The GDPR and children

  • Author: Niklas Drexler
  • Last updated: 03.07.2023
  • Category: Data Security

The EU General Data Protection Regulation considers the personal data of children and young people to be particularly vulnerable because, according to the legislator, children are less aware of the risks and their rights than adults.

The primary legal basis for the protection of children's data is Article 8 of the GDPR, which Recital 38 aims to make easier to understand.

Not everything about data protection and children is obvious at first glance. Data protection for children, which is explicitly regulated, is one of the most important changes in the GDPR and brings changes for companies that target their offers to children in particular. Among other things, parental consent will now be required in many cases.

Art. 8 GDPR explains in paragraph 1 which compliance rules apply to personal data in the context of children. There are two basic cases to consider:

1. The child has reached the age of 16: the processing of personal data is lawful.

2. The child has not reached the age of 16: the lawfulness of the processing of the child's personal data depends on the consent of the parents, given on behalf of the child or with the child's consent.

In this context, paragraph 2 requires the responsible party to make reasonable technical efforts to obtain consent.

The regulation also contains an opt-out clause allowing EU member states to lower the age limit from 16 to a minimum of 13. Germany has not made use of this, but other countries such as Austria have. For companies offering services across the EU, these differences are significant.

Day-care centres, schools and clubs are also subject to data protection requirements.

If the day-care centre, the school or the club is collecting personal data, the institution has to:

- provide information about the initial collection of data and subsequent access to data from other sources;

- if necessary, ask parents to consent.

Certain basic information - such as the child's name, address, tetanus vaccination status, family doctor's address, and certain medical conditions of the child - may be collected without consent if it is necessary for the child's care, education, or the operation of a football club. However, written parental consent is required for anything beyond this basic information.

Data protection should not only protect personal data, but also the personal rights of children and young people. Here, the issue of "photos" comes up again and again. Photos are personal data and are protected by other laws, such as the law on copyright in works of art. Anyone who publishes photos of other children (e.g. on Instagram, Facebook, the bulletin board at kindergarten, etc.) needs to be particularly careful and familiar with the scope of "Children and the GDPR".

Photographing children and sharing such photos requires parental consent. Individuals should also take care when taking pictures of other people's kids (watch out for the backgrounds of the pictures) if they are going to post them on social networking sites. Consent must be given in writing - by all legal guardians - and can be revoked at any time. As you can see, this is a sensitive issue!
