--- title: "EU GDPR Children and Special-Category Data Guide" canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/children-and-special-categories" source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/children-and-special-categories" author: "Sorena AI" description: "source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU GDPR" - "Article 8 GDPR" - "Article 9 GDPR" - "children's consent" - "special categories of personal data" - "DPIA" - "transparency notices" - "children's data" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU GDPR Children and Special-Category Data Guide source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records. *Artifact Guide* *EU GDPR* ## GDPR children's data and special-category checks Apply Article 8 and Article 9 without turning every sensitive workflow into a generic consent exercise. Use this guide to record age and parental-consent checks, special-category conditions, DPIA triggers, child-facing transparency, safeguards, and evidence for product, privacy, legal, security, support, HR, and vendor teams. Children's data and special-category data are separate GDPR checks that often appear in the same product or business process. Article 8 adds conditions when consent is the Article 6 basis for an information society service offered directly to a child. Article 9 starts from a prohibition on processing special categories of personal data and then asks whether a specific Article 9(2) condition, safeguards, and evidence support the processing. ## Separate the Article 8 and Article 9 questions Do not start with a single label such as sensitive users or vulnerable data. First decide whether the service is offered directly to a child and relies on consent under Article 6(1)(a). Then decide whether any data falls into Article 9 categories such as health data, genetic data, biometric data used for unique identification, political opinions, religion, trade union membership, sex life, or sexual orientation. Article 8 does not create a universal age gate for every child-related processing activity. It applies to consent for information society services offered directly to children. Article 9 is broader: if a listed special category is processed, the team must identify a condition in Article 9(2) and keep the supporting law, consent record, safeguard, or operational evidence. - Record whether consent is the Article 6 lawful basis; if not, explain why Article 8 is not the operative consent rule. - For Article 8 consent, record whether the child is at least 16 or whether a grounded Member State rule lowers the age, never below 13. - If the child is below the applicable age, record how consent was given or authorised by the holder of parental responsibility. - For Article 9 data, name the exact category and the Article 9(2) condition rather than writing sensitive data as a catch-all. - Keep Article 8 and Article 9 conclusions separate in the ROPA, DPIA, privacy notice, consent log, and product approval record. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary legal text for Article 8 children's consent, Article 9 special-category processing, Article 12 transparency, and Article 35 DPIA triggers. ## Handle consent and parental authorisation without over-collecting When Article 8 applies, the controller must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility, taking available technology into account. The evidence should show what was checked, why the method was proportionate to the risk, and why it did not collect more personal data than needed. Do not publish a country-by-country age table unless the relevant Member State rule is grounded. A safer artifact records the default GDPR age of 16, flags that Member States may lower it to no less than 13, and requires Member State legal confirmation before launch in a specific Member State. - Evidence to keep: age-screen design, consent wording, parental-authorisation method, verification rationale, withdrawal path, and product change history. - Low-risk checks should avoid identity-document collection when a lighter method can show reasonable effort. - Higher-risk services should justify stronger age or parental-responsibility checks and the retention of verification evidence. - When a child reaches the applicable age of digital consent, define how the user can confirm, modify, or withdraw an earlier parental consent. - Consent withdrawal, account deletion, and right-to-erasure flows should be tested for child accounts and not only adult accounts. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 8 states the age threshold, the Member State lower-age floor, and the reasonable-efforts verification duty. - [CNIL PIA templates](https://www.cnil.fr/en/privacy-impact-assessments-cnil-publishes-its-pia-manual?ref=sorena.io) - CNIL template material supports keeping consent controls, child-adapted language, user-rights controls, and risk-treatment records in the DPIA file. ## Choose an Article 9 condition and attach safeguards Article 9 begins with a prohibition. Processing is allowed only where a listed condition applies, such as explicit consent, employment and social protection law, vital interests where the person cannot consent, legitimate activities of certain non-profit bodies, data manifestly made public by the data subject, legal claims, substantial public interest under law, health or social care conditions, public-health interest, or archiving, research, or statistical purposes with Article 89 safeguards. The condition is not enough on its own when the text requires Union or Member State law, professional secrecy, suitable and specific measures, or Article 89 safeguards. The implementation record should identify those safeguards in operational terms: access limits, separation of duties, retention limits, purpose boundaries, security controls, staff confidentiality, and review ownership. - Explicit consent under Article 9(2)(a) must be for specified purposes and should not be used where Union or Member State law says the prohibition cannot be lifted by consent. - Substantial public interest, public health, employment, social protection, research, and statistical conditions require a legal basis or safeguards that must be named in the record. - Health, genetic, and biometric workflows need extra review because Member States may maintain or introduce further conditions or limitations. - Special-category fields in vendor contracts and processor instructions should name the actual data type, not merely cite Article 9. - If the team cannot identify an Article 9(2) condition and required safeguards, the processing should not be approved. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 9 lists the special categories, the prohibition, the exceptions, and the extra Member State flexibility for genetic, biometric, and health data. ## Trigger a DPIA when risk factors stack up A DPIA is required before processing that is likely to result in a high risk to natural persons. Article 35 specifically calls out large-scale Article 9 processing, large-scale Article 10 processing, systematic and extensive automated evaluation that significantly affects people, and large-scale systematic monitoring of publicly accessible areas. For child and special-category workflows, the DPIA screen should also look for vulnerability, sensitive data, large scale, innovative technology, profiling, monitoring, data matching, and residual high risk. If several criteria apply, document the DPIA decision rather than treating it as a privacy-office preference. - Run a DPIA screen before launch for health features, biometric identification, child-targeted services, profiling, monitoring, or large-scale support and HR datasets. - Seek the DPO's advice where a DPO is designated and keep the advice with the DPIA record. - If processors are involved, require enough information to assess the processing, risks, safeguards, sub-processors, and incident handling. - If residual high risk remains after mitigation, consult the supervisory authority before processing under Article 36. - Review the DPIA when a product, technology, data category, child audience, retention period, transfer, or risk environment materially changes. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 35 sets the DPIA threshold and explicitly includes large-scale special-category processing. - [Data Protection Commission - Data Protection Impact Assessments](https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments?ref=sorena.io) - DPC guidance supports using DPIAs to identify and mitigate data-protection risks early, documenting risk decisions, and involving project, DPO, processor, and data-subject perspectives where appropriate. - [CNIL PIA methodology](https://www.cnil.fr/en/privacy-impact-assessments-cnil-publishes-its-pia-manual?ref=sorena.io) - CNIL methodology supports the structured PIA record: context, fundamental principles, data-security risks, controls, validation, and monitoring over time. ## Make notices and evidence usable for children and reviewers Article 12 requires concise, transparent, intelligible, and easily accessible information using clear and plain language, especially where information is addressed to a child. A child-facing notice should explain the controller, purposes, data categories, consent choices, withdrawal, rights, retention, sharing, and safeguards in language that matches the intended audience. The internal evidence should match the external notice. If the notice says location data is optional, the consent log, product settings, DPIA, and access-control record should prove that it is optional. If a special-category condition depends on law or professional secrecy, the evidence should identify that law, role, or confidentiality control. - Keep a child-facing notice or layered explanation for services offered directly to children. - Attach the Article 8 age and parental-authorisation rationale to the consent log. - Attach the Article 9(2) condition, safeguards, and special-category data map to the ROPA and DPIA. - Keep proof that rights workflows can handle child accounts, parental contacts, and special-category records without exposing data to the wrong person. - Keep change records for age gates, consent screens, privacy notices, data categories, processors, retention rules, and security controls. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 12 supports child-appropriate transparency, and Articles 13, 14, 15 to 22, and 34 connect notice, rights, and breach communications. - [CNIL PIA templates](https://www.cnil.fr/en/privacy-impact-assessments-cnil-publishes-its-pia-manual?ref=sorena.io) - CNIL templates support recording consent controls, rights controls, security controls, risk treatment, and validation evidence. *Recommended next step* *Placement: before sources* ## Build the Article 8, Article 9, DPIA, and transparency evidence in one place Sorena can help convert the checks on this page into cited questions, owner assignments, evidence requests, consent records, DPIA screens, and review triggers for EU GDPR work. - [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask cited questions about Article 8, Article 9, DPIA triggers, transparency, safeguards, and evidence using the sources on this page. - [Talk through implementation](/contact.md): Review a child-facing service, special-category workflow, consent design, DPIA screen, or evidence pack with Sorena. ## Primary sources - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary source for Article 8 children's consent, Article 9 special-category processing, Article 12 transparency, Article 35 DPIAs, and Article 36 prior consultation. - Quote: "protection of personal data" - [Data Protection Commission - Data Protection Impact Assessments](https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments?ref=sorena.io) - DPIA guidance for high-risk project screening, documentation, stakeholder involvement, DPO advice, processor assistance, and residual-risk escalation. - Quote: "identify and mitigate" - [CNIL PIA methodology](https://www.cnil.fr/en/privacy-impact-assessments-cnil-publishes-its-pia-manual?ref=sorena.io) - PIA methodology support for context mapping, fundamental-principles review, security-risk assessment, formal validation, and continuous monitoring. - Quote: "continuous improvement process" - [CNIL PIA templates](https://www.cnil.fr/en/privacy-impact-assessments-cnil-publishes-its-pia-manual?ref=sorena.io) - Template support for consent controls, child-adapted language, data-subject rights, security controls, and risk-treatment evidence. - Quote: "controls for obtaining consent" ## Related Topic Guides - [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives. - [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence. - [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live. - [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data. - [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence. - [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs. - [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records. - [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence. - [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties. - [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence. - [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence. - [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks. - [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required. - [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits. - [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15. - [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records. - [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers. - [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks. - [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records. - [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f). - [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together. - [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence. - [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors. - [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable. - [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures. - [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers. - [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields. - [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required. - [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers. - [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis. - [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence. - [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not. - [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance. - [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers. - [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records. - [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits. - [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability. - [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements. - [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/children-and-special-categories