GDPR and minors



During the past week we have been able to read the fine that Google is going to pay, as the owner of YouTube, for having used the personal data of minors for advertising data.


I am the father of a 13-year-old girl and I am very concerned about the sites she browses when she is not with me and what personal information she shares. I guess this happens to many parents. I hope that everything I have taught her will make her be responsible and apply this knowledge.


And what does the GDPR say about minors?

Before answering the question, I will briefly explain what a “recital” is, since there have been some people who have asked me for a little more explanation of this concept that I used in my previous article on the GDPR: “Introduction to the GDPR in predictive medicine”.


A recital serves to reason the content of the operative part, that is, the articles of the legislation. It is, to put it in simple words (although it is not very exact), the “philosophy” that explains why the legislation says what it says.


The recitals should be read by introducing the formula “Considering the following:”


That said, the philosophy that explains and inspires the operative part on minors in the GDPR is recital 38:


Considering the following:


Children deserve specific protection of their personal data, since they may be less aware of the risks, consequences, guarantees and rights concerning the processing of personal data. Such specific protection should apply, in particular, to the use of children’s personal data for marketing, personality or user profiling purposes, and to the collection of personal data relating to children when using services offered directly to a child. The consent of the holder of parental authority or guardianship should not be necessary in the context of preventive or counseling services offered directly to children.


Article 8 of the regulation, entitled “Conditions applicable to the child’s consent in relation to information society services”, is the one that develops the legislation in this area:


When Article 6, paragraph 1, letter a) applies, in relation to the direct offer to children of information society services, the processing of a child’s personal data shall be considered lawful when the child is at least 16 years of age. If the child is under 16 years of age, such treatment will only be considered lawful if the consent was given or authorized by the holder of parental authority or guardianship over the child, and only to the extent that it was given or authorized. Member States may establish by law a lower age for such purposes, provided that this is not less than 13 years.

The data controller will make reasonable efforts to verify in such cases that consent was given or authorized by the holder of parental authority or guardianship over the child, taking into account available technology.

Paragraph 1 shall not affect the general provisions of the contract law of the Member States, such as the rules relating to the validity, formation or effects of contracts in relation to a child.

As this is an important issue, the treatment of minors’ data, especially if they are of a special nature such as genetics, we are currently working on digitizing a process that allows parents to request a genetic analysis for their child in a simple way. through our platform. The biggest challenge, from the point of view of the GDPR, is to make article 8.2 possible, in relation to the fact that from the platform we want to automatically verify that the consent was given or authorized by the holder of parental authority.


Parents can currently authorize the treatment of their children’s genetic data through a genetic analysis from a Genetic Counseling and with an off-line procedure. The geneticist expert will explain whether or not it is necessary to carry out the genetic analysis on the minor and the parents will be able to acquire said analysis, after the doctor’s prescription, through the application after verification on our part that they are really the child’s guardians.


As I have explained in an article and on social networks, a few months ago I carried out a nutrigenetic analysis that has given me the tools so that once I have lost 57 kilos, I am not recovering them. In a few months I plan to carry out this same analysis on my daughter and provide the means, if necessary, so that my daughter does not have to follow a diet to lose weight in the future and avoid risks associated with obesity.


Carlos Martín, CTO of medmesafe


Twitter: https://twitter.com/cmdearcos

Facebook: https://www.facebook.com/cmdearcos

LinkedIn: https://www.linkedin.com/in/cmdearcos/

Project manager of the architecture service in SEPE Central Services - Procesia WEB and API architecture service coordinator - INECO Former CTO - medmesafe