¾«Æ·¹ú²ú×ÔÏßÎçÒ¹¸£Àû

Throughout the text of the GDPR the personal data rights of children are consistently referred. As the GDPR itself states, “children merit specific protection” therefore:

• any information and communication addressed to a child, should be in such a clear and plain language that the child can easily understand (Recital 58 GDPR); and

• specific protection should apply, in particular, to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child (Recital 38 GDPR).

The reasoning for this specific protection is clear, ‘[children] may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data’ (Recital 38 GDPR).

Does the firm offer any legal services to children?

It is important for the firm to identify if it provides any legal services directly to children. This could occur, for example, when the firm has a practice in the areas of family law, wards of court, entertainment law, etc.

What is a child?

The Data Protection Act 2018 states that where the GDPR refers to “child”, this shall be taken to be a reference to a person under 18 years of age (s.29 of the DPA 2018).

However, where a digital service is being offered to a child on the legal basis of consent to process the child’s personal data, parental consent must be obtained where the child is below the ‘age of digital consent’, which can vary in different Member States. In Ireland, the age of digital consent has been specified as 16.

Is a specific privacy notice directed at children required?

If the firm offer any services directly to persons under the age of 18, privacy notices should be drafted to cater for children. Even where the firm does not offer services directly to children, where the personal data of children is processed by the firm, it may be appropriate to communicate to the children about how their data is processed. As mentioned above ‘any information and communication addressed to a child, should be in such a clear and plain language that the child can easily understand’.

Does the firm review how it protects the personal data of children?

Where the personal data of children is processed by the firm, the firm should be continuously considering items such as data protection by design to ensure that only necessary data is collected. The lawful basis for processing analysis (see Guidance 6 above) is critically important particularly given the increased complexities involved in processing children’s data on the basis of consent or the greater weight that may be given to the rights of the child in a ‘legitimate interests’ balancing test if the processing is based on that lawful basis.

Guidance from the Data Protection Commission on children's data

The DPC has published the final version of its guidance “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing”.

The Data Protection and Intellectual Property Law Committee has produced a summary of the DPC’s guidance ‘GDPR & Children’s Data: What Lawyers Need to Know'. 

Children's data checklist

• Identify if your firm offers any services to children

• If required, have you drafted privacy notices directed at children?

• If offering any online services to children and relying on consent as the lawful basis for processing, have you a process to verify that the children are of sufficient age to be able to consent to the processing. If under the age of competence, have you a process for securing parent/guardian consent?

• Do you regularly review how you protect children’s personal data?

Return to GDPR Guidance and templates >