The Fundamentals

Welcome to The Fundamentals Collaborative Toolkit

The Fundamentals set out 14 key principles for organisations to follow when processing children’s data, and should be complied with by all organisations processing children’s data. This includes services that are directed at / intended for, or are likely to be accessed by children. In Ireland, for data protection purposes, a child is somebody under the age of 18 years.

Learn more

The DPC is determined to drive a transformation in how the personal data of children is handled and the Fundamentals represent an important stepping stone in this evolution.

The Fundamentals for a Child-Oriented Approach to Data Processing

Given that the Fundamentals will inform the DPC’s approach to supervision, regulation and enforcement in the area of processing of children’s personal data, all controllers who process children’s data should carefully review this guidance and take its recommendations on board.

7.0 Tools to ensure a high level of data protection for children

The DPC considers that where organisations have conducted (or have failed to conduct) a thorough and meaningful DPIA in relation to the processing of personal data of child users, this will be a relevant factor in any assessment by the DPC of an organisation’s compliance with its obligations under the GDPR, particularly in relation to the controller’s responsibilities under Article 24 (as referenced at the beginning of Section 7) including the obligation to take account of the varying likelihood and severity of risks posed to individuals as result of the processing of their personal data. A child-oriented DPIA is the first step in mitigating risk arising from processing children’s personal data, and will be seen as a key act of compliance with existing legal requirements for protecting the position of children as data subjects.

Learn more

About The Fundamentals Collaboration Toolkit

Button

This toolkit is designed to empower SMEs with a collaborative cloud-based templates solution, to simplify compliance with key principles 13 and 14 of the Fundamentals.

13. DO A DPIA: Online service providers should undertake data protection impact assessments (DPIA) to minimise the data protection risks of their services, and in particular the specific risks to children which arise from the processing of their personal data. The principle of the best interests of the child must be a key criterion in any DPIA and must prevail over the commercial interests of an organisation in the event of a conflict between the two sets of interests (Section 7.1 “Data Protection Impact Assessments”).
Child Rights Impact Assessment: Child Rights Impact Assessment (CRIA) examines the potential impacts on children and young people of laws, policies, budget decisions, programmes and services as they are being developed and, if necessary, suggests ways to avoid or mitigate any negative impacts. This is done prior to the decision or action being set in place. "Child Rights Impact Assessment" - ENOC
14. BAKE IT IN: Online service providers that routinely process children’s personal data should, by design and by default, have a consistently high level of data protection which is “baked in” across their services (Section 7.2 “Data Protection by Design and Default”).

A GDPR collaborative solution with Google Sheets to help implement and demonstrate compliance with The Fundamentals

View online demonstration of Fundamentals Collaborative Toolkit

Child Rights Impact Assesment (CRIA)

Child Rights Impact Assessment: examines the potential impacts on children and young people of laws, policies, budget decisions, programmes and services as they are being developed and, if necessary, suggests ways to avoid or mitigate any negative impacts. This is done prior to the decision or action being set in place. "Child Rights Impact Assessment" - ENOC

View demo