Article 8

Conditions applicable to child's consent in relation to information society services

General Data Protection Regulation · UE 2016/679

Conditions applicable to child's consent in relation to information society services

1.   Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

2.   The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3.   Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Luxembourg specificity
loi luxembourgeoise du 1er aout 2018 portant organisation de la Commission nationale pour la protection des donnees et du regime general sur la protection des donnees

In Luxembourg, the child's consent threshold is set at 16, as the law of 1 August 2018 establishing the CNPD and the general data protection regime did not use the lowering option in Article 8(1). A Luxembourg service must therefore obtain parental authorisation for any minor under 16, whereas France, Belgium or other States apply 13, 14 or 15. The CNPD is the sole competent authority (never the APDL).

Luxgap practice: if your service also targets French or Belgian users, never hard-code a single threshold at 16, configure per-jurisdiction detection to apply the correct age and avoid non-compliance in countries with a lower threshold.