How to Demonstrate Compliance With GDPR Article 8

Conditions Applicable to Child’s Consent in Relation to Information Society Services


GDPR Article 8 deals with the legally sensitive topic of a child’s consent in relation to an organisation’s data processing operations, where consent itself is addressed at length in Article 7.

The difference in wording between the UK and EU versions of the law largely revolves around the age below which consent must be given or authorised by the holder of parental responsibility.

GDPR Article 8 Legal Text

EU GDPR Version

Conditions Applicable to Child’s Consent in Relation to Information Society Services

  1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
  2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

UK GDPR Version

Conditions Applicable to Child’s Consent in Relation to Information Society Services

  1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 13 years old. Where the child is below the age of 13 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
  2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  3. Paragraph 1 shall not affect the general contract law as it operates in domestic law such as the rules on the validity, formation or effect of a contract in relation to a child.
  4. In paragraph 1, the reference to information society services does not include preventive or counselling services.


ISO 27701 Clause 7.2.2 (Identify Lawful Basis) and EU GDPR Article 8 (1)

To form a legal basis for processing PII, organisations should:

  • Seek consent from PII principals.
  • Draft a contract.
  • Comply with various other legal obligations.
  • Protect the ‘vital interests’ of the various PII principals.
  • Ensure that the tasks being performed are in the public interest.
  • Confirm that PII processing is a legitimate interest.

For every point mentioned above, organisations should be able to offer documented confirmation.

Organisations also need to consider, in their data classification scheme, any ‘special categories’ of PII that relate to their organisation (see ISO 27701 Clause 7.2.8). Classifications may vary from region to region.

If organisations experience any changes to their underlying reasons for processing PII, this should be immediately reflected in their documented legal basis.

Supporting ISO 27701 Clauses

  • ISO 27701 7.2.8

ISO 27701 Clause 7.2.3 (Determine When and How Consent Is to Be Obtained) and EU GDPR Article 8 (2)

Organisations should be able to document the reasons for seeking consent, and how it’s to be acquired.

PII stipulations vary from region to region, so organisations need to be continually mindful of any local and/or national laws and regulations that may govern how they obtain consent, along with any special conditions attached to certain data types (e.g. children).

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses
EU GDPR Article 8 (1) | ISO 27701 7.2.2 | ISO 27701 7.2.8
EU GDPR Article 8 (2) | ISO 27701 7.2.3 | None

How ISMS.online Helps

Our ‘Adopt, Adapt, Add’ implementation approach makes demonstrating GDPR compliance easier with ISMS.online. A wide variety of powerful features will also be available to you that will help you save time.

By using our intuitive platform, you can map your work across multiple standards and frameworks in a short amount of time.

In case you are unable to achieve your GDPR goals due to a lack of confidence, ability or drive, our in-house experts will be available to assist you or we will recommend a trusted partner to assist you.

Find out more by booking a demo.

It helps drive our behaviour in a positive way that works for us & our culture.

Emmie Cooney
Operations Manager, Amigo
