top of page

Processing Situations 


Consent and children’s data

The GDPR explicitly recognises that children deserve specific protection of their personal data and introduces additional rights and safeguards for children. The GDPR handbook will share some best practices for companies that process – or might process – children’s personal data.

  • If you provide information society services (e.g. web shops, video-sharing platforms, social networking sites, search engines etc.) to a child while relying on consent as the legal basis for the processing, you need to undertake reasonable efforts to obtain and verify parental consent when it concerns users below the age of 16. Reasonable effort should be determined by considering existing technology and the circumstances such as resources and level of risk. Depending on the Member State where you operate, a different age limit may apply as Member States can lower the age limit for parental consent down to 13 years old.

  • Take note that this rule only applies if the services are offered directly to the child, meaning that they either exclusively address children or explicitly focus on them.

  • Also, it does not mean that you always must obtain parental consent for users under the chosen age limit. Only if you make your service available to children, and you rely on consent as your lawful basis (e.g. for any non-core processing, cookies or similar technologies or processing of special category data).



Useful link

  • ICO has issued a code on Age appropriate design: a code of practice for online services, which provides practical guidance on how to ensure your online services appropriately safeguard children’s personal data. Following this code will assist you to process children’s data fairly.

Time for action!

In case you offer information society services directly to children, go check out your national post-GDPR law to find out up until which age parental consent should be obtained.

National age limits for parental consent:



Processing situations_AGE LIMITS.png

When you do not directly offer content to children, but rather offer services that are likely to be accessed by children (<18 years old), you will have to take additional measures to protect their best interest.

bottom of page