gdpr-parental-consent
GDPR Parental Consent Verification
Overview
Article 8 of the GDPR establishes that when information society services are offered directly to a child, the processing of personal data based on consent is lawful only where the child is at least 16 years old. Member States may lower this threshold to a minimum of 13 years. Where the child is below the applicable age threshold, consent must be given or authorised by the holder of parental responsibility. The controller must make reasonable efforts to verify that the person giving consent holds parental responsibility, taking into consideration available technology. This skill provides a comprehensive framework for implementing Art. 8 compliance, drawing on EDPB Guidelines 5/2020, national implementations, and enforcement precedents.
Legal Foundation — Article 8 GDPR
Art. 8(1) — Conditions for Child's Consent
Where Article 6(1)(a) (consent) applies in relation to the offer of information society services directly to a child, the processing shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
Art. 8(2) — Verification Obligation
The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Art. 8(3) — Other Lawful Bases Unaffected
Article 8(1) does not affect the general contract law of Member States such as rules on the validity, formation or effect of a contract in relation to a child.