Data protection for children
Persons under the age of 16 are considered children in the General Data Protection Regulation. Germany has not made use of the possibility to establish a lower age limit. Special data protection rules apply to children: Children need the consent of their parents, or at least their agreement, for the use of “information society services”. An information society service is a service provided electronically and at the individual request of the recipient. These could be, for example, online shopping, social networks or other services on the internet. Such services do not necessarily have to be provided commercially, as the Federal Court of Justice ruled in 2017. The verdict can be read here (in German).
When children are informed about the processing of their personal data, special attention must be paid to understandable language. Furthermore, if the child is under 16 years of age, companies must ensure that the holders of parental responsibility have consented or agreed to the processing of the child’s data. However, it is still unclear how it can actually be proven that consent has been obtained from parents and not just from their children. One possibility would be a two-way identification system using a parent’s device, but other technical solutions are also being discussed.
Article 8 GDPR (Conditions applicable to child’s consent in relation to information society services)
1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
Source: Regulation (EU) 2016/679 (see also recital 38)