Step 4: Assess necessity and proportionality
Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? If you use AI, how will you avoid bias and explain its use? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?
Lawful bases for processing
Guidance: See Annex C of the code– Lawful basis for processing - for guidance on how to determine the lawful basis you can use when processing personal data.
- Performance of a contract with the data subject (Article 6(1)(b)UK GDPR): where processing is necessary to fulfil a product order (including creating an account, selecting and paying for products, sending products to customers, sharing data with couriers); processing in connection with a competition or prize draw subject to terms governing it.
- Legitimate interests (Article 6(1)(f)UK GDPR): sending enewsletters based on the soft opt-in exception; processing of personal data connected with strictly necessary cookies (security cookies and functionality to enable a service requested by the user); corresponding with customers in response to enquiries; processing of data for fraud prevention purposes; carrying out customer surveys; to administer and protect our business and website; processing to enable sharing of purchase on social media sites. We have completed legitimate interests assessments for all processing activities we carry out on this basis.
Note: Article 6(1)(f) gives you legitimate interest as lawful basis for processing where: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This can be broken down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
- Consent (Article 6(1)(a)GDPR): processing connected with the sending of enewsletters where a person has opted-in to receiving them; marketing activities or profiling based on analytics data derived from cookies and order history, processing of personal data in connection with functional/analytics/marketing cookies.
Necessity and proportionality
We consider that our processing achieves the purposes set out in step 2 and does not go beyond what is reasonably necessary to achieve these purposes.
To ensure there is no function creep we only use data for the limited purposes explained in this DPIA.
We ensure data minimisation and proportionality by only asking for data that we need for a current specified purpose.
Transparency and data subject rights
Guidance: Transparency is about being clear, open and honest with your users about what they can expect when they access your online service, see Standard 4 of the AADC – Transparency.
“The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent, and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.”
Examples of good practice in transparency notices can be found on the ICO’s Children’s code Additional resources page pages.
We explain about individuals’ rights in our privacy notice and include an email address which individuals can use to contact us with any questions about their rights and to exercise their rights. Our team members who deal with queries on data protection matters and requests to exercise data subject rights have received basic training on dealing with requests and are familiar with the guidance produced by the ICO.
We use an e-commerce platform, a cookie analytics provider, and a Captcha provider, all of which act as processors. We have entered into Article 28(3) UK GPDR terms with each of these third parties and carried out appropriate security risk assessments.
The Article 28 agreements include a contractual obligation for the processor to use EU SCCs and undertake a risk assessment if or when engaging the services of a sub-processor who is transferring data to a third country.
Transfers of data are made in connection with the sharing of personal data with our third-party analytics cookie provider and e-commerce provider. The analytics provider is based and Europe, and the e-commerce provider is based in Canada. In both cases, the data transfers are covered by adequacy agreements in place with the UK.
Helpful hint: You might find it helpful to consult our guidance on international data transfers from the UK. You should also consult the privacy notices and terms and conditions documents from your e-commerce provider for more details on how they manage international transfers.
Describe how you comply with the Age-Appropriate Design Code: what specific measures have you taken to meet each of the standards in the code?
Best interests of the child
We have considered the interests and rights of the children that use our website, and these interests and rights are reflected in our limited collection and use of their personal data. Users are also able to search for toys based on age (ie through filtering) to ensure that they are presented with products which are age appropriate. Our online shop does not sell any products which we consider could be harmful, nor any age-restricted items.
Data protection impact assessments: We have completed this DPIA which covers all customer data processing activities carried out. We keep this DPIA under review and are aware of the need to update it if we make any changes to our processing of customer personal data. We make the up-to-date version of this DPIA available on our website and refer to it in our privacy notice.
Detrimental use of data
We do not use personal data in any way which could be detrimental to a child’s or any other person’s well-being. Our marketing enewlsetter follows the principles in Committee of Advertising Practice guidance.
Policies and community standards
We follow our terms and conditions and privacy notice and only use data in accordance with these documents. We will delete the accounts of users that do not follow our standards, or are proven to have not been truthful about their age when registering for a user account. We will also delete any data collected against their account.
Guidance: When you set community rules and conditions of use for users of your service, you need to actively uphold or enforce those rules and conditions. Standard 6 of the Code – Policies and community standards confirms that your own published terms, policies and community standards includes, but is not limited to, privacy policies, age restriction, behaviour rules and content policies or standards you adhere to.
As our website only has basic functionality, we do not use privacy settings unless the user creates an account. Account holders privacy is set as high by default. This means we do not collect more data than is necessary to provide the online purchasing and enewsletter services that come with a user account. User account holder data is not visible to other users or services, and there is no access to the users data from third parties for behavioural advertising.
No cookies (apart from strictly essential cookies) are placed before a user consents to such cookies. All other cookies are set as default to “off” and users over the age of 13 are asked to review and consent or not consent to these cookies at the point of entering the website.
Guidance: Privacy settings are a practical way for you to offer children a choice over how their personal data is used and protected. For advice on how to set privacy settings as high by default, see Standard 7 of the Code – Default settings.
We only collect and process the minimum amount of personal data we need for particular activities. Users have a choice over whether to accept cookies and whether to sign up for our newsletter or indicate that they do not want to receive newsletters where we send these to account holders based on the soft opt-in exception.
Data is shared with the third parties described under the heading “Data sharing” in Step 2.
We do not collect or otherwise process geolocation data.
We have analysed the processing we carry out and do not think that any of our it presents a risk which would require us to offer parental controls. Parents or guardians can contact us with any queries they have about our processing of their child’s personal data, ask us to delete the personal information we have collected in connection with their child’s account from our records, and exercise rights on behalf of their child. We confirm the identity of the adult as the parent or guardian of the child before carrying out any of the above.
Guidance: For the purposes of the Children’s Code, Standard 11 refers to how you make it clear to the child if parental controls are in place and if they are being tracked or monitored:
“If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.”
Companies might conform to Standard 11 by using child-friendly and age-appropriate avatars, symbols or pop-up messages (audio or written) to notify children when parental controls are monitoring their online behaviour.
We carry out limited profiling activities to email recommendations of similar products to users based on their order history and browsing activities. We only carry out profiling of users who have consented to the relevant cookies, and only send these emails to users who have opted-in to marketing, or who have not opted-out of marketing when making a previous purchase. Children under 13 years of age are not given the option to opt-in to marketing emails.
We do not offer external advertising to users of the service.
We do not use nudge techniques to encourage children to provide more data or consent to the processing of their personal data. We encourage children to talk to their parents about using our website, and to discuss with them anything in our privacy or cookies policies which they do not understand.
Guidance: Nudge techniques are design features which lead or encourage users to follow the designer’s preferred paths in the user’s decision-making. The code states that ISS should not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections See Standard 13 of the Code – Nudge techniques.
Connected toys and devices
This is not relevant to our processing.
All marketing emails and our generic enewsletter contain an unsubscribe link. Users who have registered for an account also have the option to delete their account at any time (subject to limited data retention in line with our retention policy).
An "I’m not happy“ link is available at the bottom of each web page that links to a video with information on what children should do if they encounter problems on the site, including prompt to get help from trusted adult.
Guidance: Online tools are mechanisms to help children exercise their rights simply and easily when they are online, such as complaints buttons. Standard 15 of the code – Online tools – states that you should provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
Helpful hint: You should review the Children’s code harms framework. The framework is a flexible tool for identifying data-related risks to children that you need to consider when completing your DPIA. It aims to support online services to place children’s best interests at the heart of their services.