Children and the GDPR
Children and the GDPR

The following Practice Compliance guidance note provides comprehensive and up to date legal information covering:

  • Children and the GDPR
  • Key guidance
  • General obligations under the GDPR
  • Key concepts and definitions for the processing of children’s personal data
  • The general approach to processing children’s data
  • Data protection by design and by default
  • Data protection impact assessments
  • Lawful basis for processing children’s data
  • Special categories of personal data
  • Information society services (ISS)
  • more

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

This Practice Note considers how the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) as it applies in the UK should be complied with in regard to children’s personal data. The GDPR regime expressly recognises that the processing of children’s personal data requires specific protection and provides enhanced protection for children’s personal data. This Practice Note is also relevant to organisations which aren’t actively seeking to process children’s personal data (eg designing a product aimed at adults) since they will need to consider whether they may inadvertently end up processing childrens’ personal data (eg if a child accesses that service).

Anyone wishing to process children’s