Consent and minors
We should now focus on two important aspects relating to the issue of consent and the position of minors from the perspective of the GDPR.
According to Article 6(1)(a) of the GDPR, the processing of personal data is considered lawful if data subjects provide their consent to this processing for one or more specific purposes. Thus, if the consent of data subjects is obtained, controllers and processors may process personal data of individuals. While different views on the notion of consent can exist, its definition can be found in Article 4(11) GDPR. It is an indication of data subjects’ wishes that is given freely and is specific, informed and unambiguous. This is a way for data subjects to signify agreement to the processing of personal data that relate to them and this can be done by a statement or by a clear affirmative action.
Article 7 of the GDPR specifies conditions for consent. If data subjects have given their consent to the processing of personal data, the controller must be able to demonstrate this. It is possible to use a written declaration for giving consent. In this case, if consent is also requested for other matters, the request for consent to the processing must be distinguished from these other matters. It is to be presented in an intelligible and easily accessible form and the language used should be clear and easy to understand. For instance, if individuals are asked to give consent to the use of their property and in addition consent to the processing of their personal data is requested, the consent request with regard to the processing must be distinguishable from the other type of consent request. If the requirements in relation to consent are not met and a part of a written declaration of consent violates the GDPR, this part is not considered binding.
If you give consent to the processing of personal data, it does not mean that your personal data can indefinitely be processed. Data subjects may withdraw their consent at any time, but the processing taking place before the withdrawal is still considered lawful. Before a person gives his or her consent, he or she must be informed about the possibility of withdrawing it and it must be as easy to withdraw the consent as to give it. How can one determine whether consent was freely given? Among other things, attention should be paid to the fact whether it is required to give consent for the performance of a contract, such as in case of providing certain services. If consent is requested but it is not necessary for this performance, it cannot be regarded as freely given. Also, when data subjects have no free choice or cannot refuse or withdraw their consent without any negative consequences, it is not freely given.
© “Children” by lenkafortelna via Pixabay
Consent and minors
The GDPR seeks to protect all data subjects in the EU. In the modern age of digital technologies and widespread use of social media, children, their rights and interests should not be forgotten because they also make part of the group of individuals whose personal data can be processed. Children are in need of specific protection with respect to their personal data as indicated in Recital 38 of the Regulation. They are not as well-informed about their rights and adults, and their rights thus require sufficient protection. There are provisions in the GDPR specifically focusing on minors.
Article 8 GDPR specifically deals with the issue of providing consent and children. When information society services are provided directly to a child that needs to give consent, the processing of personal data of a child can be lawful if the child is at least 16 years old. If a child is younger than 16 years, the processing can be considered lawful only when consent is given and authorised by the parent or legal guardian of the child. These requirements do not affect the general contract law of EU Member States such as the rules on the validity, formation or effect of a contract in relation to children. It is allowed for EU Member States to introduce laws that set a lower age threshold for these purposes: the age of a child, however, cannot be lower than 13 years. It is a task of the controller to use all available technology in order to verify that consent is indeed given or is authorised by the parent or legal guardian.
© University of Groningen