Get Free Downloads
Start your GDPR today in just a few clicks
Get Free Downloads
Start your GDPR today in just a few clicks

GDPR And Processing Children’s Data

by Adam Brogden
in Blog

02-Sep-2019 12:16

If you process data about children you need to take extra precautions. Take a look at this information from the ICO.


Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

If you process children’s personal data then you should think about the need to protect them from the outset and design your systems and processes with this in mind. Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data.

You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child. If you are relying on consent as your lawful basis for processing, when offering an online service directly to a child, in the UK only children aged 13 or over are able to provide their own consent.

For children under this age you need to get consent from whoever holds parental responsibility for the child - unless the online service you offer is a preventive or counselling service. Children merit specific protection when you use their personal data for marketing purposes or creating personality or user profiles.

You should not usually make decisions based solely on automated processing about children if this will have a legal or similarly significant effect on them. You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.

Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.


Click here to take a look at the full article and checklists on the ICO website.

Need more help? Call us anytime.

Good luck all.