Parental consent for the processing of children's data according to GDPR

Parental consent for the processing of children's data according to GDPR

GDRP introduces a measure that protects minors. Specifically, in the case of a minor (if a child is not at least 16 years old), consent will also be required from his or her legal representative. How can such consent be verified?

Legal guardian's consent when processing personal data for minors under 16 years of age

The processing of personal data in the case of minors (up to 16 years of age) and the consent of the legal guardian are necessary if you are the operator of a web portal or a mobile application or provide any information services (sale of goods or services):

• You process personal information for online sales, send a newsletter, provide online financial or other remote services.
• You process the personal data of minors with the required consent.

In this case, you must make reasonable efforts to verify the confirmation of this consent.

Good to know

If you process the data as part of order processing, the consent of the legal representative is not necessary. Although it is an information service, processing is the subject of a purchase contract.

On the contrary, if the e-shop operator processes personal data also for the purpose of marketing (newsletter, business offer), not only for the necessary processing of the order, it is obliged to obtain such verification.

How to get such verification?

In practice, it is quite difficult to imagine how a business entity can verify the age of a user under 16, or the user in general. The GDPR states that it is necessary to make 'reasonable efforts' to obtain such consent. What can this mean in practice?

The information service operator (sales, application) will warn and declare that the provided service is not intended for users under 16 years of age. This means that a younger user should not be interested in such a service. Such a statement assumes that the user under 16 years of age has received the consent of his or her legal representative when using the service.

Violation of parental consent

It is the operator's responsibility to demonstrate that, if necessary, he has made reasonable efforts to verify that the legal guardian has consented to a visitor under 16 years of age. A breach may entail a fine imposed by the Office for Personal Data Protection of up to EUR 10 000 000 or up to 2% of the worldwide annual turnover of the company.