Written by Zlatko Delev

Posted on: September 27, 2022

Digital Age of Consent under the GDPR

The GDPR includes a separate article regulating the processing of children’s personal data and the conditions under which children can give valid consent on their own behalf. As per Article 8 of the GDPR, where consent is the most appropriate mechanism to process personal data, ‘in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old’. It is the responsibility of the controller to ‘make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology’.

In cases where the child is below the age of digital consent, the processing will be deemed lawful only if the business operator has obtained the consent of the person who holds parental responsibility for the child. However, the GDPR gives Member States the flexibility to lower the age threshold, provided that it is not below the age of 13. Accordingly, some Member States have kept the digital age of consent at 16, while others have used this flexibility to set the digital age of consent at 13, 14 or 15. The information below presents, for each jurisdiction, the relevant legislation that sets the legal framework for data protection and regulates the digital age of consent, along with the supervisory authority responsible for ensuring compliance with the data protection regulations.

Austria:

Relevant legislation: The processing of personal data is regulated under the Federal Act concerning the Protection of Personal Data.

Digital age of consent: According to 14(4) of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 14 or above are able to provide their own consent.

Supervisory authority: The Austrian Data Protection Authority (Österreichische Datenschutzbehörde, DSB) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Belgium:

Relevant legislation: The processing of personal data is regulated under the Act of 30 July 2018 on the Protection of Individuals with Regard to the Processing of Personal Data.

Digital age of consent: According to Article 7 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.

Supervisory authority: The Data Protection Authority (L’Autorité de protection des données (APD)) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Bulgaria:

Relevant legislation: The processing of personal data is regulated under the Bulgarian Personal Data Protection Act.

Digital age of consent: According to Article 25c of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 14 or above are able to provide their own consent.

Supervisory authority: The Commission for Personal Data Protection (Комисията за защита на личните данни) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Croatia:

Relevant legislation: The processing of personal data is regulated under the Act on the Implementation of the General Data Protection Regulation.

Digital age of consent: According to Article 19 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.

Supervisory authority: The Personal Data Protection Agency (Agencija za zaštitu osobnih podataka) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Republic of Cyprus:

Relevant legislation: The processing of personal data is regulated under Law 125(I) of 2018 Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data and for the Free Movement of Such Data.

Digital age of consent: According to Article 8(1) of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 14 or above are able to provide their own consent.

Supervisory authority: The Commissioner for the Protection of Personal Data (Το Γραφείο Επιτρόπου Προστασίας Δεδομένων) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Czech Republic:

Relevant legislation: The processing of personal data is regulated under Act No. 110/2019 Coll. on the processing of personal data.

Digital age of consent: According to Section 7 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 15 or above are able to provide their own consent.

Supervisory authority: The Office for Personal Data Protection (Úřad pro ochranu osobních údajů) acts as the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Denmark:

Relevant legislation: The processing of personal data is regulated under Act No. 502 of 23 May 2018 on Supplementary Provisions to the Regulation of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

Digital age of consent: According to Section 6(2) of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.

Supervisory authority: The Danish Data Protection Agency (Datatilsynet) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Estonia:

Relevant legislation: The processing of personal data is regulated under the Personal Data Protection Act 2018 in Estonia.

Digital age of consent: According to Section 8(1) of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.

Supervisory authority: The Data Protection Inspectorate (Andmekaitse Inspektsioon) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Finland:

Relevant legislation: The processing of personal data is regulated under the Data Protection Act (1050/2018).

Digital age of consent: According to Section 5 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.

Supervisory authority: The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

France:

Relevant legislation: The processing of personal data is regulated under Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended).

Digital age of consent: According to Article 45 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 15 or above are able to provide their own consent.

Supervisory authority: The National Commission on Informatics and Liberty (Commission nationale de l’informatique et des libertés, CNIL) is the supervisory authority responsible for ensuring compliance with the data protection laws.

Germany:

Relevant legislation: The processing of personal data is regulated under the German Federal Data Protection Act.

Digital age of consent: If a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.

Supervisory authority: There are several national data protection supervisory authorities in Germany responsible for ensuring compliance with the data protection laws. The Federal Commissioner for Data Protection and Freedom of Information acts as the representative of the national data protection authorities.

Greece:

Relevant legislation: The processing of personal data is regulated under Law No. 4624/2019.

Digital age of consent: As per Article 21 of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 15 or above are able to provide their own consent.

Supervisory authority: The Hellenic Data Protection Authority is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Hungary:

Relevant legislation: The processing of personal data is regulated under the Information Self-Determination and Freedom of Information Act.

Digital age of consent: If a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.

Supervisory authority: The Hungarian Data Protection Authority (A Nemzeti Adatvédelmi és Információszabadság Hatóság) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Ireland:

Relevant legislation: The processing of personal data is regulated under the Irish Data Protection Law.

Digital age of consent: According to Section 31(1) of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.

Supervisory authority: The Data Protection Commission is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Italy:

Relevant legislation: The processing of personal data is regulated under the Personal Data Protection Code, Legislative Decree No. 196/2003.

Digital age of consent: According to Article 2-quinquies of the Code, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 14 or above are able to provide their own consent.

Supervisory authority: The Italian Data Protection Authority (Garante per la protezione dei dati personali) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Latvia:

Relevant legislation: The processing of personal data is regulated under the Personal Data Protection Law of 21 June 2018.

Digital age of consent: According to Section 33 of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.

Supervisory authority: The Data State Inspectorate (Datu valsts inspekcija) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Lithuania:

Relevant legislation: The processing of personal data is regulated under the Law on Legal Protection of Personal Data.

Digital age of consent: According to Article 6 of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 14 or above are able to provide their own consent.

Supervisory authority: The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Luxembourg:

Relevant legislation: The processing of personal data is regulated under the Act of 1 August 2018 on the organisation of the National Commission for Data Protection and implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Digital age of consent: If a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.

Supervisory authority: The National Data Protection Commission (Commission nationale pour la protection des données, CNPD) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Malta:

Relevant legislation: The processing of personal data is regulated under the Data Protection Act.

Digital age of consent: If a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.

Supervisory authority: The Information and Data Protection Commissioner is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Netherlands:

Relevant legislation: The processing of personal data is regulated under the Dutch GDPR Implementation Act.

Digital age of consent: According to Article 5 of the Law, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.

Supervisory authority: The Dutch Data Protection Authority is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Poland:

Relevant legislation: The processing of personal data is regulated under the Act of 10 May 2018 on the Protection of Personal Data.

Digital age of consent: If a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.

Supervisory authority: The Personal Data Protection Office is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Portugal:

Relevant legislation: The processing of personal data is regulated under Law No. 58/2019.

Digital age of consent: According to Article 16, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.

Supervisory authority: The National Data Protection Commission (Comissão Nacional de Protecção de Dados) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Romania:

Relevant legislation: The processing of personal data is regulated under Law No. 190 of 18 July 2018 on the implementation of the GDPR (Regulation (EU) 2016/679).

Digital age of consent: If a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.

Supervisory authority: The National Supervisory Authority for Personal Data Processing is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Slovakia:

Relevant legislation: The processing of personal data is regulated under Act No. 18/2018 Coll. on the protection of personal data and on amendments to certain acts.

Digital age of consent: According to Section 15 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 16 or above are able to provide their own consent.

Supervisory authority: The Office for Personal Data Protection is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Slovenia:

Relevant legislation: The processing of personal data is regulated under Law No. 94/07 on Protection of Personal Data.

Digital age of consent: As per the proposed law, a child should be at least 15 years old to provide consent to the processing of personal data in relation to information society services; however, the current digital age limit, which is set at 16 under Article 8 of the GDPR, applies until the proposed law enters into force.

Supervisory authority: The Information Commissioner is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Spain:

Relevant legislation: The processing of personal data is regulated under the Spanish Data Protection and Digital Rights Act 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights.

Digital age of consent: According to Article 7 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 14 or above are able to provide their own consent.

Supervisory authority: The Spanish Data Protection Agency (Agencia Española de Protección de Datos) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

Sweden:

Relevant legislation: The processing of personal data is regulated under the Data Protection Act (Act 2018:218) with supplementary provisions to the GDPR.

Digital age of consent: As per Chapter 2, Section 4 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.

Supervisory authority: The Swedish Authority for Privacy Protection (Datainspektionen) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.

United Kingdom:

Relevant legislation: The processing of personal data is regulated under the Data Protection Act 2018 (DPA 2018).

Digital age of consent: According to Section 9 of the Act, if a provider relies on consent as lawful basis for the processing of personal data in relation to information society services offered directly to children, only children aged 13 or above are able to provide their own consent.

Supervisory authority: The Information Commissioner’s Office (ICO) is the supervisory authority that is responsible for ensuring compliance with the data protection laws.
