The Fundamentals set out 14 key principles for organisations to follow when processing children’s data, and should be complied with by all organisations processing children’s data. This includes services that are directed at / intended for, or are likely to be accessed by children. In Ireland, for data protection purposes, a child is somebody under the age of 18 years.
The DPC is determined to drive a transformation in how the personal data of children is handled and the Fundamentals represent an important stepping stone in this evolution.
Given that the Fundamentals will inform the DPC’s approach to supervision, regulation and enforcement in the area of processing of children’s personal data, all controllers who process children’s data should carefully review this guidance and take its recommendations on board.
The DPC considers that where organisations have conducted (or have failed to conduct) a thorough and meaningful DPIA in relation to the processing of personal data of child users, this will be a relevant factor in any assessment by the DPC of an organisation’s compliance with its obligations under the GDPR, particularly in relation to the controller’s responsibilities under Article 24 (as referenced at the beginning of Section 7) including the obligation to take account of the varying likelihood and severity of risks posed to individuals as result of the processing of their personal data. A child-oriented DPIA is the first step in mitigating risk arising from processing children’s personal data, and will be seen as a key act of compliance with existing legal requirements for protecting the position of children as data subjects.
This toolkit is designed to empower SMEs with a collaborative cloud-based templates solution, to simplify compliance with key principles 13 and 14 of the Fundamentals.