On 23 April 2020, the Personal Data Protection Authority (DPA) issued an announcement regarding the protection of children’s personal data. The DPA published eight brochures containing practical recommendations for children, parents and product/service developers to ensure the effective protection of children’s personal data. The DPA’s announcement is available online here (in Turkish).
The DPA stated that, especially in these times of a pandemic outbreak, children have been spending a significant amount of time online, and that they are vulnerable to the risks related to their online activities due to the weaker parental supervision on the internet and the children’s lack of awareness regarding the processing of their personal data. In this respect, the DPA urged parents to increase their knowledge and self-awareness regarding protection of their children’s personal data and guide their children accordingly. The DPA also required product/service developers to pay due consideration to compliance with Law No. 6698 on Protection of Personal Data (“Data Protection Law“) in this regard.
The DPA’s brochures for children contain explanations on the importance of privacy notices, risks concerning online platforms and the appropriate measures such as creating secure passwords. Brochures for adults provide recommendations on how parents can protect their children from online risks, noting that adults must increase their awareness of the protection of their children’s personal data.
The DPA also provided guidance for product and service developer data controllers on the subject matter. Accordingly, data controllers must comply with the fundamental principles under the Data Protection Law, limit their processing activities as necessary in accordance with the data minimization principle, prepare privacy notices suitable to the perception level of children, which contain pictures and visuals, and take high-level technical and organizational measures such as systems to verify the age of the children.
The DPA’s guidance on children’s data is similar to the practices for processing children’s data under the General Data Protection Regulation (GDPR). According to the GDPR, data controllers processing the personal data of children under a certain age based on consent must initially obtain the parent’s or legal guardian’s explicit consent. Data controllers must also take technical measures to verify the data subjects’ ages and prepare privacy notices suitable for children. The DPA also provides similar explanations on the processing of children’s personal data, stating that data controllers must send privacy notices and explicit consent forms to the parents/legal guardians when necessary and take the necessary measures to ensure data security.
The DPA continues to provide guidance on data controllers’ obligations under the Data Protection Law. Further to the DPA’s instructions, data controllers processing children’s personal data must abide by the data minimization principle, prepare privacy notices suitable for children and take technical and organizational measures to ensure high-level data protection.
Please stay up to date with further developments through the Esin Attorney Partnership Coronavirus Helpdesk.