Processing data of children and young people in light of the new GDPR

The processing of data of children and young people under the New Regulation 2016/679 of April 27 (General Data Protection Regulation) deserves some considerations expressed in this text by Mariana Marques Leitão.


The recitals to the regulation in question contain references to the protection afforded to minors in relation to their personal data, which are now reinforced. Accordingly, recital 38 states that ‘children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child’. Next, recital 75 states that The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing (…) where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects’.

It is noteworthy that the GRDP expressly reinforces the protection of children’s personal data, establishing a more stringent legal regime for processing operations that deal with their personal data, giving prominence to the environment surrounding the Internet.


Let us look at the evidence:

With regard to the direct provision of information society services to children (definition in Article 1, no. 1, paragraph b) of Directive 2015/1535 of the European Parliament and of the Council by reference to Article 4, paragraph 25) of the GDPR), if the child is under 16 years of age, the processing of data is only allowed if and to the extent that consent is given or is authorized by the holder of parental responsibility over the child, although Member States are free to legislate a lower age for the purposes referred to, provided that the age is not less than 13 years. (see no. 1 of Article 8 of the GRPD).

No. 2 of Article 8 of the GDPR determines that the controller shall “make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology”. It will be for the controller to determine what measures are appropriate in each particular case of the processing task and they should not involve excessive collection of personal data. Assessing the age of the minor must be done by the data collector, since if a child gives his consent and he is not old enough to provide valid consent, this will render the data processing unlawful.


Clear and transparent posture

We further emphasize that, pursuant to no. 1 of Article 12 of the GDPR, the controller is obliged to take appropriate measures to provide the holder with information on the processing, in a “concise, transparent, intelligible and easily accessible, using clear and simple language, especially when the information is directed specifically to children.”

The “new” codes of conduct provided for in Article 40 of the GDPR are also required to specify ‘the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained’. In addition, one of the tasks of the supervisory authority is precisely the promotion of public awareness and understanding of the risks, rules, guarantees and rights associated with data processing, especially in activities specifically targeted at children (see no.1, paragraph b) of Article 57 of the GDPR).

In practical terms, and although they emanated from a regulatory framework in which the GDPR was not yet in force, it is possible to take into account some guidelines already produced by the National Data Protection Commission (NDPC).


Information security in schools

Accordingly, the NDPC, through Deliberation No. 1495/2016 of September 6, 2016, considered that “education and education establishments should develop an internal policy on the conditions required for the provision of personal data in their respective Internet websites, with particular emphasis on reserved areas, as well as segregation of information according to its purpose’. Furthermore, it was understood that “schools should develop a robust information security policy in accordance with the requirements of Articles 14 and 15 of the LPDP, including: strong authentication mechanisms; user management and the allocation of access profiles, in line with the principle of the need to know and periodically renewal of the school community; configuration of platforms in accordance with the same principle; the confidentiality of data transmissions and the registration of accesses (logs)’.


Image collection

On the other hand, any consent obtained by the parents or the minors themselves for the collection of images must, according to the NDPC, be recorded in the individual file of the student, which indicates the concern with the records. Finally, in the deliberation itself, it is emphasized that “educational establishments, by example, should make the whole school community aware of the need to protect personal data and respect the privacy of everyone, in particular children”.

In view of the above-mentioned deliberation, we understand that the National Data Protection Commission itself has defended an increasingly restrictive and protective understanding, which is in line with the notorious national legislative effort to strengthen the protection afforded to entities that may be most unprotected (i.e., minors). We believe that the real strengthening of this protection will only occur with the change of mentalities that are based on a single concern, the superior and real interest of children and young people, and that recognizes the new principles underlying the protection of personal data.

More in Communication