The DPC is determined to drive a transformation in how the personal data of children is handled and the Fundamentals represent an important stepping stone in this evolution.


Given that the Fundamentals will inform the DPC’s approach to supervision, regulation and enforcement in the area of processing of children’s personal data, all controllers who process children’s data should carefully review this guidance and take its recommendations on board.

The DPC considers that where organisations have conducted (or have failed to conduct) a thorough and meaningful DPIA in relation to the processing of personal data of child users, this will be a relevant factor in any assessment by the DPC of an organisation’s compliance with its obligations under the GDPR, particularly in relation to the controller’s responsibilities under Article 24 (as referenced at the beginning of Section 7) including the obligation to take account of the varying likelihood and severity of risks posed to individuals as result of the processing of their personal data. A child-oriented DPIA is the first step in mitigating risk arising from processing children’s personal data, and will be seen as a key act of compliance with existing legal requirements for protecting the position of children as data subjects.

About The Fundamentals Collaboration Toolkit

This toolkit is designed to empower SMEs with a collaborative cloud-based templates solution, to simplify compliance with key principles 13 and 14 of the Fundamentals.


  1. 13. DO A DPIA: Online service providers should undertake data protection impact assessments (DPIA) to minimise the data protection risks of their services, and in particular the specific risks to children which arise from the processing of their personal data. The principle of the best interests of the child must be a key criterion in any DPIA and must prevail over the commercial interests of an organisation in the event of a conflict between the two sets of interests (Section 7.1 “Data Protection Impact Assessments”).
  2. Child Rights Impact Assessment: Child Rights Impact Assessment (CRIA) examines the potential impacts on children and young people of laws, policies, budget decisions, programmes and services as they are being developed and, if necessary, suggests ways to avoid or mitigate any negative impacts. This is done prior to the decision or action being set in place.  "Child Rights Impact Assessment" - ENOC
  3. 14. BAKE IT IN: Online service providers that routinely process children’s personal data should, by design and by default, have a consistently high level of data protection which is “baked in” across their services (Section 7.2 “Data Protection by Design and Default”).

A GDPR collaborative solution with Google Sheets to help implement and demonstrate compliance with The Fundamentals

View online demonstration of Fundamentals Collaborative Toolkit

Share by: