The status of a child as a particularly protected person under the GDPR

Children's data in the GDPR - special protection and obligations of administrators

Introduction

Children are among the most vulnerable internet users, and their personal data – according to the GDPR – requires special protection. Reasons include a lack of full awareness of the consequences of sharing information online, the risk of manipulation, and commercial profiling. In practice, this means that data controllers must apply higher standards of security, transparency, and consent verification to children's data. This article provides a practical explanation of children's rights under the GDPR, the obligations of data controllers, and the proper processing of minors' data in online and offline services.

Does the GDPR introduce separate provisions for children?

The GDPR does not create a separate section on children's data, but Recital 38 of the regulation explicitly states that children require "special protection." The GDPR treats children as individuals whose rights and freedoms are at greater risk, so all provisions that can be interpreted more broadly or more narrowly should be interpreted in favor of the child.

The most important sources of child protection in the GDPR are:

  • Recital 38 of the GDPR – a key interpretative signal.
  • Art. 6 GDPR – the interests of the child take precedence over the interests of the controller.
  • Art. 8 GDPR – principles of consent in information society services.
  • Art. 12-14 GDPR – obligation to provide information in “clear and plain language”.
  • Art. 22 GDPR – prohibition of making decisions about children based solely on automation.
  • Art. 25 GDPR – privacy by design & privacy by default.

Child protection does not result from a single provision, but from the entire structure of the regulation.

Why is children's data subject to special protection? 

Children's data are protected in a special way because minors do not fully understand the risks and consequences of sharing information about themselves.

The most important risks:

1. Preserving information for years to come

Data shared at the age of 10–13 may “come back” in adulthood – for example, in recruitment processes, in social contacts or when assessing creditworthiness (digital traces).

2. Susceptibility to manipulation

Minors are more sensitive to:

  • influence techniques in advertising,
  • FOMO mechanisms,
  • behavioral targeting,
  • dark patterns.

3. Risk of commercial profiling

Profiling children for marketing purposes is assessed very restrictively – in many cases it is even unacceptable.

4. Increased harmfulness of violations

Leaks of children's data can have long-term consequences, not just "momentary" ones as in the case of adult users.

When is parental consent required when processing a child's data?

Parental consent is mandatory when an information society service is offered directly to a child under 16 years of age.

This includes, among others:

  • online applications and games,
  • educational platforms,
  • social media,
  • newsletters for children,
  • registering accounts in online stores.

Parental consent is only required if:

  1. The service is aimed at children,
  2. The basis for processing is consent,
  3. The child is under 16 years of age.

How should an administrator verify parental consent?

A reasonable verification mechanism is required, e.g.:

  • e-mail verification + parental statements,
  • payment of PLN 1 to the parent's account,
  • logical steps to confirm the parent-child relationship.

The following methods are not allowed:

  • invasive (e.g. sending document scans),
  • inadequate (e.g. NIP or PESEL requests).

What information must the administrator provide to the child? 

The information must be:

  • simple,
  • understandable,
  • brief,
  • preferably supported by graphic elements.

The administrator should ensure:

  • plain language,
  • avoiding legal jargon,
  • iconography,
  • interactive messages,
  • understandable examples.

Can children be profiled for marketing purposes? 

As a rule, no. Profiling is only permitted in exceptional, particularly justified cases.

Prohibited practices:

  • behavioral advertising for children,
  • designing content that increases screen time,
  • data sales,
  • dark patterns encouraging purchases.

How to apply the privacy by design principle in services for children?

Privacy by design and privacy by default mean that systems created for children must protect their data to the maximum extent possible by default.

The administrator should:

1. Provide default privacy settings

  • private profile,
  • no location,
  • social features disabled,
  • no public friends lists.

2. Limit the data collected

Data minimization must be demonstrated.

3. Eliminate dark patterns

  • prohibited default consents,
  • hidden buttons,
  • difficulties in withdrawing consent.

4. Perform a DPIA

In children's services – almost always required.

If the project involves children, a DPIA is in practice mandatory.

What are the consequences for the administrator for violating children's data? 

The Personal Data Protection Office assesses:

  • understanding of the risk,
  • implemented security measures,
  • DPIA execution,
  • proper verification of consents,
  • language of communication.

Fines: up to EUR 20 million or 4% of turnover.

FAQ – frequently asked questions

Can a child independently consent to data processing?

Yes, but only in the scope of information society services and only if the person is at least 16 years old (in Poland). In other cases, parental consent is required.

Does a school need parental consent to publish photos of children?

Yes, if the processing is based on consent. However, the school may process data on other grounds (e.g., compliance with a legal obligation).

Is it possible to analyze children's behavior in educational applications?

Yes, but only when it is necessary to provide the service and the data is minimized and appropriately secured.

Can a child object to data processing?

Yes – everyone, including children, has the right to object. The controller must enable the submission of an objection in a simple and understandable manner.

Can the administrator share the child's data with advertising partners?

As a rule, no. Such actions are considered inconsistent with the GDPR.

Summary and recommendations

Children, as individuals particularly protected by the GDPR, require administrators to implement higher standards of security, data minimization, and transparency. Administrators should:

  • use simple language,
  • avoid marketing profiling,
  • implement privacy by design,
  • verify parental consent,
  • document risks (DPIA).

This article is for informational purposes only and does not constitute legal advice.
Legal status as of November 18, 2025.
