Under the GDPR, children’s personal data require a higher level of protection than usual. Minors have exactly the same rights over their personal data as adults, but they cannot give consent to the processing of their personal data due to incapacity. Both the UN Convention on the Rights of the Child and the Child Protection Act require researchers to always set the child’s best interests as a primary consideration in decisions concerning children. Therefore, account must always be taken of what children want or prefer, even if their parents or guardians have given their consent for the child.
2.15.1. Minors cannot give consent but must be asked to assent to the processing of their data
The legal framework for personal data protection presupposes that the signatory of a contract or consent giver has the power of representation. Estonian law considers that a person aged 18 years or over has legal capacity, so the consent of the parent or other legal representative is required in the case of a minor. However, the law allows the legal capacity of minors to be extended: for example, under section 8 of the Data Protection Act, children aged 13 years or over have the right to give their consent to the use of information society services (e.g. social media). No such exception has been granted for research, and using IT solutions to collect personal data does not make a study an information society service.
However, under the GDPR, the rights of minors must be considered: minors should be informed about the processing of their personal data and their free will must be respected. In the case of research, it is good practice to ask minors for their assent to the study, even if this is not consent in legal terms. If the minor does not assent to the processing of their personal data, involving the person in the study is not allowed, even if the parent has given consent. Unintentional involvement is contrary to the code of conduct for research integrity and the principle of fair processing of personal data. The same applies where a minor wants to withdraw their assent but the parent has not withdrawn their consent – fair processing and respect for the child’s autonomy require the researcher to take account of the child’s wishes.
2.15.2. Children must be informed about the use of their data in plain and clear language
In the case of consent-based studies, information should also be provided to children for whom a separate information form may be drawn up. It must be in age-appropriate wording or in the form of images, icons or animations. At the same time, children should be given an easy opportunity to ask questions.
Read more: Irish Data Protection Commission, 2021 report “Children Front and Centre: Fundamentals for a Child- Oriented Approach to Data Processing”, which provides recommendations for taking into account the best interests of the child and communicating information to children |
2.15.3. Legitimate interest cannot be the legal basis for processing a child’s personal data
Although the legitimate interest is exceptional in research, the GDPR does not explicitly prohibit processing children’s personal data based on legitimate interest. However, this requires weighing the best interests and rights of the child. The emphasis of the GDPR implies that the rights and interests of the child take precedence over the normal consideration of legitimate interest.