February 6, 2020

Specific Data Protection and Privacy for Children

The Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) contains several specific provisions in relation to the relevant rights of children and the respective obligations of controllers and processors of their personal information. Indeed, children merit specific protection with regard to their personal data. This note provides an outline of the relevant provisions of the GDPR and applicable Cyprus legislation.

The GDPR provides, inter alia, that children are most likely to be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Therefore, specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. In fact, the GDPR further stipulates that the consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

Importantly, in accordance with the principle of transparency, the GDPR requires that any information and communication, where processing is addressed to a child, should be in such clear and plain language that the child can easily understand it.

Furthermore, the data subject’s right to have personal data concerning him or her rectified and the ‘right to be forgotten’ are particularly relevant where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. In addition, automated processing and decision making which produces legal effects concerning him or her or similarly significantly affects him or her should not concern a child.

Lawfulness of processing

Article 6 (1) of the GDPR provides that processing shall be lawful only if and to the extent that at least one of the factors stated thereunder applies, including, but not limited to, processing being necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Conditions applicable to child's consent in relation to information society services

The GDPR stipulates under Article 8 (1) that where point (a) of Article 6 (1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. In this respect, pursuant to Article 8 (3) of the GDPR, the aforesaid paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Indeed, as regards Cyprus, Article 8 (1) of Cyprus Law 125(I) of 2018 (LAW PROVIDING FOR THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND FOR THE FREE MOVEMENT OF SUCH DATA) (“Law”) provides that when the offering of information society services directly to a child is based on the child’s consent, the processing of personal data shall be lawful where the child is at least 14 years old. In accordance with Article 8 (2) of the Law, for a child younger than fourteen (14) years old, the processing of personal data referred to in subsection (1) shall be lawful when consent is given or authorised by the holder of parental responsibility over the child.

It is noteworthy that Article 8 (2) of the GDPR provides that the controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

Transparent information communication and modalities for the exercise of the rights of the data subject

Pursuant to Article 12 (1) of the GDPR, inter alia, the controller shall take appropriate measures to provide any information and any communication relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child [emphasis added].

Codes of conduct

Article 40 (1) of the GDPR stipulates that the Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR. In this regard, Article 40 (2) thereof further provides amongst other things that associations and other bodies representing categories of controllers or processors may prepare codes of conduct, for the purpose of specifying the application of the GDPR, such as with regard to the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained.


Article 57(1) of the GDPR further stipulates, inter alia, that activities addressed specifically to children shall receive specific attention.

Cyprus Office of the Commissioner for Data Protection (“Commissioner”)

The Commissioner has communicated relevant information for children.

A description of personal information is provided along with guidelines in relation to the provision of minimum personal data of a child or his or her family subject to consent by parents or guardians in the appropriate documentation.

Further reference is made to social networks including Facebook, Twitter, Instagram and other applications, where children may responsibly register if 14 years of age, whereas parents’ or guardians’ consent is required before the age of 14.

The Commissioner also provides useful advice in relation to internet use by children such as:

  • no online upload without parents’ permission
  • awareness that anything uploaded online cannot be deleted
  • no online upload of information, photos or videos of friends without the consent of their parents
  • activation of privacy settings on social networks
  • no communication with unknown persons


Of course, the competent regulatory authority plays a crucial role in the implementation and enforcement of the GDPR and corresponding national legislation as well as respective guidelines, and should be consulted as appropriate. There are many obligations and rights are strengthened, as is clearly demonstrated by the doubling of complaints and questions received and investigated by the Commissioner.

To sum up, the GDPR and national legislation substantially changed data privacy rules. By now, organisations in the EU or organisations outside the EU which process personal data of EU residents should be in a position to demonstrate that they fulfil the necessary requirements for compliance. However, key issues and practical considerations arise which impact the majority of organisations and address gaps in compliance. It is particularly important for organisations to increase awareness through training of all stakeholders involved to create a culture that supports data protection and privacy throughout relevant business processes.

Our Data Protection Practice Group

Our Data Protection practice group helps SMEs and large organisations in a wide range of sectors to comply with the GDPR and national legislation, and the relevant guidelines of the Commissioner for Personal Data Protection.

Our technical associates focus on technology and cybersecurity aspects to cover all angles of the necessary exercise, in line with the rapid shifts in technological disruption.

We advise on the appropriate safeguards that must be implemented in the Digital Age, particularly considering the substantial risks and potential consequences involved.

  • Data Security and Privacy Awareness
  • Data Protection Implementation and Compliance
  • Privacy Policy and Notice
  • Data Privacy Impact Assessment
  • Data Protection Officer
  • Data Security and Privacy Management
  • Technology and Cybersecurity

Please do not hesitate to contact us if you require further information or support on such matters.

K. A. Kourtellos & Co LLC has been selected by Global Law Experts (GLE) as Data Protection Law Firm of the Year in Cyprus – 2020 at the 11th Annual GLE Awards.

Copyright © 2020 K. A. Kourtellos & Co LLC
K. A. Kourtellos & Co LLC is regulated by the Cyprus Bar Association