Support Centre

EU: Age of consent for children

Recitals 38 and 75 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') stipulate that children are vulnerable natural persons who merit specific protection, and, therefore, such protection should apply to the use of personal data of children for the purposes of marketing, creating personality or user profiles, and the collection of personal data with regard to children when using services offered directly to a child.

Radachynskyi / Essentials collection / istockphoto.com

In addition, Article 8(1) of the GDPR, which concerns the conditions applicable to a child's consent in relation to information society services, stipulates that the processing of personal data of a child shall be lawful where the child is at least 16 years old. If the child is younger than 16 years old, the processing of his/her data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Moreover, Article 8(1) states that Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. This article aims to map out the use of this opening clause across Europe and each EU Member State.

Austria

Pursuant to Section 4(4) of the Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (Data Protection Act (DSG) BGBI. I No. 165/1999) (last amended in 2019)1, in relation to an offer of information society services made directly to a child, a child can lawfully consent to the processing of their personal data if they are at least 14 years old. For all other data processing activities which are not related to an offer of information society services, children can in any case validly consent if they are at least 14 years old.

Belgium

Article 7 of Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data2 outlines that in relation to the offer of information society services directly to a child, the processing of the personal data shall be lawful where the consent is given by children of at least 13 years old.

Bulgaria

The Protection of Personal Data Act 20023 (last amended in 2019) lowers the age for valid consent given from 16 to 14 years old in relation to the offer of information society services directly to a child, and where the data subject is under 14 years old, processing of data is lawful only if consent is given by the parent/legal guardian who is exercising the parental rights, or by the guardian of the data subject.

Cyprus

Article 8(1) of the Law 125(I) of 2018 Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data and for the Free Movement of Such Data4 ('the Cyprus GDPR Implementation Law') stipulates that when providing information society services directly to a child based on the child's consent, the processing of personal data is lawful if the child is at least 14 years old. Additionally, Article 8(2) of the Cyprus GDPR Implementation Law outlines that for a child under the age of 14, the processing of personal data is lawful when consent is provided or approved by the individual who has parental responsibility for the child.

Czech Republic

Pursuant to Section 7 of the Act No. 110/2019 Coll. On Personal Data Processing5, the age of the child required for consent to the processing of his/her personal data in relation to information society services without the necessity to obtain additional consent of the legal representative is lowered to a minimum of 15 years old and there is no addition national rule of regulation which specifically cover the processing of children's data.

Denmark

Section 6(2) of the Act No. 502 of 23 May 2018 on Supplementary Provisions to the Regulation of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data6 ('the Danish Data Protection Act') outlines that processing of children's data in relation with direct offering of information society services is lawful only if the child is no younger than 13 years old. Section 6(3) of the Danish Data Protection Act highlights that the processing of data of children who are 13 years old or younger is lawful to the extent that consent is given or approved by the parent or legal guardian of the child.

Estonia

According to Section 8(1) of the Personal Data Protection Act 20187, if Article 6(1)(a) of the GDPR applies in connection with provisions of information society services directly to a child, the processing of the child's personal data is permitted only where the child is at least 13 years old.

Finland

The applicable age of consent in relation to information society services offered directly to a child is 13 years old. If the consent is obtained for any other types of processing, such as the use of photographs or direct marketing purposes, the age applicable for consent is determined in accordance with the general rules of the Finnish Act on Child Custody and Rights of Access (361/1983)8.

France

Under Article 45 of the Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended)9, the age for valid consent is 15 years old in relation to the offer of information society services. However, for other processing activities, such as processing necessary to perform an online contract with a minor, this provision for does apply, due to the definition of information society services by Directive 98/48/EC amending Directive 98/34/EC10 Laying Down a Procedure for the Provision of Information in the Field of Technical Standards and Regulations. In addition, when the child is younger than 15 years old, the consent will need to be provided jointly by the minor and his/her parent or legal guardian.

Germany

The Federal Commissioner for Data Protection and Freedom of Information has not made use of its right to provide a lower age of consent in relation to information society services as permitted under the Article 8 of the GDPR.

Gibraltar

Article 11 of the Data Protection Act 200411 outlines that Article 8(1) of the GDPR references to 16 years are to be read as references to 13 years.

Greece

Article 21 of the Law No. 4624/2019 on the Personal Data Protection Authority, Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) and Transposing into National Law Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and Other Provisions12 states that, when processing data within the framework of information society services, a child must be at least 15 years of age to give consent.

Guernsey

Under the Data Protection (Bailiwick of Guernsey) Law, 201713, information society services cannot be directly offered to a child under the age of 13 years old.

Hungary

Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information as amended by Act XXXVIII of 201814 does not provide for deviations from the GDPR in relation to the offer of information society services directly to a child, and, therefore, the processing of personal data of a child shall be lawful where the child is at least 16 years old.

Iceland

According to Article 10(5) of the Law 90/2018 on Privacy and Processing of Personal Data (only available in Icelandic15), in relation to the offer of information society services directly to a child, the processing of personal data of a child under 13 years old is subject to parental or legal representative consent.

Ireland

Section 31(1) of the Irish Data Protection Law provides that the digital age of consent for Ireland is 16 years old. Therefore, this is the minimum age at which a child may provide their consent to the processing of their personal data in respect to information society services.

Isle of Man

The GDPR and LED Implementing Regulations 2018 16 outline that consent in relation to information society services must be given by persons older than 13.

Italy

Article 2-quinques of the Personal Data Protection Code, Legislative Decree No. 196/2003 (a consolidated version with amendments made by Legislative Decree 10 August 2018, no. 101, Provisions for the Adaptation of the National Legislation to the Provisions of the General Data Protection Regulation (Regulation (EU) 2016/679))17 provides that children who have reached the age of 14 years old can validly express their consent to data processing in relation to the offer of information society services and where the child is younger than 14 years old, consent must be given by the holder of parental responsibility over the child.

Jersey

The Data Protection (Jersey) Law 201818 stipulates in its Article 11(4) that a child under the age of 13 may not give valid consent to the processing of his or her personal data by a controller for the purposes of an information society service, and that valid consent on behalf of that child may be given a person with parental responsibility for him or her.

Latvia

Section 33 of the Personal Data Protection Law of 21 June 2018 ('the Latvian Data Protection Law') (only available in Latvian19) outlines that the age at which information society services may be offered directly to a child has been set at 13 years old. The Latvian Data Protection Law does not regulate other data processing situations, and, therefore, usually the child will be able to grant valid consent to processing of his/her personal data starting from 18 years of age.

Liechtenstein

The age of consent is 16 as the national legislator has not made use of its right to provide for a lower age of consent in relation to information society services as permitted under Article 8 of the GDPR.

Lithuania

Law No. XIII-1426 of 30 June 2018 amending Law No I-137420, the age of consent of a child in relation to the offer information society services is 14 years old.

Luxembourg

Act of 1 August 2018 on the Organisation of the National Commission for Data Protection and Implementing the GDPR21 does not provide specific rules regarding the processing of children's data or age of consent. Therefore, in Luxembourg a person may only give their consent in relation to the processing of their personal data when they are at least 16 years old, as provided by Article 8(1) of the GDPR.

Malta

Processing of Child's Personal Data in Relation to the Offer of Information Society Services Regulations22 state that the processing of personal data of a child in relation to the offer of information society services shall be lawful where the child is 13 years old.

Netherlands

Article 5 of the Act Implementing the GDPR23 stipulates that the minimum age provided by Article 8(1) of the GDPR also applies in respect to providing consent for the processing of personal data in connection with any other type of services offered to children.

Norway

Section 5 of the Law of the Processing of Personal Data (Personal Data Act) of 15 June 201824 provides that the age of consent in relation to the offer of information society services is 13 years old.

Poland

Act of 10 May 2018 on the Protection of Personal Data does not deviate from the Article 8(1) of the GDPR, and, therefore, the age of consent under the GDPR applies.

Portugal

Article 16 of Law No. 58/2019, which Ensures the Implementation in the National Legal Order of the General Data Protection Regulation (Regulation (EU) 2016/679) on the Protection of Individuals with Regards the Processing of Personal Data and the Free Movement of such Data25 establishes that in relation to the offer of information society services directly to a child, the processing of the personal data based on consent shall be lawful if the child is at least 13 years old.

Romania

Under Law No. 190 of 18 July 2018 on the Implementation of the General Data Protection Regulation (Regulation (EU) 2016/679)26 no specific national requirements have been adopted, and therefore the age of consent under the GDPR applies.

San Marino

Article 7 of the Law 21 December 2018 No. 171, Protection of Individuals with Regard to the Processing of Personal Data27 outlines that if the processing of data is based on consent in relation to offering of information society services, the data processing of a child is lawful if the child is at least 16 years old and if the child is under the age of 16 years old such processing is lawful only if there is the consent of the parent of legal guardian.

Serbia

The Law on Personal Data Protection 201828 does not mention the processing of children’s data, however, Article 10 notes that consent for processing of data on deceased persons may be given by children above 15 years of age.

Slovakia

Act No. 18/2018 Coll. On Protection of Personal Data and on Amendments to certain Acts29 does not set a lower age level, and therefore the age of 16 years set under the GDPR applies.

Spain

Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights30 sets the age of the child at 14 years for the processing of data based on the child's consent.

Switzerland

The Federal Act on Data Protection ('FADP') of 19 June 199231 does not mention the processing of children’s data.

Sweden

Chapter 2(4) of the Law 2018:218 with Additional Provisions to the GDPR32 states that, when offering information society services directly to a child who lives in Sweden, the processing of personal data may be permitted on the basis of the child's consent, if the child is at least 13 years old.

UK

Section 9(a) of the Data Protection Act 201833 reduces the age of children's consent from 16 to 13 years.

How OneTrust DataGuidance helps

OneTrust DataGuidance provides a suite of privacy solutions designed to help you monitor regulatory developments, mitigate risk, and achieve global compliance. With focused guidance around core topics, comparative Cross-Border Charts, a daily customised news service, and expert analysis, OneTrust DataGuidance provides industry leading solutions to design and support your entire privacy programme.

OneTrust DataGuidance offers a dedicated GDPR Portal which can be used by organisations to understand and compare implementation of the GDPR across Member States as well as a Benchmarking Chart which compares the GDPR to other global laws in California, Brazil and Japan. The Benchmarking Chart provides an analysis of legislation based on their scope, key definitions, legal basis, the rights they provide, and their approach to enforcement. Each topic includes relevant articles and sections from the two laws, a summary of the comparison, and a detailed analysis of the similarities and differences between legislation.

Lucian-Gabriel Burcea Privacy Analyst
[email protected]


1. Available at: https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597
2. Available at: https://www.dataprotectionauthority.be/sites/privacycommission/files/documents/Act_30_07_2018_final.pdf
3. Available at: https://platform.dataguidance.com/legal-research/personal-data-protection-act-2002-last-amended-2019
4. Available at: http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/2B53605103DCE4A4C225826300362211/$file/Law%20125(I)%20of%202018%20ENG%20final.pdf
5. Available at: https://www.uoou.cz/en/assets/File.ashx?id_org=200156&id_dokumenty=1837
6. Available at: https://www.datatilsynet.dk/media/6894/danish-data-protection-act.pdf
7. Available at: https://www.riigiteataja.ee/en/eli/523012019001/consolide
8. Available at: https://www.finlex.fi/fi/laki/ajantasa/1983/19830361
9. Available at: https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000886460
10. Available at: http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A31998L0048
11. Available at: https://www.gibraltarlaws.gov.gi/articles/2004-01o.pdf
12. Available at: http://www.et.gr/idocs-nph/search/pdfViewerForm.html?args=5C7QrtC22wFqnM3eAbJzrXdtvSoClrL8WkQtR1OJjJd5MXD0LzQTLWPU9yLzB8V68knBzLCmTXKaO6fpVZ6Lx3UnKl3nP8NxdnJ5r9cmWyIq-BTkXB0ftEAEhATUkJb0x1LIdQ163nV9K--td6SIuds9RIyPETWLSFD4zcFf2-lLHxYHSxxOkklXrnr4upOT
13. Available at: http://www.guernseylegalresources.gg/CHttpHandler.ashx?id=112599&p=0
14. Available at: http://njt.hu/translated/doc/J2011T0112P_20190426_FIN.pdf
15. Available at: https://www.stjornartidindi.is/Advert.aspx?RecordID=55860204-b174-41c8-bf50-7f36e88eb051
16. Available at: https://www.legislation.gov.im/cms/images/LEGISLATION/SUBORDINATE/2018/2018-0145/GDPRandLEDImplementingRegulations2018_1.pdf
17. Available at: https://www.garanteprivacy.it/documents/10160/0/Codice+in+materia+di+protezione+dei+dati+personali+%28Testo+coordinato%29
18. Available at: https://www.jerseylaw.je/laws/enacted/Pages/L-03-2018.aspx
19. Available at: https://likumi.lv/ta/id/300099-fizisko-personu-datu-apstrades-likums
20. Available at: https://www.e-tar.lt/portal/lt/legalAct/43cddd8084cc11e8ae2bfd1913d66d57
21. Available at: https://cnpd.public.lu/dam-assets/fr/legislation/droit-lux/Act-of-1-August-2018-on-the-organisation-of-the-National-Data-Protection-Commission-and-the-general-data-protection-framework.pdf
22. Available at: https://idpc.org.mt/en/Legislation/SL%20586.11.pdf
23. Available at: https://zoek.officielebekendmakingen.nl/stb-2018-144.html
24. Available at: https://lovdata.no/dokument/NL/lov/2018-06-15-38
25. Available at: https://dre.pt/diario/resources/15100.pdf
26. Available at: https://www.dataprotection.ro/servlet/ViewDocument?id=1685
27. Available at: https://www.consigliograndeegenerale.sm/on-line/home/archivio-leggi-decreti-e-regolamenti/documento17105723.html
28. Available at: https://platform.dataguidance.com/sites/default/files/zakon-o-zastiti-podataka-o-licnosti_en.pdf
29. Available at: https://platform.dataguidance.com/sites/default/files/zakon-o-zastiti-podataka-o-licnosti_en.pdf
30. Available at: https://platform.dataguidance.com/legal-research/act-no-182018-coll-protection-personal-data-and-amendments-certain-acts
31. Available at: https://www.admin.ch/opc/en/classified-compilation/19920153/index.html
32. Available at: https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/lag-2018218-med-kompletterande-bestammelser_sfs-2018-218
33. Available at: https://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf