At the present time’s Türkiye and around the world, children who grow up amidst technology leave digital footprints containing personal data, just like any other digital users. According to the data from the “Survey on Information Technologies Usage Among Children” conducted by TURKSTAT, 82.7% of children aged 6-15 regularly use the internet in Türkiye. Processing the personal data of children who live so intertwined with the internet and technology is inevitable.
According to Article 1 of the United Nations Convention on the Rights of the Child, except for the early legal adulthood situation, every individual is considered a child until the age of eighteen. In Türkiye, a “child” is defined as a person who has not reached the age of eighteen in both the Child Protection Law and the Turkish Penal Code.
The point that data controllers should pay particular attention to when processing children’s data is the principle of the Best Interest of the Child… According to Article 3 of the United Nations Convention on the Rights of the Child, the best interest of the child is the primary consideration in all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities, or legislative bodies.
There is no specific regulation regarding the processing of children’s personal data in Law No. 6698 on the Protection of Personal Data (KVKK), leading to uncertainty and potential issues in practice. One of the most common problems encountered is determining how to obtain explicit consent when the data subject is a child. To understand the processing of children’s personal data, one must refer to the custody provisions of the Turkish Civil Code. Custody entails all rights of parents over the persons and assets of their minor or incapacitated children, established for the purpose of ensuring their care and protection. According to Article 335 of the Turkish Civil Code, non-adult children are under the custody of their parents. Therefore, the authority to give consent or authorization for actions requiring legal capacity and to act on their behalf lies with the parents.
The “Regulation on Personal Health Data” in its 8th article titled “Access to Children’s Health Data” states that parents can access their children’s health records through e-Nabız without the need for any consent. Discerning children, however, can regulate their parents’ access to their health records via e-Nabız.
The Personal Data Protection Board issued Decision No. 2020/622 dated 11.08.2020, which states that considering the best interest of the child, personal data protection rights should be considered as a relative right closely related to the individual. In the case covered by the decision, the request made by the individual, who had not yet reached the age of 18, for the deletion of the health report from the records, was not responded to. Subsequently, the legal representative, the father, filed a complaint with the Board. The decision referred to the provisions of the Civil Code regarding the discernment of minors and made a distinction based on whether the minor had discernment.
The guide titled “Guidelines for Product and Service Developers to be Considered” published by the Personal Data Protection Board specifies the precautions to be taken when processing children’s data:
- Data processing activities/quantity should be kept to a minimum in line with the principle of data minimization when processing children’s personal data in products and services.
- If the product or service is intended for children, informative texts suitable for children’s comprehension level, supported if necessary with pictures and visual effects, should be prepared within the scope of the obligation to inform, using a clear and simple language.
- Age verification systems should be used, taking into account existing technology. (For example, questions that only a child of that age can answer can be asked to verify consent and age.)
- In cases where children’s data is processed, a proactive approach should be adopted to take technical and administrative measures at the highest level.
- Appropriate policies and mechanisms should be developed to enable children to be aware of their rights and exercise them.
The processing of personal data of children is stated in Article 8 of the European General Protection Regulation (GDPR) titled “Conditions Applicable for the Child’s Consent to Information Society Services”, in relation to the provision of information society services directly to a child, if the child is at least 16 years old. It has been stated that the processing of the child’s personal data is lawful.. If the child is below 16 years of age, such processing activity is only lawful if consent is given or authorized by the holder of parental responsibility over the child. The Regulation also allows EU member states to set their own age limit, provided that it is not below 13 years.
The term “information society services” mentioned in Article 8 of the GDPR generally refers to any service provided electronically, usually for a fee or upon request. In this context, all educational, gaming, and social media applications used by children can be considered information society services. However, there is no explicit provision on how parental consent can be obtained in the same law. Nevertheless, the law’s third paragraph states that the data controller must “make reasonable efforts, taking into consideration available technology, to verify that consent is given or authorized by the holder of parental responsibility over the child.”
Since Law No. 6698 on the Protection of Personal Data is largely derived from the EU Data Protection Directive 95/46/EC, and there is no specific provision regarding children’s personal data in the said directive, there is no separate provision in our law for the protection of children’s personal data. Considering the crucial importance of processing children’s personal data, it should be thoroughly examined within our country’s personal data protection legislation.
