In detail

What rights do children have?

Children have the same rights as adults over their personal data. These are set out in Chapter III and VIII of the GDPR and are also listed below. For more detailed information about how these rights apply to all data subjects, please refer to our Guide to the GDPR. Where these provisions raise child specific issues these are covered below or elsewhere in our pages on Children and the GDPR.

All data subjects, including children have the right to:

  • be provided with a transparent and clear privacy notice which explains who you are and how their data will be processed. See ‘How does the right to be informed apply to children?’;
  • be given a copy of their personal data;
  • have inaccurate personal data rectified and incomplete data completed;
  • exercise the right to be forgotten and have personal data erased. See How does the right to erasure apply to children?;
  • restrict the processing in specified circumstances;
  • data portability;
  • object to processing carried out under the lawful bases of public task or legitimate interests, and for the purposes of direct marketing. See What if I want to market children?;
  • not be subject to automated individual decision-making, including profiling which produces legal effects concerning him or her or similarly affects him or her; See What if I want to make automated decisions  (including profiling) about children?
  • complain to the ICO or another supervisory authority;
  • appeal against a decision of a supervisory authority;
  • bring legal proceedings against a controller or processor; and
  • claim compensation from a controller or processor for any damage suffered as a result of their non-compliance with the GDPR.

When may a child exercise these rights on their own behalf?

A child may exercise the above rights on their own behalf as long as they are competent to do so. In Scotland, a person aged 12 or over is presumed to be of sufficient age and maturity to be able to exercise their data protection rights, unless the contrary is shown. This presumption does not apply in England and Wales or in Northern Ireland, where competence is assessed depending upon the level of understanding of the child, but it does indicate an approach that will be reasonable in many cases. A child should not be considered to be competent if it is evident that he or she is acting against their own best interests.

If you have already decided that a child is competent to provide their own consent then it will usually be reasonable to assume they are also competent to exercise their own data protection rights.

If a child is competent then, just like an adult, they may authorise someone else to act on their behalf. This could be a parent, another adult, or a representative such as a child advocacy service, charity or solicitor.

When may a parent exercise these rights on behalf of their child?

Even if a child is too young to understand the implications of their rights, they are still their rights, rather than anyone else’s such as a parent or guardian.

You should therefore only allow parents to exercise these rights on behalf of a child if the child authorises them to do so, when the child does not have sufficient understanding to exercise the rights him or herself, or when it is evident that this is in the best interests of the child.  

This applies in all circumstances, including in an online context where the original consent for processing was given by the person with parental responsibility rather than the child.

How does this work in practice?

An adult with parental responsibility may seek to exercise any of the child’s rights on their behalf.

If you are satisfied that the child is not competent, and that the person who has approached you holds parental responsibility for the child, then it is usually appropriate to let the holder of parental responsibility exercise the child’s rights on their behalf. The exception to this is if, in the specific circumstances of the case, you have evidence that this is not in the best interests of the child.

If you are confident that the child can understand their rights, then you should usually respond directly to the child. You may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or again if it is evident that this is in the best interests of the child.

What matters is whether the child is able to understand and deal with the implications of exercising their rights. So for example, does the child understand what it means to request a copy of their data and how to interpret the information they receive as a result of doing so?  When considering borderline cases, you should take into account, among other things:

  • where possible, the child’s level of maturity and their ability to make decisions like this;
  • the nature of the personal data;
  • any court orders relating to parental access or responsibility that may apply;
  • any duty of confidence owed to the child or young person;
  • any consequences of allowing those with parental responsibility access to exercise the child’s rights. This is particularly important if there have been allegations of abuse or ill treatment;
  • any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
  • any views the child or young person has on whether their parents should have access to information about them.

What role do child advocacy services have in representing children?

Article 80(1) of the GDPR allows data subjects to appoint properly constituted not-for-profit bodies or organisation (which could include child advocacy services or other organisations representing the interests of children) to exercise their right to:

  • bring a complaint to the ICO or another supervisory authority;
  • appeal against a decision of a supervisory authority; or
  • bring legal proceedings against a controller or processor.

Article 80(2) of the GDPR provides that Member States can legislate to allow such bodies or organisations to exercise these rights on behalf of data subjects without the data subjects’ authorisation.

Under the Data Protection Act 2018 the Secretary of State must review the UK’s provisions for the representation of data subjects under Article 80, including the merits of exercising the power under Article 80(2), with a particular emphasis on the needs of children in this respect.

Depending upon the outcome of this review organisations representing the interests of children may be given a formal role in representing children’s above data protection rights. Further guidance on this will be provided in due course.

Key provisions in the Data Protection Act 2018

Section 189