Changes in consent and data protection of minors

The General Data Protection Regulation (GDPR) establishes new guidelines about the consent of minors in the processing of their personal data in order to increase the privacy of information.

The data of minors are not considered sensitive data, but they are given special protection in the section 38 of the European Regulation 2016/679.

The European Regulation makes it clear that consent must be collected in a clear and unambiguous manner and must be verifiable. Therefore, the privacy notice must be written in a language that the minors can understand. Otherwise, the consent would not be collected legitimately according to the new Regulation.

In which fields are these data processed? These processings have a defined profile:

  • Students by educational centers
  • Consumers
  • Leisure
  • Health

From what age on will the procssings of personal data be legal?

The use of personal data in the field of information society services in minors – such as, for example social networks – will be legal as long provided that they are over 16 years old. However, the Regulation makes it possible to lower this age and that each Member State establishes its own limit, always with a lower limit of 13 years.

In the case of Spain, this age is currently set at 14 years, but with the GDPR implementation it is reduced from 14 to 13 years to adapt the Spanish system to the General Data Protection Regulation.

The personal data of minors may be processed, but the GDPR has expressly forbidden the obtaining of data from minors that allow obtaining information about their family unit, as well as sociological, economic data…

Who should give the consent?

When the minor is 13 years old, he or she will be able to consent to the processing of his data by himself or herself. In case that the his or her age is less than 13 years, the consent must be granted by the “parental authority”.

The consent must always be prior to the collection of the minor’s data.

Who should verify the consent obtained by the minors?

The controller will be in charge of verifying that the consent that has been granted by the parents or guardians is valid.

To demonstrate this consent by the controller, it is advisable to collect it through documents stating the authorization by the parent or guardian. Besides, it is important to do so at the first moment when the personal data of the minor will be collected.

We must also keep in mind that in the case that we are going to make use of images or videos in which minors appear, we must have the express prior consent for it.


Do you deal with data of minors and you do not know how to apply the new GDPR changes? Pridatect can help you! Contact us!

Share this article


Article written by

Lisa Hofmann

Chief of Legal Operations de Pridatect | Especialista legal certificada en protección de datos por la institución alemana de servicios relacionados con la seguridad TUEV. Con amplia experiencia en ayudar a empresas en el cumplimiento de la privacidad.

Related articles



Would you like to receive regular updates on data protection and GDPR? Subscribe to our newsletter and you will be the first to receive our new blog articles, webinars and ebooks.

Free Webinars