The DPC considers that where organisations have conducted (or have failed to conduct) a thorough and meaningful DPIA in relation to the processing of personal data of child users, this will be a relevant factor in any assessment by the DPC of an organisation’s compliance with its obligations under the GDPR, particularly in relation to the controller’s responsibilities under Article 24 (as referenced at the beginning of Section 7) including the obligation to take account of the varying likelihood and severity of risks posed to individuals as result of the processing of their personal data. A child-oriented DPIA is the first step in mitigating risk arising from processing children’s personal data, and will be seen as a key act of compliance with existing legal requirements for protecting the position of children as data subjects.

The DPC, having examined in detail the additional protections required under the GDPR in relation to child users, has identified a number of practical recommended measures (see Section 7.2) to create safer, more appropriate and more privacy-respecting online environments for children to play, interact, learn and create than currently exists. 

During  2021/2022 we engaged in a consultation and observation process with the Data Protection Commission (DPC) Ireland, to digitally transform Section 7 tools into an online collaboration Child-Oriented DPIA and Data Protection by Design and Default toolkit with Microsoft 365 Excel. This toolkit empowers organisations with a dynamic cloud-based templates solution, to simplify compliance with the following two key principles of the Fundamentals:

1. 13. DO A DPIA: Online service providers should undertake data protection impact assessments (DPIA) to minimise the data protection risks of their services, and in particular the specific risks to children which arise from the processing of their personal data. The principle of the best interests of the child must be a key criterion in any DPIA and must prevail over the commercial interests of an organisation in the event of a conflict between the two sets of interests (Section 7.1 “Data Protection Impact Assessments”).
2. 14. BAKE IT IN: Online service providers that routinely process children’s personal data should, by design and by default, have a consistently high level of data protection which is “baked in” across their services (Section 7.2 “Data Protection by Design and Default”).

Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka-AZOP) and Data Protection Commission Ireland during their every day work noticed that there is still a lot of ambiguities in the application of the GDPR by the SMEs. These findings are also supported by a large number of written queries and even greater number of phone calls which this two authorities receive on daily basis. It is essential to emphasize that SMEs are still struggling with the implementation of the GDPR and sometimes do not even know how to begin in order to align their business activities with the GDPR requirements.