Four new guidance notes have been published this week by the Irish Data Protection Commissioner, which are aimed at parents and specifically focused on children’s data protection rights under the GDPR.
Don’t fret – there is nothing really new here. But this is another reminder of the DPC’s top prioritisation of the protection of children and the evolving role parents can play in helping to keep a child’s personal data safe (but remember: it must always be in the child’s best interest).
My child’s data protection rights – the basics
This guidance note looks at some of the issues that can arise when a parent wants to exercise data protection rights (such as the right to access or erasure) on behalf of their child.
The key takeaway here is that children are data subjects in their own right and that there is an important balance between protecting children and respecting their right to privacy, so there may be may be limits on what parents can do or ask for.
Children’s data and parental consent
This discusses the meaning of the ‘digital age of consent’ and sets out when parental consent is and isn’t needed.
It has always been the case that parental consent is only required under Article 8(1) of the GDPR where a data controller is relying on consent under Article 6(1) for its lawful basis for processing and it relates to the offering of an information society service directly to a child under the age of 16 (or the relevant age set by the Member State). However, this often leads to the misconception that consent (and parental consent) is mandatory for all processing of children’s data, which isn’t the case.
This note confirms that consent isn’t always needed for children’s data to be collected – in fact, it is just one of the six legal basis allowed by the GDPR and companies may rely on a different legal basis where appropriate. It also confirms that, just because a parent is asked to give their permission to something (e.g., by accepting terms and conditions), this does not automatically constitute reliance on consent under GDPR as a lawful basis.
What’s more, where parental consent is needed, the DPC confirms that companies only need to make “reasonable efforts” (in the circumstances) to check that consent has actually been given the parent – IDs and birth certificates, for example, are often not appropriate, proportionate (relevant to the nature and potential risks of the processing) or necessary.
Protecting my child’s data
This guidance note is aimed at helping parents understand the rights they have over their children’s data and how to exercise these rights in practice, as well as giving some useful tips on supervising and protecting children’s privacy online.
Are there any limits on my child’s data protection rights?
Here, the DPC addresses some important limits as to how and when children’s data protection rights may be exercised (e.g., not all rights are absolute and will often need to be balanced against other rights and interests), and whether by children themselves or by parents on their behalf.
All the guides are available here.
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/5dcaad168cb6230d740f6dc1/2023-06-26-15-46-15-758-6499b2c7436bdee0ca01af9f.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2024-04-23-13-59-21-031-6627beb90867261767c6aa9e.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2024-04-20-02-31-03-420-662328e76f4c71deb047b31b.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2024-04-22-17-29-47-425-66269e8bd100dba38ac09968.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2024-04-22-14-25-24-832-66267354d100dba38ac021b3.jpg)