1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
Article 8 of the GDPR aims to protect children’s data and ensure that any processing of such data is lawful, fair and transparent.
The processing of personal data concerning children needs careful consideration as they need more awareness of the potential risks of sharing their data, especially when targeting children for advertising purposes or allowing them to create user profiles on a platform.
A child is someone under 16 years in the context of giving consent to processing their personal data. A child can give consent above this age.
The holder of the parental responsibility must authorise the consent of a child below this age limit.
The GDPR allows member states to lower this age limit to 13 years, but it cannot be set higher than 16 years. Some countries have chosen to set lower age limits than 16.
Article 8 of the GDPR applies to companies offering online services targeting children, which includes social media, gaming, educational platforms and websites.
Companies need to take extra precautions to verify the child’s age and obtain valid consent from the holder of parental responsibility if the child is below the age of 16.
Additionally, companies must provide information appropriate to the child’s age to comply with article 13. Furthermore, it must provide easy ways for the holder of parental responsibility to withdraw consent.
It is not required to ask for the parent’s consent in the case of preventive or advisory services offered directly to a child. These services target children in need of help, and the parent’s consent is not necessary.
Educational institutions do not need consent from parents to process children’s data as long as the school is processing data to perform its duties.
Educational institutions, e.g. public schools, are processing children’s data as official authorities, and their legal premise would therefore not be consent, but article 6(1)(e).
The school will need to ask for consent if they want to use the child’s data for advertising purposes, e.g. sharing its picture on the school’s website.
Learn the basics of GDPR in the course 1-Hour GDPR Introduction: The Basic Facts for Employees.