My favourites

Chapter II – Principles (Art. 5-11)

Art 5 GDPR - Principles relating to processing of personal data arrow_right_alt

Art. 6 GDPR - Lawfulness of processing arrow_right_alt

Art. 7 GDPR - Conditions for consent arrow_right_alt

Art. 8 GDPR - Conditions applicable to child's consent in relation to information society services arrow_right_alt

  1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
    Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
  2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
Close tabsclose
  • 38
  • 59

Recital 38

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

Recital 59

Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

Art. 9 GDPR - Processing of special categories of personal data arrow_right_alt

Art. 10 GDPR - Processing of personal data relating to criminal convictions and offences arrow_right_alt

Art. 11 GDPR - Processing which does not require identification arrow_right_alt