Consent for processing children's data in the EU
Please give an overview of the topic you wish to discuss, and your particular situation.:
We are a Market Research firm based in ***. We conduct market research surveys on Gen Z and Millenials (13-39) and just moving to international data collection. We use panel providers so do not have our own panel of participants. I'm trying to write our first Privacy Notice and am struggling with stating rights for revoking parental consent to processing of children's data. While we collect sensitive information like (gender, age, ethnicity, etc) we do not collect email address, names, addresses which would be personally identifiable. Howevever, to ensure data integrity we do collect IP Address automatically in our surveys along with other geolocation data. This is only used to ensure survey participants are truly from where they say they are from and that they are not repeat participants for that particular survey. After the survey is complete and we have reviewed for accuracy we remove that information from the data rendering the other data anonymous. If we tell them they can withdraw consent even within that 14 day period though the likelihood of use locating the exact record for that respondent is very slim. Is it ok to state that? For example: "If the legal basis for processing is parental consent you have the right to withdraw your consent for processing. Due to the limited information we collect, however, location of the data may not be possible. However, we will make every effort to do so. If you wish to withdraw consent to the processing of your child’s data please email ***."
Any help greatly appreciated.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
From the user experience that you described in this survey, the withdrawal of consent has a narrow timeframe which is fine, it can be also shorter, you can decide to erase data after reaching the purpose of processing which is to verify the identity of the teenage participant to the survey. So you can also implement a system that lets you a small amount of personal data for a limited period and develop only anonymous data. In this case, withdrawal of consent will be possible for a short period of time, but it is fine until you state it in the privacy notice.You can set different data retention periods, i.e., you may say that you are going to process localization data for 24 hours, IP address for 2 days, etc., and that at the end of processing you will keep anonymous data, removing all personally identifiable information.
If you need more information about how to implement data subjects rights, these articles may help:
- Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
- Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
- Four main questions for obtaining and managing data subjects’ consent under GDPR https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Comment as guest or Sign in
Jun 01, 2021