Looking for an external Data Protection Officer?DATUREX GmbH Dresden

GDPR — Table of Contents

AI-generated summary

This provision sets specific rules for children's consent to information society services, establishing 16 as the default minimum age for valid consent, with Member States able to lower it to no less than 13 years. Controllers must make reasonable efforts to verify that parental consent has been obtained for children below the applicable age threshold.

Art. 8 GDPR

Conditions applicable to child's consent in relation to information society services

(1.)Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

(2.)The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

(3.)Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Source:: EUR-Lex CELEX 02016R0679-20160504
Citation:: OJ L 119, 04.05.2016, p. 1; corrected by OJ L 127, 23.05.2018, p. 2
As of:: 2016-05-04
Retrieved:: 2026-02-25