The Fundamentals set out 14 key principles for organisations to follow when processing children’s data, and should be complied with by all organisations processing children’s data. This includes services that are directed at, intended for, or likely to be accessed by children. In Ireland, for data protection purposes, a child is somebody under the age of 18 years.
The DPC is determined to drive a transformation in how the personal data of children is handled and the Fundamentals represent an important stepping stone in this evolution.
Given that the Fundamentals will inform the DPC’s approach to supervision, regulation and enforcement in the area of processing of children’s personal data, all controllers who process children’s data should carefully review this guidance and take its recommendations on board.
The DPC considers that where organisations have conducted (or have failed to conduct) a thorough and meaningful DPIA in relation to the processing of personal data of child users, this will be a relevant factor in any assessment by the DPC of an organisation’s compliance with its obligations under the GDPR, particularly in relation to the controller’s responsibilities under Article 24 (as referenced at the beginning of Section 7), including the obligation to take account of the varying likelihood and severity of risks posed to individuals as a result of the processing of their personal data. A child-oriented DPIA is the first step in mitigating risk arising from processing children’s personal data, and will be seen as a key act of compliance with existing legal requirements for protecting the position of children as data subjects.
This toolkit is designed to empower SMEs with a collaborative, cloud-based template solution that simplifies compliance with key principles 13 and 14 of the Fundamentals.
Child Rights Impact Assessment: examines the potential impacts on children and young people of laws, policies, budget decisions, programmes and services as they are being developed and, if necessary, suggests ways to avoid or mitigate any negative impacts. This is done prior to the decision or action being set in place. "Child Rights Impact Assessment" - ENOC
13. DO A DPIA: Online service providers should undertake data protection impact assessments (DPIA) to minimise the data protection risks of their services, and in particular the specific risks to children which arise from the processing of their personal data. The principle of the best interests of the child must be a key criterion in any DPIA and must prevail over the commercial interests of an organisation in the event of a conflict between the two sets of interests (Section 7.1 “Data Protection Impact Assessments”).
14. BAKE IT IN: Online service providers that routinely process children’s personal data should, by design and by default, have a consistently high level of data protection which is “baked in” across their services (Section 7.2 “Data Protection by Design and Default”).
The Information Commissioner’s Office (ICO) has today issued a series of recommendations to game developers to help ensure they protect children when playing their games and comply with data protection laws. The recommendations are based on our experiences and findings during a series of voluntary audits of game developers, studios and publishers within the gaming industry.
The Act is modelled on the UK’s Age-Appropriate Design Code. The Act applies to businesses that provide an online service, product or feature “likely to be accessed by children” under the age of 18 (“covered businesses”).
This toolkit will help you understand some of the AI-specific risks to individual rights and freedoms and provides practical steps to mitigate, reduce or manage them.