this basic information.
Data protection should not only protect personal data, but also the personal rights of children and young people. Here, the issue of "photos" comes up again and again. Photos are personal data and are protected by other laws, such as the law on copyright in works of art. Anyone who publishes photos of other children (e.g. on Instagram, Facebook, the bulletin board at kindergarten, etc.) needs to be particularly careful and familiar with the scope of "Children and the GDPR".
Photographing children and sharing such photos requires parental consent. Individuals should also take care when taking pictures of other people's kids (watch out for the backgrounds of the pictures) if they are going to post them on social networking sites. Consent must be given in writing - by all legal guardians - and can be revoked at any time. As you can see, this is a sensitive issue!