While the Dutch Civil Code states that those who have not reached the age of eighteen are considered minors, according to the GDPR, you are already considered an adult at sixteen. Until then, under the GDPR, you are regarded as a child. Because children often cannot fully comprehend the consequences of processing their personal data, they are seen as a vulnerable group that requires additional protection. Therefore, (additional) specific rules apply to the processing of their personal data.

In this article, we focus and limit ourselves to the additional rules under the GDPR regarding obtaining consent for the processing of children’s personal data, including health data in health apps.

To protect children, it has been determined that consent from the authorized parent or guardian is required to rely on “consent as the basis for processing.” The adult who has authority over the child will typically be able to make a better decision on behalf of the child. This consent is valid only when freely given, specific, informed, unambiguous, and understandable. How does this fit into current practice?

1. Specific consent is linked to the right to information, leading to informed consent. Prior to granting consent, the data subject must be informed about the processing of personal data, enabling them to make an informed decision and understand what they are agreeing to. This means that the information must be clear and understandable to the data subject (the child). The child must understand what happens to their personal data, who processes the data, why, etc., and the parent or guardian granting consent must also be aware of this. The information must be targeted towards that person as well.
2. To address this lack of clarity, it is advisable for every provider of a health app for children to prepare a privacy statement for the child and a privacy statement and consent form for the parent or guardian. This way, the child can understand what it is about, and the authorized individual is informed and empowered to make an informed decision. The privacy statements and consent form should be made available before the child’s data is processed.
3. Additionally, consent is valid only when the parent or guardian has been able to make a free choice, without the child being disadvantaged if consent is not given. Furthermore, consent must be sought for a specific processing purpose, not in general. Moreover, consent for the processing of health data must be “explicit.” This means that explicit confirmation of consent must be given through a direct statement, such as ticking a box saying “I give consent to…” at the bottom of a completed web form.
4. Finally, it is important for the data controller (the software developer in this case) to be able to demonstrate that valid consent has been obtained. It should be verified whether the person granting consent had the authority to do so. In other words, did the respective person have authority over the child in question?

It is not easy to verify whether a health app is being used by a child. After all, not all children have their own identification documents. The European Article 29 Working Party [1] has indicated that appropriate checks should be conducted to verify if a user is indeed older than sixteen, as claimed by the user. If the user states that they are not yet sixteen, this can be accepted without further verification. In this case, the authorized parent or guardian must grant consent for the processing of the child’s personal data.

The GDPR stipulates that the data controller must make “reasonable efforts” to verify whether the authorized parent has given consent for the processing or has authorized the granting of consent. The Dutch Data Protection Authority has not yet provided clarity on how to fulfill this open norm.

To ensure that the authorized parent or guardian of the child has provided the required consent, it must be demonstrated that the relevant person is genuinely authorized to give consent for this purpose.

In theory, parental authority can be demonstrated with an extract from the public Authority Register or from the Personal Records Database (BRP). However, in practice, the Authority Register only contains judicial decisions regarding authority, and therefore, it does not indicate automatic authority. Additionally, an extract from the BRP can only be requested by legally authorized organizations. This means that developers of health apps do not have the right to obtain such extracts.

[1] The Article 29 Working Party was replaced by the European Data Protection Board (EDPB) under the General Data Protection Regulation (GDPR).

So, what is a practical solution that reasonably allows us to assume that the person who granted consent was authorized to do so? Requesting a copy of a passport is one option to verify this authorization, but it is only permitted in exceptional cases. If it is still desired to use a copy of an identity document for verification, the Citizen Service Number (BSN) and the passport photo on the identity document should be shielded, for example, by using the “KopieID” app provided by the Ministry of the Interior or by otherwise concealing the data.

The WP29 suggests asking the parent or guardian to make a payment of €0.01, including a brief confirmation in the transaction description that the holder of the bank account is the authorized parent or guardian of the child. Another method that does not require payment is an iDIN check, where individuals can use their own bank login credentials to verify their identity. Another example mentioned by the WP29 and the European Commission is conducting an email verification: an email is sent to the parent or guardian, requesting an explanation to confirm their parental responsibility.