Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Personal data and minor in a transport service context


Published on

CIT Workshop 18 June 2019

Published in: Law
  • Be the first to comment

  • Be the first to like this

Personal data and minor in a transport service context

  2. 2. Context • Complex interplay due to a legal patchwork • Processing of personal data in general (GDPR) • No specific rules for children/minors • Mention of “specific protection” (“vulnerable persons”) • Legitimate interest • Further processing • DPIA • Processing of personal data and information society services (article 8 GDPR and member state law – Directive 2015/1535) • Limited scope when compared to all possible data processing activities • Legal capacity of minors (Rome I Regulation) • Article 8.3 GDPR does not impact general contract law • Right to travel alone (member state law)
  3. 3. Context Article 8 GDPR: 1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. 2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology. 3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
  4. 4. Context • Information society service • “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services” • Typical examples • Online selling of products and services • Online information services (e.g. online newspapers) • Online advertising • Online professional services • Social media • CJEU case law clarifies scope in case of ‘composite services’
  5. 5. Notion of child and right to travel alone • No specific definition of the notion of “minor” or “child” • National law shall apply to the age of majority • UN Convention of the Rights of the Child: 18 years • 18 years in all EU member states, except Scotland where children are assumed to have full legal capacity from the age of 16 years • Right of minors to travel alone • National law shall determine which documents are required (country of origin and destination, as well as transit countries)
  6. 6. National definitions of underage (13-16 years) • Many member states have applied the possibility to reduce the age limit • 13 years: Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal, Sweden, UK • 14 years: Austria, Bulgaria, Cyprus, Italy, Lithuania, Spain • 15 years: Czech Republic, France, Greece (pending), Slovenia (pending) • 16 years: Croatia, Germany, Hungary, Ireland, Luxembourg, Netherlands, Poland, Romania, Slovakia • Limited scope • This age limit only applies in the context of information society services offered directly to a child (!) • Some countries have applied a broader approach
  7. 7. National definitions of underage (13-16 years) • How to determine applicable law? • Consent pursuant to article 6.1.a GDPR • Unified approach under GDPR • Consent pursuant to article 8 GDPR • Territorial scope of national law provisions? • No unified approach • Consent under contract law • Rome I Regulation
  8. 8. Consent from or on behalf of minors • Practical approach • Is consent the most opportune legal ground? • If consent is the most opportune legal ground: • Information society service? • National law adopted pursuant to article 8 GDPR • Other context • National law and/or national law adopted pursuant to article 8 GDPR for some countries • Practical issues • How to verify the age of a child? • How to obtain consent? • Do not forget other legal aspects • General contract law – legal capacity: if the child cannot execute an agreement, it will not be possible to invoke contractual necessity
  9. 9. Consent from or on behalf of minors • How to collect consent from legal representatives? • Information society service • Reasonable effort to verify consent is given by holder of parental responsibility, taking into account available technology • Consent forms • E-mail mechanisms • No information society service • Verification obligation? • Keep member state legislation in mind
  10. 10. Consent from or for minors • Example: online purchase of a train ticket (international train travel) • Legal aspects • Contract law (transport service) • Processing of personal data • Information society service: online sale of a ticket (?) • Contractual necessity vs. consent • Traditional processing, e.g. security purposes during onboarding • Legitimate interest vs. consent • Travelling unaccompanied • Documentary requirements • If not processed in an automated manner or stored in a filing system: GDPR does not apply
  11. 11. GDPRAND MINORS, MAYBE NOT SO CLEAR … Johan Vandendriessche Partner | Affluo Professor ICT Law | UGent +32 486 366 234 11