Apply Article 8 and Article 9 without turning every sensitive workflow into a generic consent exercise.
Use this guide to record age and parental-consent checks, special-category conditions, DPIA triggers, child-facing transparency, safeguards, and evidence for product, privacy, legal, security, support, HR, and vendor teams.
Structured answer sets in this page tree.
Cited legal and guidance references.
Children's data and special-category data are separate GDPR checks that often appear in the same product or business process. Article 8 adds conditions when consent is the Article 6 basis for an information society service offered directly to a child. Article 9 starts from a prohibition on processing special categories of personal data and then asks whether a specific Article 9(2) condition, safeguards, and evidence support the processing.
Do not start with a single label such as sensitive users or vulnerable data. First decide whether the service is offered directly to a child and relies on consent under Article 6(1)(a). Then decide whether any data falls into Article 9 categories such as health data, genetic data, biometric data used for unique identification, political opinions, religion, trade union membership, sex life, or sexual orientation.
Article 8 does not create a universal age gate for every child-related processing activity. It applies to consent for information society services offered directly to children. Article 9 is broader: if a listed special category is processed, the team must identify a condition in Article 9(2) and keep the supporting law, consent record, safeguard, or operational evidence.
Article 9 begins with a prohibition. Processing is allowed only where a listed condition applies, such as explicit consent, employment and social protection law, vital interests where the person cannot consent, legitimate activities of certain non-profit bodies, data manifestly made public by the data subject, legal claims, substantial public interest under law, health or social care conditions, public-health interest, or archiving, research, or statistical purposes with Article 89 safeguards.
The condition is not enough on its own when the text requires Union or Member State law, professional secrecy, suitable and specific measures, or Article 89 safeguards. The implementation record should identify those safeguards in operational terms: access limits, separation of duties, retention limits, purpose boundaries, security controls, staff confidentiality, and review ownership.
A DPIA is required before processing that is likely to result in a high risk to natural persons. Article 35 specifically calls out large-scale Article 9 processing, large-scale Article 10 processing, systematic and extensive automated evaluation that significantly affects people, and large-scale systematic monitoring of publicly accessible areas.
For child and special-category workflows, the DPIA screen should also look for vulnerability, sensitive data, large scale, innovative technology, profiling, monitoring, data matching, and residual high risk. If several criteria apply, document the DPIA decision rather than treating it as a privacy-office preference.
Article 12 requires concise, transparent, intelligible, and easily accessible information using clear and plain language, especially where information is addressed to a child. A child-facing notice should explain the controller, purposes, data categories, consent choices, withdrawal, rights, retention, sharing, and safeguards in language that matches the intended audience.
The internal evidence should match the external notice. If the notice says location data is optional, the consent log, product settings, DPIA, and access-control record should prove that it is optional. If a special-category condition depends on law or professional secrecy, the evidence should identify that law, role, or confidentiality control.
No. Article 8 applies where consent under Article 6(1)(a) is used for an information society service offered directly to a child. Member States may set a lower age for that purpose, but not below 13. If a team needs a specific Member State age, it should cite grounded Member State law before publishing or implementing it.
No. Article 9(2)(a) is one possible condition, but the GDPR says Union or Member State law may provide that the Article 9 prohibition cannot be lifted by consent. The team must also satisfy Article 6 and any required safeguards, notice, withdrawal, minimisation, retention, and security controls.
A DPIA is required where processing is likely to result in high risk. Article 35 specifically requires one for large-scale special-category processing, and DPIA screening should escalate when child users, vulnerability, profiling, monitoring, innovative technology, large scale, or residual high risk are present.
Sorena can help convert the checks on this page into cited questions, owner assignments, evidence requests, consent records, DPIA screens, and review triggers for EU GDPR work.
Ask cited questions about Article 8, Article 9, DPIA triggers, transparency, safeguards, and evidence using the sources on this page.
Review a child-facing service, special-category workflow, consent design, DPIA screen, or evidence pack with Sorena.
"define and describe the context"
"controls for obtaining consent"
"mandatory for any new high risk"
"clear and plain language"