Children and the GDPR
Children and the GDPR

The following Information Law guidance note provides comprehensive and up to date legal information covering:

  • Children and the GDPR
  • Key guidance
  • General obligations under the GDPR
  • Key concepts and definitions for the processing of children’s personal data
  • The general approach to processing children’s data
  • Data protection by design and by default
  • Data protection impact assessments
  • Lawful basis for processing children’s data
  • Special categories of personal data
  • Information society services (ISS)
  • more

This Practice Note considers how the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) as it applies in the UK should be complied with in regard to children’s personal data. The GDPR regime expressly recognises that the processing of children’s personal data requires specific protection and provides enhanced protection for children’s personal data. This Practice Note is also relevant to organisations which aren’t actively seeking to process children’s personal data (eg designing a product aimed at adults) since they will need to consider whether they may inadvertently end up processing childrens’ personal data (eg if a child accesses that service).

Anyone wishing to process children’s personal data in the UK or EEA must comply with the GDPR regime as it applies under applicable national laws and derogations. For further background on the scope of the GDPR regime and its extra-territorial reach in a number of circumstances—see Practice Notes: The General Data Protection Regulation (GDPR)—Material scope and Extra-territorial reach under the GDPR.

In the UK, the Data Protection Act 2018 (DPA 2018), implements a limited number of provisions and permitted derogations into UK law in connection with the GDPR and regard should be had to the provisions of the DPA 2018 in so far as relevant to the specific arrangements. For further information and background on the DPA 2018, see Practice Note: The Data