GDPR Article 8 deals with the legally sensitive topic of a child’s consent in relation to an organisation’s data processing operations. Consent itself is addressed at length in Article 7.
The difference in wording between the UK and EU versions of the law largely revolves around how old a person has to be before consent from the holder of parental responsibility is required.
EU GDPR: Conditions Applicable to Child’s Consent in Relation to Information Society Services
- Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
- The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
- Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
UK GDPR: Conditions Applicable to Child’s Consent in Relation to Information Society Services
- Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 13 years old. Where the child is below the age of 13 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
- The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
- Paragraph 1 shall not affect the general contract law as it operates in domestic law such as the rules on the validity, formation or effect of a contract in relation to a child.
- In paragraph 1, the reference to information society services does not include preventive or counselling services.
To form a legal basis for processing PII, organisations should:
For every point mentioned above, organisations should be able to offer documented confirmation.
Organisations also need to account in their data classification scheme for any ‘special categories’ of PII that relate to their organisation (see ISO 27701 Clause 7.2.8). Classifications may vary from region to region.
If organisations experience any changes to their underlying reasons for processing PII, this should be immediately reflected in their documented legal basis.
Organisations should be able to document the reasons for seeking consent, and how it’s to be acquired.
PII stipulations vary from region to region, so organisations need to be continually mindful of any local and/or national laws and regulations that may govern how they obtain consent, along with any special conditions attached to certain data types (e.g. children).
GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
---|---|---|
EU GDPR Article 8 (1) | ISO 27701 7.2.2 | ISO 27701 7.2.8 |
EU GDPR Article 8 (2) | ISO 27701 7.2.3 | None |
Our ‘Adopt, Adapt, Add’ implementation approach makes demonstrating GDPR compliance easier with ISMS.online. A wide variety of powerful features will also be available to you that will help you save time.
By using our intuitive platform, you can map your work across multiple standards and frameworks in a short amount of time.
In case you are unable to achieve your GDPR goals due to a lack of confidence, ability or drive, our in-house experts will be available to assist you or we will recommend a trusted partner to assist you.
Find out more by booking a demo.