• Lawful basis

    As with all forms of data, you will need a lawful basis for processing the child’s data. You should consider what basis provides the best protection for the child.

    If you rely on the child’s consent as the lawful basis for processing their data there are particular rules if you are offering online services to the child. Only those children over the age of 13 in the UK are able to give their own consent. This is the age being proposed under the UK Data Protection Bill. Unless the online services provided is a preventive or counselling service, consent from someone with parental responsibility will be needed for someone under this age.  If you are targeting a wider European market you must comply with the age limits applicable in each Member State.

    The child must be able to understand what they are consenting to. It will not be informed consent if the child cannot understand and it may not be ‘freely given’ if there is a clear imbalance of power. Consideration should be given to the verification process to allow you to assess the child’s age and that the person giving consent, if they are an adult, does have parental responsibility for the child.

    If you are relying on performance of a contract as your lawful basis for processing, then you need to consider the child’s ability to agree to the contract and understand the implications of the processing and if you intend to rely on legitimate interests as your lawful basis you must balance these interests against the interests and fundamental rights and freedoms of the child. This requires you to take appropriate measures to safeguard against these risks.

    Privacy notices

    Privacy notices should be written clearly so that the child is able to understand the contents. Consideration could be given to child friendly ways of presenting the information such as using pictures or cartoon.  It is important that the information is age appropriate.

    Solely automated decision making

    Children’s personal data should not usually be used to make solely automated decisions about them if these will have a legal or similarly significant effect upon them.  The exceptions to this are limited and only apply if you have suitable measures in place to protect the interests of the child.


    When sending electronic marketing messages to children it is important that you comply with the Privacy and Electronic Communications Regulations 2003, as well as the GDPR and any sector-specific guidance on marketing. A business should not exploit any lack of understanding or vulnerability of the child.

    The right to erasure

    Children have the same rights as adults under the GDPR but the right to erasure will be particularly important when an individual gave their consent as child.

    Businesses should, therefore, consider from the outset how a child’s interests will be protected and build their processes and systems with this in mind. If you would like advice on any of the matters raised in this article, please contact Sarah Wimsett another member of the Employment team.

    This content is correct at time of publication

    Can we help?

    Take a look at our Employment & HR page for useful information, resources, guidance, details of our team and how we may be able to help you

  • Key contact:

    Get in touch

    Please fill out the below form or alternatively you can call us on 01622 690691

      By submitting an enquiry through 'get in touch' your data will only be used to contact you regarding your enquiry. Please view our privacy statement for more information