The goal of information security is to protect an organisation’s business processes. This means responsibility for the security of the entire operating system and the ability to resist any activities that threaten the availability, authenticity, integrity, and confidentiality of data processed in the system or the services provided and accessed through the system, according to the Estonian data protection regulator.

The information assets include all IT resources – hardware, software, various data communication devices, etc. However, people working in an organisation and customers can also be considered information assets. Therefore, it can be said that data protection and information security are like two sides of the same coin: data protection determines the basic principles of personal data processing, while information security helps to implement these principles. 

Stay up to date! Sign up to receive our fortnightly digest via email.

Beyond the simple fact that it makes good business sense to ensure information security and protect assets, the obligation to implement information security comes among other things from data protection laws, which state that personal data security must be ensured by appropriate and secure measures. This means that each situation must be assessed individually. To start with: 

• Map out what your organisation does and what business processes it involves. 
• Identify the assets you have in place—whether they’re customer data, documents, employees, information systems, or security equipment. 
• Don’t forget your “global defense zone”: your physical office, home office, coworking spaces, and other locations where your organisation’s assets and information might be located.
• If something major happens in any of these components, you need to know immediately if and how it will impact your organisation.

As a general approach, try to process as little personal data as necessary and only when needed, stresses the Estonian regulator.

List of AI companies signed up to the EU Code of Practice

The Commission has published the full list of signatories to the EU’s generative AI Code of Practice initiative so far, known also as the Code of Practice for General Purpose AIs (GPAIs), published on July 10, 2025. This will reduce their administrative burden and give them more legal certainty than if they proved compliance through other methods.

Among signatories there are: Amazon, Anthropic, Google, IBM, OpenAI, Microsoft, Mistral AI and a dozen other companies, (some signatories may not appear immediately on the list). In addition, xAI signed up to the Safety and Security Chapter; this means that it will have to demonstrate compliance with the AI Act’s obligations concerning transparency and copyright via alternative adequate means.

The code has also been complemented by Commission guidelines and the Q&A on key concepts related to general-purpose AI models. 

More legal updates

European Biotech Act: The Commission opened a consultation, until 10 November, as part of the development of the European Biotech Act. It will propose a series of measures to create an enabling environment to accelerate the transition of biotech products from laboratory to factory and to the market, while maintaining the highest safety standards for the protection of the population and the environment. The act will address growing dependencies in biotech on data, storage, computing power, and AI. 

In the EU, biotechnology reached a gross value added in 2022 of 38.1 billion euros: the highest contribution came from medical and pharmaceutical biotechnologies, and the fastest-growing area was industrial biotechnology. At the same time, European biotech companies face an opportunity gap, with the US having twice as many early-stage venture capital deals and three times as many late-stage deals. Over the last six years, 66 of the 67 biotech companies going public have targeted the US NASDAQ rather than European stock markets. 

California privacy updates: The California Privacy Protection Agency (CPPA) has filed a judicial action seeking to enforce an investigative subpoena against Tractor Supply Company, a Fortune 500 company that bills itself as the nation’s largest rural lifestyle retailer. The CPPA’s petition alleges that Tractor Supply failed to comply with a subpoena seeking information about the company’s compliance with the California Consumer Privacy Act of 2018. The petition marks the CPPA’s first public disclosure of an ongoing investigation into a company and its first judicial action to enforce an investigative request. The agency has been investigating whether Tractor Supply failed to honour Californians’ right to opt out of the sale and sharing of their personal information online. 

More from supervisory authorities

GDPR from A to Z:  The German Federal Data Protection Commissioner (BfDI) has updated a catalogue that provides a compact compilation of the most important legal texts: the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). In addition to the legal texts and the references to the GDPR, it contains explanations of specific topics and vague legal terms.

Data memorisation in LLMs: Additionally, the BfDI has finished its consultation on processing personal data in large language models in a way that complies with data protection laws. Civil society, industry, and scientific groups were all included in the consultation. It looked for information about the limits of anonymisation, the memorisation of personal information, the dangers of data extraction, and the protection of the rights of data subjects under the GDPR in AI systems.

AI in healthcare: The EU Publication Office offers a study on on the deployment of AI in healthcare. Present-day healthcare systems face several complex challenges, including rising demand due to an ageing population, increasing prevalence of chronic and complex conditions, rising costs, and shortages in the healthcare workforce. AI has the potential to address some of these by improving operational efficiency, reducing administrative burdens, and enhancing diagnosis and treatment pathways. 

E-store data minimisation

The Latvian DVI explains what is the minimum amount of data to place an order in an e-store. In order to ensure the fulfillment of an order, certain personal data must be collected and processed. This process can be conditionally called a mutual agreement. The following data is required to place an order:

• customer’s name and surname (for indication in a supporting document, for example, an invoice);
• email address (for sending invoices and order status messages);
• phone number (to ensure delivery, the courier also receives this information);
• delivery address or parcel machine address (depending on the selected delivery method).

The merchant must be able to clearly indicate why each type of data is necessary. For example, first and last name is necessary to fulfill a legal obligation. Other data, on the other hand, is necessary to fulfill the requirements of the contract. For example, if the service is “intangible” (online courses), first name, last name and email address are sufficient, which are necessary for sending the invoice and access data. A merchant may also need additional information if the product or service is individually tailored to the customer (eg, tailored clothing, selection of skin care products manufacturing of spectacles).

Customer data may only be used for the purposes originally specified. It may not be transferred to other parties unless there is a legal basis for this, such as the customer’s consent, a legal obligation or a legitimate interest. It may also be justified to use the data for related purposes such as archiving, if this does not conflict with the original purpose of obtaining the data.

Data deletion request

The DVI has also tried to answer the question: Should the deletion request itself be erased if someone has asked for data processed with their consent to be deleted? If a person withdraws consent to the processing of their data and requests the deletion of all data related to this consent, the organisation is obliged to stop processing this data as soon as possible and delete it, unless there is another legal basis for continuing to store or use it. This means that all data that was collected on the basis of consent must be deleted (eg, the person being removed from the list of recipients of commercial communications).

However, the request document itself, by which the person withdraws consent, as well as the organisation’s response to it, cannot be deleted at the same time as the aforementioned data, since the basis for processing such information is not the person’s consent within the meaning of the GDPR. They may be stored to fulfill the institution’s interests in managing its documentation and ensuring the protection of its rights (so that, if necessary, it can be confirmed that the request has been received, fulfilled and when it occurred).

More official guidance

Biometrics: Canada’s Privacy Commissioner has published guidance on biometrics for the public and private sectors. While biometrics can enhance security and help in service delivery, they can also raise privacy issues. Biometric information is intimately linked to an individual’s body and is often unique, and unlikely to vary significantly over time. It can reveal sensitive information such as health information or information about race and gender characteristics. The guidance among other things addresses key considerations for organisations when planning and implementing initiatives involving biometric technology – transparency, safeguarding data, and accuracy, including testing for biometric systems.

IoT data security: America’s NIST finalized its ‘Lightweight Cryptography’ Standard to Protect Small Devices. Four relevant algorithms are now ready for use to protect data created and transmitted by the Internet of Things and other electronics. The standard is built around a group of cryptographic algorithms in the Ascon family, which NIST selected in 2023 as the planned basis for its lightweight cryptography standard . They require less computing power and time than more conventional cryptographic methods do, making them useful for securing data from resource-constrained devices. For more technical information on the standard, visit the NIST Lightweight Cryptography Project page. 

Optus data breach in Australia

The Australian Information Commissioner has filed civil penalty proceedings against Optus (telecommunications), following an investigation in relation to the data breach made public by Optus on 22 September 2022. The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web. This included names, dates of birth, home addresses, phone numbers and email addresses, passport numbers, driver’s licence numbers, Medicare card numbers, birth certificate information, marriage certificate information, and armed forces, defence force and police identification information.

Based on this case the Australian regulator asks all organisations to: 

• implement procedures that ensure clear ownership and responsibility over internet-facing domains
• ensure that requests for customers’ personal information are authorised to access that information
• layer security controls to avoid a single point of failure
• implement robust security monitoring procedures to ensure any vulnerabilities are detected and that any incidents are responded to in a timely manner
• appropriately resource privacy and cyber security, including when outsourced to third party providers
• regularly review practices and systems, including actively assessing critical and sensitive infrastructure, and act on areas for improvement in a timely manner.

Voiceprint for authentication purposes

The Swiss Federal Data Protection Commissioner has examined whether PostFinance (a retail banking and business client) is violating data protection regulations when using voice recognition as a means of authentication. It concluded the investigation on 16 May with a ruling instructing PostFinance to obtain the express consent of the person concerned when creating voiceprints for voice recognition and to delete voiceprints for which no consent has been explicitly given.

Voiceprints are a type of biometric data. Under data protection law, they are considered sensitive personal data if they enable the identification of an individual. Unlike a password, it cannot be recreated in case of misuse. 

In other news

Meta AI: According to the privacy advocacy group Noyb, just 7% of consumers want Meta to utilise their personal information for AI, despite the fact that over 75% of users were aware of Meta’s ambitions. Noyb has commissioned the Gallup Institute to survey 1,000 Meta users in Germany in order to learn more.

In May this year, Meta decided to begin using EU personal data to train its AI systems by just asserting that they had a “legitimate interest” under Article 6 of the GDPR. Although nearly two-thirds of the participants claim to have heard about Meta’s announcement, just 40% of Instagram or Facebook users can recall seeing the in-app message that was concealed under a notification menu, (or can recall the email notice that was sent with a subject line designed to make people ignore it).

But as people age, knowledge about this issue increases significantly, while women are less inclined to give AI their data.

IBAN: The IBAN can in some cases allow a hacker to issue illegitimate direct debit orders. The hacker can also, more directly, usurp another person’s IBAN by communicating it when creating a direct debit mandate as part of a subscription to a service. In order to reduce the risk of fraudulent use of your IBAN and minimise its consequences, the French regulator CNIL recommends:

• Monitor your bank account transactions regularly and block your bank account if necessary.
• Contact your usual bank advisor if you have any doubts.
• Check the list of authorised creditors (eg, the beneficiaries of direct debits) in your online banking space.
• When receiving a pre-filled direct debit mandate, or an alleged update of it, be vigilant about the information describing the creditor.

One click was nothing. But you gave away a lot

As digital technology allows for limitless information sharing with just a single click, the Latvian DVI is launching an educational public awareness campaign to encourage every digital user, but especially young people, to realise that personal data is a value, not an accidental footprint left on the internet. The campaign emphasizes that seemingly harmless digital actions, such as posting your photos on social networks, participating in a free game, or clicking the “I agree” button without reading the contents of a document, can mean widespread and irreversible data transfer consequences that are not always easy to predict or reverse.

Similarly, Privacy International publishes a series of educational case studies to answer the question of “Why privacy matters” for schoolchildren, workers, people with disabilities, protestors and even sports fans and many others. Here are some outstanding points of the analyses:

• When surveillance creeps into classrooms and digital learning platforms, it threatens the freedom of pupils to feel safe to explore ideas, make mistakes and develop into their own unique selves.
• Employers are using surveillance to monitor, control, and exploit workers in ways that many may not even be aware of.
• The growing threat of intrusive surveillance such as AI-powered facial recognition in stadiums risks turning a vibrant cultural space into one of control and suspicion.
• Privacy is a universal right, but for people with disabilities, it’s often compromised in the very systems designed to support them.
• In society, dissent – especially through protest – is vital for progress, change, and holding power accountable. Without privacy, protestors risk losing their voices, and their own safety.
• Migrants have the same right to a private life and to be free from intrusive surveillance as anyone else. Yet, for people on the move, this right to privacy is under constant threat.

In case you missed it

Meta’s “story” photos: The Icelandic data protection regulator explains that Meta launched a feature that goes through photos on your phone and suggests what to post on Facebook. The social media app automatically selects photos or videos from your phone and sends them to Meta’s servers. The photos are then processed using artificial intelligence to display post suggestions in “Story”.

This is done without the user having specifically uploaded the photos or videos to the social media platform for publication there. Since this may be a significant intrusion into people’s privacy, and since the regulator has received reports that people have not realised that this feature has been enabled, the regulator provided the instructions on how to disable the feature:

• Open the app on your phone.
• Press + at the top of the screen.
• Tap “Story”.
• In the top right corner: Press the “Settings” gear.
• At the bottom is “Camera roll settings”.
• Turn off “Get camera roll suggestions when you’re browsing Facebook”.

Political advertising in the EU: Google and Meta announced that they will suspend all political advertising services in the EU due to the application of the Political Advertising Transparency and Targeting Regulation in October 2025, the Estonian regulator reports. The implementation of the new regulation will bring a number of operational and legal requirements that are difficult to implement. As a result, Google has decided to suspend all political advertising services, including on YouTube, until there is greater clarity on the implementation of the regulation. However, Meta believes that the implementation of the new regulation will make the current transparency and targeting systems too complex and ineffective, significantly reducing the ability of advertisers to reach the electorate.

The post Data protection digest 2-17 Aug 2025: “Data protection says what should be done, information security says how we do it” – Estonian regulator appeared first on TechGDPR.

What does this mean around the world?

Countries such as the United States and United Kingdom are increasingly moving towards reliance on these technologies. Countries in the EU are also recording findings of some trial projects related to the use of Facial Recognition Technology. However, as the technology continues evolving and becomes increasingly more widespread, concerns arise in relation to potential consequences of using said technologies. A majority of concerns focus on biases and consequences in relation to law enforcement. In addition, concerns with regard to all individuals’ privacy rights are also at the forefront of the discussion, including: 

• Whether an indiscriminate recording of all individuals captured by cameras is aligned with the principle of data minimization;
• Concerns on the lawfulness and transparency of the use of said technology, as further discussed below; and
• Appropriate processing of special categories of personal data in accordance with legal requirements. 

Both the GDPR and its UK equivalent (the ‘UK-GDPR’) provide for some legal framework setting standards for the use of this technology. However, the departure of the UK from the EU in 2020 means that the two jurisdictions are now implementing entirely different approaches when it comes to the use of Artificial Intelligence. This blog post analyses said differences, and the implications thereof, with a focus on FRTs.

The history of public surveillance systems in the EU and the UK

Looking at the history of implementation of public surveillance systems in the EU and in the UK, sets the stage to highlight the difference in framework that applies to this day. 

Public authorities and private actors have implemented video surveillance as one of the measures to ensure security since the middle of the 20th century. Camera systems such as CCTV have been increasingly appearing in UK cities since the 1950s, and have progressively evolved technologically. As a result, we are now at the point where South London will be installing its first permanent facial recognition cameras.

Similarly, Germany saw its first shift in the usage of cameras for public security reasons in the 1960s.  By the 2000s, the majority of large European cities were deploying CCTV systems.

However, based on this history and according to researchers, the evolution in technical capabilities of CCTV and its respective use in the EU has always lagged behind that of the UK. One of the reasons for this was a lack of constitutional protections for the right of privacy. Meanwhile, EU countries have demonstrably had a stricter approach to privacy even prior to the Data Protection Directive passed in 1995. The EU has implemented further protective measures since, such as the AI Act. 

How does the use of facial recognition change between the EU and the UK?

While both jurisdictions use Facial Recognition Technology with the goal of enhancing public and national security, they differ vastly in how extensively they have applied it in practice.

The main difference is in its application, which is in turn related to the current regulatory differences. In the EU, current deployments of RBI systems are primarily experimental and localised. Examples of case studies include Facial Recognition Cameras at Brussels Airport, Facial Recognition at Hamburg G20, and the DragonFly Project in Hungary. There is currently no example of fully implemented and permanent FRT or RBI systems in the EU.

Additionally, the UK’s implementation of such systems is a current point of discourse across the country. As an example, part of MET police deployment policy for overt implementation of live facial recognition to locate people on a Watchlist is to be able to implement Live Facial Recognition onto “hotspots” for a number of crimes, ranging from theft and drugs to terrorism and human trafficking. 

Additionally, the use has extended to private companies, such as the retail and hospitality sector, to take advantage of the technology to enhance security and prevent theft and revenue loss.

Regulatory similarities

In both the EU and the UK, the GDPR regulates the usage of all data processing technologies, including Facial Recognition Technology. The UK also implemented the regulation at national level with the Data Protection Act 2018. Therefore, a number of legal requirements, and issues of public concern are common for both jurisdictions:

• Data needs to be processed lawfully, fairly and in a transparent manner. Where public interest can be an applicable legal base for public authorities and law enforcement (albeit not without justification). However, private companies are required to jump through more hurdles to justify the necessity and proportionality, and outright lawfulness, of the use of FRTs, typically under legitimate interest;
• Processing of biometric data means that Art. 9 special categories of personal data are being processed, adding an extra layer to the lawfulness argument. Such categories of data can only be processed pursuant to one of the exceptions listed in the Article 9. Again, reliance on substantial public interest could be an option, but not without having to make a balancing exercise, which leads to: the requirement to carry out a Data Protection Impact Assessment in accordance with Art. 35.3, where the usage of said technology arguably meets all 3 criteria;
• Further considerations and concerns include breaches to the principles of purpose and storage limitation, and data minimisation. 

What is the regulatory approach to facial recognition in the EU?

However, in the EU, the newly implemented AI Act regulates the specific usage of real-time remote biometric identification systems in its Article 5. The article outright bans the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage and the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, although the latter comes with exceptions. These include:

• Search for abducted individuals, and victims of human trafficking and sexual exploitation;
• Prevention of a specific, substantial and imminent threat to life or threat of terrorism; and
• Localisation of a person suspected to have committed a criminal offence listed in Annex 2 of the Act (which does not include property damage, theft and/or burglary). 

Said exceptions, however, must still take into account rights and freedoms of the individuals involved. Additionally, Article 27 of the AI Act require a fundamental rights impact assessment and law enforcement authorities registering the system in the EU database according to Article 49.

How does the regulation framework differ in the UK?

Since its departure from the EU due to Brexit, the regulation of such technologies in the UK is entirely different. There is currently no AI-specific regulation in place. UK Parliament is currently discussing the only related legislation for the usage of such technologies, namely the Data Protection and Digital Information Bill.

Importantly, the draft of this bill demonstrates how the UK’s approach is opposite to that of the EU, possibly leading to less regulation. For example, through the abolishment of the Biometrics and Surveillance Camera Commissioner (BSCC). The underlying argument is that the removal of this office, in a period of fast technological change, will result in the loosening of safeguards designed to raise standards and protect citizens, and may ultimately result in the deployment of technologies that are not in the public interest. 

That is not to say that the use of said technologies will go entirely unchecked. The Information Commissioner Office made a statement about the usage of said technologies and calls for the responsible and lawful use of Facial Recognition Technology, and published guidance on appropriate use of Biometric recognition systems. However, the guidance still relies on mostly GDPR-based principles and rules. It does not add anything new to the conversation on the increased use of FRTs by law enforcement agencies or private companies, which might have legal implications for individuals. Therefore, the status quo remains that in comparison with the EU, the UK remains a regulatory sandbox for the use of such technologies. As a result, concerns arise about the ways this compliance vacuum could be exploited and relevant risk for individuals. 

Looking forward

Despite the technology being substantially more regulated in the EU, there is still criticism on the general use of FRTs, even with the existence of the GDPR and AIA rules in relation to the technologies. The vagueness of the definitions in the AI act, the changes made to the AI Act draft from an outright ban for the technologies to an approach with “exceptions” and the lack of clarity on the implementation of these technologies by private companies outside of law enforcement agencies.

The post Comparing the UK and EU’s framework on facial recognition technology appeared first on TechGDPR.

Due to their age and general level of maturity and education, children are considered to be vulnerable and granted special rights in the eyes of the majority of jurisdictions. This is internationally recognised through, for example, the United Nations’ Convention on the Rights of the Child. This vulnerability is considered across different areas of legislation, including data protection, leading to specific provisions being included in the GDPR, such as Art. 8, laying the conditions for information society services to process children’s data.

Art. 8 GDPR’s requirements and the age of digital consent

Art. 8 of the GDPR is the only article that regulates the processing of children’s personal data specifically. It provides that the processing of personal data of children is lawful when the child is at least 16 years old (age of digital consent), or, if below that age, only where consent has been given by the holder of parental responsibility for said child. The GDPR also allows for the individual member state to independently legislate on whether the age limit can be lower than 16, so long as it is no lower than 13. Countries such as Germany and the Netherlands have opted to stick to the standard already established by the GDPR, while others, including Belgium and the UK prior to its departure from the EU, have lowered the threshold to the lowest possible age of 13. Notably, the UK’s current data protection provision still maintains that the age of digital consent is 13.

With this provision, the inevitable consequence is to first and foremost ensure that the age of a data subject is appropriately verified, in order to assess whether these rules apply and take the appropriate steps. However, recent cases and studies have shown that it is inherently difficult to gain consent of a parent or guardian, as there are no appropriate mechanisms in place to ensure that children are being truthful about their age.

Growing concerns about the processing of children’s data

One of the main issues that information society services face in regards to the processing of children’s data, is that these services are not aware that many of the users are actually under the age of digital consent. So far, the majority of these platforms have been relying on relatively lax forms of self declaration, meaning that the platforms offer services on the legal assumption that the user is responsible for declaring their age truthfully, which leads to users easily lying about their age to gain access to platforms where no extra assurance is required. 

UK’s Ofcom research has shown that for platforms such as TikTok and Facebook, which only required users to indicate their date of birth, the vast majority simply indicated a date of birth that would indicate that the user is older than they actually are. The main issue with this is that this may set up young users to be exposed to content that is not safe for their age, and also expose them to unlawful collection of their personal data from these platforms. 

It is therefore unsurprising that Meta and TikTok have been the two biggest companies being fined for violations in regards to misuse of children’s data by the Irish and UK’s data protection authorities respectively. In fact, the UK’s ICO noted that TikTok had been aware of the presence of under 13s in the platform but it had not taken the right steps to remove them. 

It becomes clear that the development and implementation of more stringent age assurance techniques is necessary to ensure that personal data of children is only processed in accordance with GDPR standards. Whilst the EU is yet to come up with specific guidelines in regards to this matter, the UK has published the Children’s Code, to be applied to online services likely to be accessed by children as a code of practice.

Age assurance mechanisms

Amongst 15 other standards that the Code implements, there is the need to ensure that the product and its features are age-appropriate based on the ages of the individual users. To be able to do so, the code requires that the age of users is established with the appropriate level of certainty, based on the risk level of the processing and taking into account the best interest of the child. Therefore, it is also crucial under the code, to carry out a Data Protection Impact Assessment (DPIA) prior to the processing of children’s data, to evaluate said risk level.

The code suggests some additional age assurance mechanisms that information society services may put in place, and the UK’s children’s rights foundation 5Rights has identified additional ones and its possible use cases, advantages and risks. Some of these include: 

• Hard Identifiers, such as sharing one’s ID or Passport or other identifying information. Those are considered to provide a high level of assurance, but raise concerns in regards to data minimisation and might otherwise lead to a disproportionate loss of privacy. Organizations are generally advised to implement appropriate storage limitation periods for those, limited to what is needed to verify an individual’s age once, making it tricky to demonstrate having checked that information, for compliance. Youtube and Onlyfans are examples of ISS that makes use of this mechanism to give access to age-restricted content.
• Biometric data relies on the use of artificial intelligence to scan for age-identifiers on a person’s face, natural language processing or behavioral patterns. It is more commonly used through facial recognition. However, it presents a high degree of risk due to the use of special categories of data, risk of discrimination by biased artificial intelligence and the effective profiling that takes place. Whilst it does provide a high level of assurance, it also requires a very stringent mechanism in place in order to ensure data is processed safely. GoBubble is a social network site made for children in schools that has been using this kind of age assurance technology, by requesting users to send a selfie upon sign up. Meta is also currently in the process of testing this method of age assurance, by working with Yoti, one of the leading age assurance technology developers.

• Capacity testing allows services to estimate a user’s age through an assessment of their capacity. For example, through a puzzle, language test or a task that might give an indication of their age or age range. Whilst this is a safe and engaging option for children, and does not require the collection of personal data, it might not be as efficient at determining the specific age of a user. The Chinese app developer BabyBus uses this type of methodology in its app, by providing a test where users are asked to recognise traditional Chinese characters for numbers.

More examples and use cases of age assurance mechanisms are provided in the 5Rights report. 

Therefore, although it may be difficult to strike a balance between appropriately verifying users’ age prior to sign up, and avoiding over-intrusive measures to do so, it is apparent that solely relying on the user being truthful about their age is no longer sufficient for the majority of platforms, especially when processing vast amounts of personal data, sensitive data or use personal data for targeted advertising. With the growing number of very young children accessing the internet, it is important to ensure that they are protected, their fundamental rights respected, and relevant data protection provisions are fulfilled. In recent years, large steps have been made in the development of alternative secure identity and age verification technologies. The tools are therefore available for organizations to ensure that their GDPR requirements are also met in this respect. 

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains product development, HR, marketing, sales and procurement teams in understanding data protection requirements.  It offers an online training course for software developers, system engineers and product owners.

The post Processing children’s data and implementing age assurance mechanisms appeared first on TechGDPR.