Does the processing of children’s data require particular protection under the GDPR?

Does the processing of children’s data require particular protection under the GDPR?

The short answer to this question is that yes it does, particularly as children are going to be less aware of the risks involved.

Lawful basis

As with all forms of data, you will need a lawful basis for processing the child’s data. You should consider what basis provides the best protection for the child.

If you rely on the child’s consent as the lawful basis for processing their data there are particular rules if you are offering online services to the child. Only those children over the age of 13 in the UK are able to give their own consent. This is the age being proposed under the UK Data Protection Bill. Unless the online services provided is a preventive or counselling service, consent from someone with parental responsibility will be needed for someone under this age.  If you are targeting a wider European market you must comply with the age limits applicable in each Member State.

The child must be able to understand what they are consenting to. It will not be informed consent if the child cannot understand and it may not be ‘freely given’ if there is a clear imbalance of power. Consideration should be given to the verification process to allow you to assess the child’s age and that the person giving consent, if they are an adult, does have parental responsibility for the child.

If you are relying on performance of a contract as your lawful basis for processing, then you need to consider the child’s ability to agree to the contract and understand the implications of the processing and if you intend to rely on legitimate interests as your lawful basis you must balance these interests against the interests and fundamental rights and freedoms of the child. This requires you to take appropriate measures to safeguard against these risks.

Privacy notices

Privacy notices should be written clearly so that the child is able to understand the contents. Consideration could be given to child friendly ways of presenting the information such as using pictures or cartoon.  It is important that the information is age appropriate.

Solely automated decision making

Children’s personal data should not usually be used to make solely automated decisions about them if these will have a legal, or similarly significant effect upon them.  The exceptions to this are limited and only apply if you have suitable measures in place to protect the interests of the child.


When sending electronic marketing messages to children it is important that you comply with the Privacy and Electronic Communications Regulations 2003, as well as the GDPR and any sector specific guidance on marketing. A business should not exploit any lack of understanding or vulnerability of the child.

The right to erasure

Children have the same rights as adults under the GDPR but the right to erasure will be particularly important when an individual gave their consent as child.

Businesses should therefore consider from the outset how a child’s interests will be protected and build their processes and systems with this in mind. If you would like advice on any of the matters raised in this article, please contact Sarah Wimsett another member of the Employment team.