office@euconsent.eu

PPPA-AGEVER-01-2020: “Outline and trial an infrastructure dedicated to the implementation of child rights and protection mechanisms in the online domain”

PPPA-AGEVER-01-2020: “Outline and trial an infrastructure dedicated to the implementation of child rights and protection mechanisms in the online domain”

Digital Age of Consent under the GDPR

by | Oct 26, 2021 | Miscellaneous

euconsent - Digital Age of Consent under the GDPR

The previous Data Protection Directive that regulated the data protection principles and requirements in the EU did not distinguish the measures to be adopted between adults and children regarding the processing of personal data. However, as children increasingly started to access the internet, the regulator had to respond to this shift in the market. In that regard, the GDPR incorporated a separate article that regulates the processing of children’s personal data where children can provide valid consent on their behalf. As per Article 8 of the GDPR, where consent is the most appropriate mechanism to process personal data, ‘in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old’. It is the responsibility of the controller to ‘make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology’.

In cases where the child is below the age of digital consent, the processing will be deemed lawful only if the business operator has obtained the consent of the person who holds parental responsibility for the child. However, the GDPR has given flexibility to the Member States to lower the age threshold provided that it is not below the age of 13. Accordingly, some Member States have kept the digital age of consent at 16. In contrast, others have benefited from this flexibility and allowed the digital age of consent to be 13,14 or 15. The information below presents the relevant legislations that set the legal framework for data protection and regulate the digital age of consent along with the supervisory authorities responsible for ensuring compliance with the data protection regulations in their jurisdiction.

Austria:

  • Relevant legislation: The processing of personal data is regulated under the Federal Act concerning the Protection of Personal Data.
  • Digital age of consent: According to 1§4(4) of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 14 or above are able to provide their own consent.
  • Supervisory authority: The Austrian Data Protection Authority (Österreichische Datenschutzbehörde, DSB) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Belgium:

Bulgaria:

  • Relevant legislation: The processing of personal data is regulated under the Bulgarian Personal Data Protection Act.
  • Digital age of consent: According to Article 25c of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 14 or above are able to provide their own consent.
  • Supervisory authority: The Commission for Personal Data Protection (Комисията за защита на личните данни) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Croatia:

  • Relevant legislation: The processing of personal data is regulated under the Act on the Implementation of the General Data Protection Regulation.
  • Digital age of consent: According to Article 19 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.
  • Supervisory authority: The Personal Data Protection Agency (Agencija za zaštitu osobnih podataka) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Republic of Cyprus:

Czech Republic:

  • Relevant legislation: The processing of personal data is regulated under Act No. 110/2019 Coll. on the processing of personal data.
  • Digital age of consent: According to Section 7 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 15 or above are able to provide their own consent.
  • Supervisory authority: The Office for Personal Data Protection (Úřad pro ochranu osobních údajů) acts as the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Denmark:

Estonia:

  • Relevant legislation: The processing of personal data is regulated under the Personal Data Protection Act 2018 in Estonia.
  • Digital age of consent: According to Section 8(1) of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.
  • Supervisory authority: The Data Protection Inspectorate (Andmekaitse Inspektsioon) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Finland:

  • Relevant legislation: The processing of personal data is regulated under the Data Protection Act (1050/2018).
  • Digital age of consent: According to Section 5 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.
  • Supervisory authority: The Office of the Data Protection Ombudsman, and their Office (Tietosuojavaltuutetun toimisto) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

France:

Germany:

  • Relevant legislation: The processing of personal data is regulated under the German Federal Data Protection Act.
  • Digital age of consent: If a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.
  • Supervisory authority: There are several national data protection supervisory authorities in Germany responsible for ensuring compliance with the data protection laws. The Federal Commissioner for Data Protection and Freedom of Information acts as the representative of the national data protection authorities.

Greece:

  • Relevant legislation: The processing of personal data is regulated under the Law No. 4624/2019.
  • Digital age of consent: As per Article 21 of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 15 or above are able to provide their own consent.
  • Supervisory authority: The Hellenic Data Protection Authority is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Hungary:

  • Relevant legislation: The processing of personal data is regulated under the Information Self-Determination and Freedom of Information Act.
  • Digital age of consent: If a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.
  • Supervisory authority: The Hungarian Data Protection Authority (A Nemzeti Adatvédelmi és Információszabadság Hatóság) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Ireland:

  • Relevant legislation: The processing of personal data is regulated under the Irish Data Protection Law.
  • Digital age of consent: According to Section 31(1) of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.
  • Supervisory authority: The Data Protection Commission is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Italy:

  • Relevant legislation: The processing of personal data is regulated under the Personal Data Protection Code, Legislative Decree No. 196/2003.
  • Digital age of consent: According to Article 2-quinquies of the Code, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 14 or above are able to provide their own consent.
  • Supervisory authority: The Italian Data Protection Authority (Garante per la protezione dei dati personali) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Latvia:

  • Relevant legislation: The processing of personal data is regulated under the Personal Data Protection Law of 21 June 2018.
  • Digital age of consent: According to Section 33 of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.
  • Supervisory authority: The Data State Inspectorate (Datu valsts inspekcija) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Lithuania:

  • Relevant legislation: The processing of personal data is regulated under the Law on Legal Protection of Personal Data.
  • Digital age of consent: According to Article 6 of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 14 or above are able to provide their own consent.
  • Supervisory authority: The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Luxembourg:

Malta:

  • Relevant legislation: The processing of personal data is regulated under the Data Protection Act.
  • Digital age of consent: If a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.
  • Supervisory authority: The Information and Data Protection Commissioner is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Netherlands:

  • Relevant legislation: The processing of personal data is regulated under the Dutch GDPR Implementation Act.
  • Digital age of consent: According to Article 5 of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.
  • Supervisory authority: The Dutch Data Protection Authority is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Poland:

  • Relevant legislation: The processing of personal data is regulated under the Act of 10 May 2018 on the Protection of Personal Data.
  • Digital age of consent: If a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.
  • Supervisory authority: The Personal Data Protection Office is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Portugal:

  • Relevant legislation: The processing of personal data is regulated under Law No. 58/2019.
  • Digital age of consent: According to Article 16, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.
  • Supervisory authority: The National Data Protection Commission (Comissão Nacional de Protecção de Dados) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Romania:

Slovakia:

Slovenia:

  • Relevant legislation: The processing of personal data is regulated under Law No. 94/07 on Protection of Personal Data.
  • Digital age of consent: As per the proposed law, a child should be at least 15 years old to provide consent in relation to the processing of personal data offered through information society services, yet the current digital age limit which is set as 16 under Article 8 of the GDPR applies until the proposed law enters into force.
  • Supervisory authority: The Information Commissioner is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Spain:

Sweden:

  • Relevant legislation: The processing of personal data is regulated under the Data Protection Act (Act 2018:218) with supplementary provisions to the GDPR.
  • Digital age of consent: As per Chapter 2, Section 4 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.
  • Supervisory authority: The Swedish Authority for Privacy Protection (Datainspektionen) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

United Kingdom:

  • Relevant legislation: The processing of personal data is regulated under the Data Protection Act 2018 (DPA 2018).
  • Digital age of consent: According to Section 9 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.
  • Supervisory authority: The Information Commissioner’s Office (ICO) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.
euConsent Consortium

Subscribe to our Newsletter

Do you want to be informed with the progress of euConsent or other related news? 

Thank you for subscribing. A email was sent to confirm your email address. Please check also spam folder.

Share This