Empty Link Skip to Content

Fundamental for Processing Children’s Data – Data Protection Commission Responds

Last month, following a public consultation with 27 submissions, the Irish Data Protection Commission (“DPC”) published a report (the “Consultation Report”)[1] detailing the responses it has received to its draft guidance on processing children’s personal data, entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing” (the “Guidance”).[2] The Consultation Report discusses key themes and trends emerging from the submissions. 

In addition to giving 14 fundamental principles for processing children’s data (the “Fundamentals”), the Guidance contains the DPC’s advice on:

  • particular obligations under the General Data Protection Regulation (“GDPR”) including legal basis requirements (Article 6), digital age of consent verification (Article 8) and transparency (Article 12); and
  • the ability of children to assert their own data protection rights and the ability of parents and guardians to assert data protection rights on their child’s behalf.

In the Consultation Report, the DPC expressed surprise at some responses to the Guidance, indicating that some respondents considered the DPC’s approach excessive. It remains to be seen what effect the public consultation will have on the finalised guidance.

The DPC is clear that no transitional or grace period will be afforded to data controllers following publication of the finalised guidance. Organisations engaging in the processing of children’s data must therefore be cognisant of how they are currently treating this data, with the DPC likely to focus enforcement against those who fail to provide the levels of protection envisaged in the Guidance. 

It appears it will be insufficient for organisations to plead ignorance when it comes to whether they process children’s data, with the DPC making it clear that organisations are expected to know their audience. 

Finally, organisations should be aware of the DPC’s recognition of the ability of both a child and their parents to assert the child’s data protection rights – with the expectation that decisions taken will always represent the child’s best interests.

Next steps

The DPC has said that it aims to publish its finalised guidance this month. Matheson’s Technology and Innovation Group are keeping abreast of developments and we will be delighted to discuss any aspects of the DPC’s guidance with any clients who may be affected by these developments.

For more information, please contact Rory O’Keeffe, or any member of the Technology and Innovation Group.