Children and the processing of their personal data receive specific attention in the GDPR.
Recital 38 states:
"Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child."
Controllers must, therefore, be aware of whether they process children's data and ensure that they have adequate safeguards and procedures in place as the following apply to or restrict their processing:
- Article 6(1)(f) - legitimate interest ground for processing - processing personal data of children represents an enhanced risk - Recital 75
- Article 8 - Conditions applicable to child's consent in relation to information society services - in particular consent can not be given by a child below the age of 16 - Introductory text paragraph 7
- Article 12 - fair processing information - Fair processing information "addressed to a child, should be in such a clear and plain language that the child can easily understand" - Recital 58
- Article 17 - right to erasure - is particularly relevant, where "the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child." - Recital 65
- Article 22 - automated decisions, including profiling are not permitted - recital 71.