Children’s Data

You are here:
< Back

An individual under the age of 16 is considered to be a child under the EU data protection laws, although individual member states are allowed to set this at a different age, for example the UK state that an individual of 13 or over is able to make their own decisions about their data.

Children require more vigilance in the use of their data because they are likely to be less aware of the risks involved.  You should therefore think about the need to protect them from the outset, and design your systems and processes with this in mind.

Compliance with all of the data protection principles is important but transparency and fairness stand out for particular attention.  A child must be made aware of the personal data you are processing and the impacts of its use.  A very clear privacy notice is essential, written in a manner that a child can understand.

Consent may also prove a challenge, specifically when offering an online service directly to a child, in the UK only children aged 13 or over are able to provide their own consent, but below this age you need to get consent from whoever holds parental responsibility for the child (unless the online service you offer is a preventive or counselling service).

Children must have specific protection when you use their personal data for marketing purposes or creating personality or user profiles.  Equally you should not usually make decisions based solely on automated processing about children if this will have a legal or similarly significant effect on them. A data protection impact assessment (DPIA) will help you to understand the risks to the child and reduce the risks.

Previous Certifications
Next Codes of Conduct
Table of Contents