| Dokumendiregister | Andmekaitse Inspektsioon |
| Viit | 2.2-9/25/645-2 |
| Registreeritud | 12.03.2025 |
| Sünkroonitud | 13.03.2025 |
| Liik | Väljaminev kiri |
| Funktsioon | 2.2 Loa- ja teavitamismenetlused |
| Sari | 2.2-9 Selgitustaotlused |
| Toimik | 2.2-9/2025 |
| Juurdepääsupiirang | Avalik |
| Juurdepääsupiirang | |
| Adressaat | Warning Technologies, LLC |
| Saabumis/saatmisviis | Warning Technologies, LLC |
| Vastutaja | Grete-Liis Kalev (Andmekaitse Inspektsioon, Koostöö valdkond, Koolitus- ja ennetustiim) |
| Originaal | Ava uues aknas |
FOR DATA PRIVACY AND FREEDOM OF INFORMATION
Tatari tn 39 / 10134 Tallinn / 627 4135 / [email protected] / www.aki.ee / registrikood 70004235
Tom Nash
Yours: 26.02.2025 nr Ours: 12.03.2025 nr 2.2-9/25/645-2
Answer to request Estonian Data Protection Inspectorate received your questions regarding the age of consent for a software system to collect child’s personal data, verified parental consent and overall child privacy laws. Firstly, if information society services are offered directly to a child who is at least 13 years of age, parental consent is not needed according to the Estonian Personal Data Protection Act § 8 (1). It is important to emphasise that this legal provision is only applicable if the service in question is an information society service. Information society services are by definition services which are provided in the form of economic or professional activities at the direct request of a recipient of the services, without the parties being simultaneously present at the same location, and such services involve the processing, storage or transmission of information by electronic means intended for the digital processing and storage of data according to the Information Society Services Act § 2 (1). Therefore, it will be necessary to determine whether or not your service falls within this definition. If so, the child who is at least 13 years old can give consent for processing their personal data. Secondly, the parental consent is needed when the information society services are offered to a child who is below 13 years of age. Additionally, if the service is not information society service, the parental consent is needed even if the child is above 13 years of age. It must be also considered how the processing is lawful if the warning is sent about a child who (or their parent) has not given consent. Pursuant to the Article 5 (1) (a) GDPR personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Therefore, a legal basis is required for processing personal data. Thirdly, Estonia does not have an online system for parental consents. The accounts of the children can be created by the parent and by that process the controller verifies the parent as an adult. We do not recommend collecting additional personal data (driver’s licence etc) to verify the parental consent. Pursuant to the Article 5 (1) (c) personal data shall be relevant and limited to what necessary in relation to the purposes for which they are processed. Collecting a copy of an ID-card or any other form of identification may create higher risks to the rights and freedoms of natural person. Consequently, we recommend conducting a data protection impact assessment (DPIA) before processing personal data due to the fact that processing children’s personal data is likely to result in a high risk processing even without collecting additional data (driver’s licence etc) to verify their parent.1 Lastly, in Estonia we do not have a specific child privacy laws, nonetheless Child Protection Act shall be established in order to form behaviour and way of life which value and promote the development of children in the society. Child Protection Act § 27 (1) states that all persons who 1 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result
in a high risk” for the purposes of Regulation 2016/679. Adopted on 4 April 201, As last Revised and Adopted on 4
October 2017, page 9-10. Website: https://ec.europa.eu/newsroom/article29/items/611236
2 (2)
have a knowledge of a child in need of assistance are required to notify of the child in need of assistance to the local government or to child helpline service 116 111. Additionally, Child Protection Act § 31 (1) states that all persons who have knowledge of a child in danger shall be required to notify of the child in danger immediately through the emergency call number 112. Thus the processing of children’s personal data is already regulated by the Child Protection Act when it comes to notifying of children in need or in danger. However, this is a legal basis for direct notification to a relevant authority, not via platform etc. We have a guideline (in Estonian) which describes the process when a child is in need or in danger occurs and how to act. Unfortunately, we do not have any other data protection specific guidelines on children’s privacy. We recommend conducting a DPIA and researching European Data Protection Board’s guidelines and opinions thoroughly before starting the data processing. Hope this answer helps you. Best regards
Grete-Liis Kalev
lawyer
authorized by Director General
| Nimi | K.p. | Δ | Viit | Tüüp | Org | Osapooled |
|---|