Rina Steenkamp - Privacy and technology

My annotated General Data Protection Regulation

Chapter II Principles

Article 8 Processing of personal data of a child

October 2013

Article 8(1)

1. For the purposes of this Regulation, in relation to the offering of goods or services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or legal guardian. The controller shall make reasonable efforts to verify such consent, taking into consideration available technology without causing otherwise unnecessary processing of personal data.

Article 8(1a)

1a. Information provided to children, parents and legal guardians in order to express consent, including about the controller’s collection and use of personal data, should be given in a clear language appropriate to the intended audience.

Article 8(2)

2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 8(3)

3. The European Data Protection Board shall be entrusted with the task of issuing guidelines, recommendations and best practices for the methods of verifying consent referred to in paragraph 1, in accordance with Article 66.

Article 8(4)

4. (deleted)

[Source: October 2013]

Recital 29

(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. Where data processing is based on the data subject’s consent in relation to the offering of goods or services directly to a child, consent should be given or authorised by the child’s parent or legal guardian in cases where the child is below the age of 13. Age-appropriate language should be used where the intended audience is children. Other grounds of lawful processing such as grounds of public interest should remain applicable, such as for processing in the context of preventive or counselling services offered directly to a child.

[Source: October 2013 | Notes: Recitals | Context: Recitals]

January 2012

Explanatory memorandum

3.4. Detailed explanation of the proposal

Article 8 sets out further conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them.

[Source: January 2012 | Context: Proposal from the European Commission]

Article 8(1) [Amended: October 2013]

1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.

Article 8(2)

2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 8(3) [Amended: October 2013]

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

Article 8(4) [Amended: October 2013]

4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

[Source: January 2012 | Context: Proposal from the European Commission]

Recital 29 [Amended: October 2013]

(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child.

[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]