Page 1

Children and young people
rights to
digital platforms
A guide for actors

Page 2

Behind the guidance are the Data Inspectorate, the Children's Ombudsman and the Swedish Media Council.

2

Children's and young people's rights on digital platforms

Page 3

PREFACE

Protect and strengthen children
and the rights of young people
When children's and young people's everyday

lives increasingly take place in digital
environments, it is of the utmost importance that their freedoms and rights are safeguarded there, precisely
as in the physical world.
Children and young people move quickly and get used to between different services, but it is not
always synonymous with realizing risks or understanding consequences - consequences
which may also lie far into the future.
Regulating the internet is often difficult. Legislation is sometimes complicated
to interpret, the language is far from the language used by those concerned and
Perspectives are seldom as holistic as they may need to be when viewed
an event from a child's perspective. Something we can be said to be obliged to do,
since the Convention on the Rights of the Child became law in Sweden on 1 January 2020.
That is why we, three government agencies with a special responsibility to protect
children and young people and strengthen their rights, chosen on the basis of our various
areas jointly produce this guide.
The purpose of the guidance is to provide general support primarily on the basis of an
perspective (where the Data Protection Regulation, GDPR, is a key piece of legislation) and
a child rights perspective (based on the Convention on the Rights of the Child). The guide contains
also some advice based on the legislator's intentions regarding protection
children from harmful media exposure.
With the guidance, we focus primarily on actors who create and are responsible for
different digital environments where it is common for children and young people to be. Regardless
if you own or create websites, Swedish-language platforms or have one
own Youtube channel, we hope you will enjoy the guide.
We are convinced that we are together - when we put the best interests of the children first
- will succeed in creating safe, secure, digital environments, adapted to children
and the needs of young people.
Stockholm 2020
The Data Inspectorate
The Children's Ombudsman
State Media Council

Children's and young people's rights on digital platforms

3

Page 4

Content
Preface 3

Chapter 1: Introduction 5
Safe digital environments for children and young people

5

The best interests of the child - in accordance with the Convention on the Rights of the Child

6

The rights of the child - according to the Data Protection Regulation

7

Protect children from harmful media exposure

10

Checklist the guide briefly

13

Chapter 2 14
1

What is required to process names, photos and other personal information

14

2 Opportunity to give consent

20

3 Risk assessment

25

4 Requirements for deletion and information

29

5 Online tools

33

6 Save and protect personal information

34

7 Age control

35

8 Share personal information

36

9 Use personal data for marketing purposes

38

10 Geo-location data

39

11 Parental control

40

12 Profiling

42

13 Nudging

43

14 Connected toys

44

More information and guidance 47

4

Children's and young people's rights on digital platforms

Page 5

CHAPTER 1: INTRODUCTION

Secure digital environments
for children and young people
Sweden must be the best in the world at using the possibilities of digitalisation. The
is the goal of the government's digitalisation strategy. The digital world is influencing
society at all levels and as citizens we get used to most things going well
to do digitally, whether it's about contacting authorities, do
errands or perform tasks.
For children and young people, the digitalisation of school and access to
connected devices have a major impact on their daily lives. Even younger children should according to
the preschool curriculum get access to digital tools. After school, many devote
children and young people daily spend a large part of their free time on streaming media, games and
social platforms.
From a child rights perspective, it is clear that digitalisation is in need
safe and secure digital environments adapted to children and young people. The government has
drew attention to the need for so-called digital security through enhanced security
and integrity within the framework of the digitization strategy. The strategy points out that
private and public actors need to act responsibly and that
requires secure digital systems that protect personal privacy. In practice
This means that in the development and use of digital tools and
services need to follow the rules that exist for the protection of children and young people.
Hopefully this guide can make it easier for anyone who creates and
is responsible for various digital environments and wants to help make children and young people safe
digital environments. It can be read as a summary of what you have to
think in accordance with the Convention on the Rights of the Child, the Data Protection Regulation and the right of children to
protection against harmful media.

Children's and young people's rights on digital platforms

5

Page 6

Best interest of the child
- according to the Convention on the Rights of the Child
Sweden adopts UN Convention on the Rights of the Child (Convention on the Rights of the Child)
as early as 1990. As of 1 January 2020, the Convention on the Rights of the Child is also Swedish The Convention on the Rights of the Child
basic principles
law. This means that the rights in the Convention on the Rights of the Child can be applied as
Swedish law and that children are seen as rights holders and thus get a stronger one
Article 2 - every child
have the same rights
legal position.
and equal value.
The Convention on the Rights of the Child contains universal provisions aimed at supporting
Article 3 - child custody
the child's needs for safety, health, well - being, family relationships, physical,
take should be considered at all
psychological and emotional development, identity, freedom of speech and integrity
decisions concerning children.
to form their own opinions and the right to be heard. Children's Ombudsman
Article 6 - every child
have the right to life and
the man is a state authority with the task of representing children and young people
winding.
rights and interests based on the Convention on the Rights of the Child.
As the creator of and responsible for a digital environment, it is important to have knowledge Article 12 - every child
has the right to express
on the rights of the child in order to ensure that children are protected and can
its meaning and get it
respected.
developed in the digital environment. Based on the 54 articles of the Convention on the Rights of the
Child, it is an article
3 one of the basic principles we will highlight in particular in this guide.
In addition to the basic
Article 3 states that the best interests of the child shall be taken into account in all actions and decisions
which:
iperna there
are a number
concerns children. The Convention on the Rights of the Child explicitly points to the role of adults provisions
in protecting
that mayand
extra relevant
promote the best interests of the child. Everyone who creates services aimed at children and youngbepeople
children and adolescents
can contribute by making every decision concerning the offer and its design
rights online. IN
have the best interests of the child in focus and the Convention on the Rights of the Child as a starting
point.
this guide
are articles about children
In order to put the child in focus and have a child rights perspective, basic
opinion and information
knowledge of the Convention on the Rights of the Child. The different articles are related and
freedom of movement (Article 13)
should be seen as a whole. Not all rights are relevant to all issues involved
and the right to private
and family life (article
children, but in order to ensure a child rights perspective, at least
16) and Article 17 on
The four basic principles of the Commission permeate the issue.
the role of mass media
particularly relevant, as well
Article 19 (physical or
psychological violence) and article
36 (protection against other
exploitation).

Read more
www.barnombudsmannen.se/barnombudsmannen/barnkonventionen/
www.barnombudsmannen.se/globalassets/dokument-for-nedladdning/
publications / en-skrift-om-barnkonventionen-uppdat.pdf

6

Children's and young people's rights on digital platforms

Page 7

The child's rights - according to
the Data Protection Regulation
This guide describes selected parts of the requirements that data protection
the Regulation, or the General Data Protection Regulation (GDPR), sets when
children's and young people's personal data are processed for different purposes.
GDPR with the rules on data protection is based on the EU Charter on
fundamental rights. The rules are related to the individual's right to
respect for their private and family life, which applies under the European Convention.
A protection for personal integrity is also found in the Swedish constitution; government
ingsformen. Both the GDPR and the European Convention apply as law in Sweden.
The Data Protection Ordinance is directly applicable as law in Sweden and throughout the EU.
Swedish law may not be in conflict with the ordinance.
The data protection rules apply throughout the EU and aim to create a uniform one
and equivalent level of protection of personal data. There are data protection
authorities in each EU country that monitors compliance with the rules. In Sweden, this is
The Data Inspectorate (which from 1 January 2021 is called the Privacy Protection
authority).
The Data Protection Regulation highlights children in particular and states that
Son data deserves special protection, as children may be less aware
on the risks, consequences and safeguards involved and on their rights when appropriate
applies to the processing of personal data.
This is reflected in a special rule about children who say that children
over 16 years of age can consent to the use of their personal data for the use of
information society services, such as social media or chat programs. Each
Member State has had the option of lowering the designated age in this
and in Sweden it has been decided that children over the age of 13 may consent in these cases.
The GDPR contains a

number of basic principles that can be said to be the core
in the Regulation and which are important to understand and apply. The principles mean
among other things, that you who are responsible for handling information about children:
• may only collect personal data for specific, specifically stated and justified
purpose.
• may not process more personal data than is necessary for the purposes.
• has to ensure that the personal data is correct.

Children's and young people's rights on digital platforms

7

Page 8

• has to delete the personal data when they are no longer needed.
• has to protect personal data, for example so that unauthorized persons may not
access to them and that they are not lost or destroyed.
• need to be able to show that and how you live up to the Data Protection Ordinance.

Concept of data protection regulation
A prerequisite for being able to apply the Data Protection Regulation is that you understand
what certain key concepts mean, such as personal data controller,
personal data assistant and registered.
The person responsible for personal data is the organization (for example a limited company, foundation,
association or authority) which determines the purposes for which the information is to be provided
treated and how the treatment should be carried out. It is therefore not the head of a worksplats or an employee who is responsible for personal data. Even a natural person can
be responsible for personal data, which is the case for individual companies, for example. I väFor this reason, we address representatives of the organization responsible for personal data
and says "you should think about" etcetera.
The personal data assistant is the person who processes personal data for a
on behalf of the son data controller. A personal data assistant is always outside it
personal data controllers' own organization. A personal data assistant can be
a natural or legal person, public authority, institution or other body.
For example, cloud service companies or other external providers are often used by
IT services as a personal data assistant. A personal data assistant and its personal
may only process personal data in accordance with instructions from the
responsible and agreements must be reached between the parties.
Joint personal data responsibility is when several actors decide together
and is responsible for one and the same treatment. Then they have a common person information responsibility.
By the data subject is meant the person whose data is processed.
More definitions can be found later in the guide.

Obligations and rights
The Data Protection Regulation contains both obligations for those who process
personal data and rights of the individuals whose data are processed. To
the obligations must take into account the basic principles set out
above. Here are some of the rights that apply to both children and adults:
• The right to know who processes personal data, for what and why?
• The right to access the personal data of an organization, costfreely, and to obtain a copy in an available format.
• The right to object to an organization processing personal data without
that consent has been given, unless the public interest takes precedence. The right to when as
preferably object to receiving so-called direct advertising, ie advertising that goes directly
to the recipient.
• The right to have information corrected if it is incorrect, incomplete or
incorrect when processed by an organization.

8

Children's and young people's rights on digital platforms

Page 9

• The right to have information deleted is also called the right to be forgotten. Rightapplies if someone's information is no longer needed or processed
illegal. Other rights, such as freedom of expression, must also be protected. Because
you can not always delete personal data that is displayed through, for example
search via a search engine.
• The right to move data is about when individuals' data is used by
a company after consent has been given or an agreement has been signed. Then can
the data is returned or transferred to another company at the request of
the individual. This is called the right to "data port capability".
• The right to receive information if personal data is lost means that
the information holder must inform the Data Inspectorate of
personal data incidents that pose a risk to the privacy of individuals. If
the incident poses a high risk to an individual, the individual must also be informed
race personally.

Remember!
The terms GDPR and the Data Protection Regulation are used synonymously in the guide
and it is the same rules that are meant. When several actors are involved in, for example
a service or platform, each party must take responsibility for its part in accordance with
Regulation and other applicable rules. GDPR does not apply to the extent that it should
infringe on rights under the Freedom of Expression Act (YGL). This makes that
the rules usually do not apply to the publication of personal data on the internet in those cases
are databases with publishing certificates and mass media companies automatically
protected databases.

To think of!
The information in this guide is based on the GDPR, the rules of which apply in
throughout the EU. The guidance does not claim to account for all data
protection rules globally. The guidance has taken inspiration from a statutory statute
code of conduct from the UK Data Protection Authority ICO (Age
appropriate design: a code of practice for online services). It has, however
not the same status as the UK Code of Conduct but should be read as
usual government information about the rules that exist.

Children's and young people's rights on digital platforms

9

Page 10

Protect children from harm
media influence
How can children be protected from harmful media influences in digital environments? What
means harmful media impact and what does it have to do with the design of
digital services?
The concept can be divided into several different areas, including:
• harmful media content,
• harmful communicative action,
Harmful interaction design and
• harmful handling.
The first three are especially important to know for those who create and are responsible
for various digital services.
By harmful media content is

meant content that can lead to children being affected
of negative consequences. It can be about violence, horror and pornography.
Such content may lead to an experience of strong fear or
discomfort at the moment or that the child later finds it difficult to sleep, dreamsHarmful
nightmares or do not dare to do things it usually does. But
media content is
Harmful media content can also be demanding
content that can
exposure but affects the child in the long run, such as propaganda,
advertising or problematic beauty ideals.
lead to children

suffer from negatives
consequences."

Harmful communicative action involves

some form of
social interaction. Examples of this are cyberbullying, hatred, threats,
virtual rapes or incitement against ethnic groups. It can be about
acts that are primarily directed at someone or someone with direct hostility
intentions or actions performed without the practitioner thinking about how the action
affects others. Today, anyone with access to technology can publish
content in the form of, among other things, text, image and sound. Many digital services
contains forums for this, for example in the form of chat functions where users
can interact. User-generated media content may remain long after
the actual time of publication and it can be spread to more than what is actually
gene set aside.
Also so-called dependent issues or problematic use of screens
is considered harmful communicative action.

10

Children's and young people's rights on digital platforms

Page 11

Harmful interaction design refers

to a design of the user experience
leading children and young people to choices that may be harmful to them, such as
to provide sensitive personal information or personal photos.
Harmful handling is

out of focus for guidance and affects negatives
effects of sedentary and excessive media use such as obesity,
sleep problems and wear and tear injuries.

How are children protected?
In many areas of society, children have been judged to have special needs
protection. Their rights must also be respected.
Protecting children from harmful content is one such area, as children
may be less critical and therefore more receptive to different types of messages.
Measures to protect children from harmful media exposure - in law and
self-regulation

According to the Marketing Act, it is forbidden to send direct mail to children
under the age of 16 and to direct direct purchase calls to minors. In radio and
The Television Act contains provisions with restrictions on content with violent
rings and pornographic images. The Convention on the Rights of the Child contains writings on
including the right of children to a safe upbringing and the right to freedom of expression.
According to the data protection rules, children's (and others') personal data must be protected.
There are also codes of conduct to counter, for example, online hate and
voluntarily agreed provisions covering industry actors, for example
business ethics rules on special care regarding market communication aimed at children and young people.

Protection against harmful media content
Children can be protected from harmful media content through, for example, age limits
established by the Swedish Media Council for films that are shown in public and broadcast
the conditions that regulate when during the day certain types of content may be broadcast via
linear TV. The Internet is not regulated in the same way, but for everyone who provides
services where children and young people can come into contact with harmful media content
important to consider the Convention on the Rights of the Child and children's rights.

Children have a special need for protection
The Convention on the Rights of the Child is important in preventing children from being harmed
content. According to the regulations, children have the right to apply, receive and distribute
information and thoughts of all kinds. But children also have the right to protection from information
information that may be harmful to them, as well as protection against invasion of privacy and
such as may damage the child's honor or reputation. Children also have the right to special
protection of their privacy and personal data, in particular with regard to targeted
advertising or collecting data from services specifically targeted at children.

Children's and young people's rights on digital platforms

Page 12

AV Directive (Audiovisual Media Services Directive)
Has been implemented in Sweden mainly through the Radio and Television Act,

commercial communications with descriptions of in-depth violence

with rules about TV and pay-TV. The regulations are about

of a realistic nature or with pornographic

including the design of advertising, advertising volume and

images should not be provided in such a way that it

placement of advertisements, protection of minors and

there is a significant risk that children may see these, if any

content that incites hatred. The directive has

not for special reasons is nevertheless justifiable. The supplier shall

recently adjusted, which requires changes in the Radio and Television Act

also take steps to ensure that such videos, television programs and

which are essential for actors responsible for digital

messages do not have a content referred to among other things

platforms. A new chapter on video sharing platforms

in the provisions of the Penal Code on unlawful threats, incitement,

introduced into the law. There is a requirement that a supplier of one

ethnic groups, illegal depictions of violence and child pornography

video sharing platform shall take appropriate action:

nografibrott. The new rules are proposed to enter into force on

11

user-generated videos, TV shows or audiovisual

December 1, 2020.

Different degrees of maturity affect
When deciding what is harmful content, you take it into account
children's emotional and intellectual maturity, which develops continuously.
The older children get, the greater their ability to handle and relate
to situations they are faced with. Also children's ability to assess risks and
Understanding the consequences of one's actions is something that develops over time
“Children risk for
time. Younger children may, for example, lack the tools needed to
deal with scary media content or understand the consequences
vulnerability is thus
of publishing photos or disclosing personal information. The grade of
also a factor that
protection is thus affected by how the target group looks and by different children
need to be considered
ages and degree of maturity.

when

to create digital
environments where children
is located. ”

More vulnerable than others

Some children are at greater risk of being harmed by the media.
Children with neuropsychiatric disabilities (NPF) generally use
media more than average. They also state to a greater extent that they have been exposed
for threats, bullying or that someone has been mean to them on the internet. Even children
with intellectual disability indicates to a greater extent that someone has been stupid
against them on the internet. Children's risk of vulnerability is thus also a factor that
need to be taken into account when creating digital environments where children are.

Examples of authorities in the area
State Media Council
The Swedish Consumer Agency
The authority for press, radio and television
Chancellor of Justice
The police

12

Children's and young people's rights on digital platforms

Page 13

Checklist
- the guide in brief
• Let the Convention on the Rights of the Child and the best interests of the child permeate your service!
• Keep track of important concepts! Personal information is not just a name
and address without any information that can be linked to a person.
• For what purposes do you need personal information? The purposes
decides, among other things, what information you may collect, how
as long as they can be saved and if you can share the information.
• Without support in the Data Protection Regulation, GDPR, you will not get
use personal data! Consent and agreement are examples
on legal grounds that may make it lawful to deal with
personal data.
• GDPR-secure your consents! Consent must be given as a clear
willing expression, without pressure with the ability to at any time
recall it.
• Provide information on how to use the information about children!
The information must be child-friendly when you turn to children.
• Make a risk assessment before the personal data is collected! The
is a legal requirement and helps you plan the actions you need
take to protect personal data.
• Be prepared to manage individuals' rights according to
the Data Protection Regulation, such as requests for extract from the register and
deletion!
• Process as little personal data as possible and take it into account
integrity aspects and child protection in planning and design
of services and systems.
• Counter threats and hatred on your platforms and protect children from
harmful media impact!

13

Children's and young people's rights on digital platforms

Page 14

CHAPTER 2

1. What it takes to get
process names, images and
other personal information?
Consent is not always required - but is sometimes necessary
A common misconception is that you always have to have people's consent to get
publish or otherwise process their personal data. It's not like that. What
which, on the other hand, is always needed according to the rules of the Data Protection Regulation is some form
for legal reasons. Without a legal basis, it is forbidden to process
personal data. If you want to process personal data, you must therefore find one
provision of the Regulation (a legal basis) which is appropriate to support what you
must do, otherwise the processing is illegal. There is no other legal basis such as
works in this context, consent may be the only option. It is required then
that the consent meets a number of criteria for being legally valid, such as that
it must be informed and voluntary and can be revoked. Here it can be worth it
to remind that children are not always considered old enough to consent.

read more about
how the legal basis consent is used legally in section two,
page 20. There is also information on at what age children can begin to conceive
decisions on their personal data.

Personal data and personal data processing
Is all kinds of information that can be linked to a living person

personal data, unless it is a sole proprietorship.

son. This can be a name, address and social security number.

The registration number of a car can be a personal data,

more. Photos of people are also classified as personal data.

if it can be linked to a natural person. Personal data

Yes, even audio recordings stored digitally can

processing is everything you do with personal data: collect

be personal data even if none is mentioned

in, save, share, sort, publish and so on.

name in the recording. A company number is usually not one

14

Children's and young people's rights on digital platforms

Page 15

The legal bases
Below are the legal bases in which organizations in private business
primarily uses.
Consent

Can under certain conditions be used as a legal basis for a
processing of personal data.
Agreement

Can be used as a legal basis for processing children's personal data about
it is necessary to fulfill what has been agreed in an agreement. Agreement
can only be used if the child is old enough to in the individual case
be able to decide over their personal data.
Legal obligation

Laws or regulations mean that you sometimes have to process certain personal data in your
Operation.
Balancing of interests

Means that the person responsible for personal data asks himself about the interests of the organization.
then weighs heavier than the individual and whether the treatment can be considered
necessary for the current purpose of the person responsible. If the answer is yes is
processing is legal on the basis of the legal basis of balancing interests.
Agreements and
legal obligation as a legal basis. For public activities can also
personal data are processed as part of a public interest and regulatory
exercise (the most common legal basis for public activity). Consent
and balancing of interests can usually not be used as a legal basis in public
Operation.

read more about
the conditions for consent, children's ability to consent and when the minor is
can decide on their personal data in section two, page 20.

To think about - when choosing a legal basis!
Why does personal data need to be processed? The purposes

different purposes. To use person data to deliver

sets the framework for what is allowed and decides which

a product to a customer and to send advertising to the customer is

appropriate legal basis.

examples of two different purposes.

The Data Protection Regulation requires that

In most cases, consent is neither the easiest nor the most appropriate

the purposes. The reason is that it is not okay to collect

alternative, inter alia because the person who has given his

enter more person data than is needed for the concrete

think can take it back at any time. Then the personal

purpose identified.

the data processing cease.

It may be relevant to apply different legal bases for

15

Children's and young people's rights on digital platforms

Page 16

Is there an agreement?
Consent is usually not needed when there is an agreement with a person. In the case of
pelvis an online purchase, the customer expects to have their goods delivered. To the item
in order to be delivered, the store needs to use certain personal data, which
its address. The information necessary to fulfill the agreement is given
thus treated with the agreement as a legal basis. If the business wants to use
personal data for purposes other than the fulfillment of the agreement, for example for
to send advertising, the customer must give his consent.

Balancing of interests
If an agreement is missing and it is difficult to use consent, it is often possible
to rely on a balance of interests, which is the most flexible legal basis
the one of all. Then it is required that the intended processing of personal data is necessary
for a purpose relating to a so-called legitimate interest, and that of the individual
interest in the protection of their personal data does not outweigh the legitimate
the interest of the business.
What interests in a business are then justified? For example, treatment
of personal data that is absolutely necessary to prevent fraud, but
processing of personal data for direct marketing is also considered to be one
legitimate interest. Even if there is a legitimate interest, you have to judge
if the intended processing of personal data is necessary to fulfill it
legitimate interest. Do you consider that you can use the balance of interests you need
you also make sure that the protection of privacy does not outweigh it
individual case. That assessment is determined by the impact of the personal data
the action has on the privacy. In summary, it works
a balance of interests often when the persons, whose data one wishes to process,
expects some processing of personal data.
The fact that children need special protection is an important component to take into account
to the balance of interests. Can you show that you are within the framework of the planned
personal data processing can protect children's personal data, provide sufficient
information and otherwise protect the children's integrity so it affects the possibility of
you to legally use their personal data on the basis of a balance of interests.

Tip!
Which interest weighs the most?
To determine which interest weighs the most, a child impact assessment can
to be done. The analysis must show the consequences and effects that may arise for children
at different action options.
• How are children affected by different action alternatives?
• What will be the consequences for children who are in vulnerable situations and
where there is a high risk that the rights are violated or where the rights cannot
fully met?

16

Children's and young people's rights on digital platforms

Page 17

To think of!
• Children are individuals with different conditions.
• Take into account age and maturity.
• Choice of legal basis must be documented. Among other things, because the
you whose data is processed have the right to receive information about the legal
the reason.
• The legal basis must be determined before the personal data is collected.

Internet publishing
If what is published on the internet contains personal data is required, as at
all processing of personal data, a legal basis. In some cases, it is obvious that
consent is required, for example when it comes to information concerning children with
protected identity. What legal basis is appropriate for internet publishing
is determined by the context, such as how privacy-sensitive information is involved.
Are you unsure of how to look at a publication in the Data Protection Ordinance
meaning, it is always wise to ask the consent of the persons concerned. In typical
harmless publications, in the context of many people involved
such as a company's mingling photos from an event, it can usually be more
appropriate to support the processing of personal data on, for example, a
ning. Keep in mind that pictures and other personal information about children are always considered special
worthy of protection. Children may find it more difficult to anticipate the risks of leaving
information and understand what right to protection they have for their information.
In some cases, the rules of the Data Protection Regulation do not apply to
even if they contain personal data. For constitutionally protected public
GDPR is largely not applicable. For example, have a magazine
website and also webcasts under certain conditions an automatic
constitutional protection. Examples of constitutionally protected websites are the evening paper.
see and dn.se. Others whose databases are not subject to an automatic constitutional
protection can apply for a certificate of publication that provides a corresponding constitutional
protection of their websites. Examples of websites with constitutional protection
through publication certificates are eniro.se and hitta.se.
Do you have a platform that is not fully covered due to constitutional protection
of the data protection rules, there are other rules that will be relevant to you. The one who
operates the constitutionally protected business is obliged to appoint and notify one
responsible publisher to the Swedish Press, Radio and Television Authority. The publisher is legal
responsible if a violation of freedom of expression is committed, for example incitement against an ethnic group, slander
or insult. Furthermore, the law on responsibility for electronic bulletin boards
requirements for the person who owns or is responsible for a site. The one who provides the service
must remove posts that involve, for example, incitement against ethnic groups, incitement,
illegal depiction of violence, child pornography offenses and copyright infringement.

17

Children's and young people's rights on digital platforms

Page 18

Who should take responsibility for the legal basis when there are several actors
involved?
At all types of activities (such as services and platforms) where several actors
are involved, it is important that all parties are aware of their responsibilities
for the ongoing processing of personal data. Several parties can bear responsibility
at the same time. At the same time as you have access to personal data, you must
ask yourself the question: What responsibility do we have for the tasks? It is important that you
if you are responsible as a personal data controller or personal data assistant.
What these terms mean was explained in Chapter One.
As a business responsible for personal data, think of these legal requirements:

• You are responsible for ensuring that the processing takes place in accordance with data protection regulations.
all the provisions of the Regulation.
• You can entrust the actual processing of personal data (for example
all the practical work with a service, the management of your customer register
and so on), but the person data responsibility can never be handed over.
• You must establish a so-called assistant agreement between you and the personal data
the assistant.
If you have the role of personal data assistant, think about these legal requirements:

• You may only process personal data in accordance with instructions from it
person responsible for personal data and you may not hire another assistant without
obtain prior written permission from the person responsible for the data.
• Some obligations imposed on personal data controllers also apply to you,
such as keeping records of treatments, to ensure an appropriate security
level and in some cases to appoint a data protection officer.
Both the personal data controller and the personal data assistant can be subject
for supervision or administrative penalty fees and become liable for damages.
This guide is primarily aimed at actors, with children as
target group, but it can be good to know that even guardians (and everyone
private individuals) have a responsibility for personal data processed by them.
If you process personal data under the management of a company, such as at work,
however, it is the workplace that is responsible or an assistant. Parents of children who
are large enough to decide for themselves about their personal data needs
be able to support their personal data processing, by their child (or others) personal data
information, on a legal basis.
Keep in mind that the processing of personal data is affected by the so-called
the private exemption is not covered by the GDPR. This applies to the processing of personal data
poisons that a natural person performs as part of activities of a purely private nature
or which is related to his household. However, the exception does not apply when one
private person publishes personal data in a way that makes the data
accessible to an indefinable number of people, for example through open public
cering on the internet. Then you must always follow the rules of the Data Protection Ordinance.

read more about
parental control in section eleven, page 40.

18

Children's and young people's rights on digital platforms

Page 19

More information
Advice on how to make one
balancing of interests and information
on all the legal bases:
www.datainspektionen.se/lagar--regler/
the Data Protection Regulation / legal basis /
balancing of interests /

What does public interest and the exercise of authority mean?
www.datainspektionen.se/lagar--regler/dataskyddsforordningen/rattslig-grund/
authority-exercise-and-tasks-of-public-interest /

As for when using the legal basis agreement for
online services - see guidance from the data protection authorities
cooperation bodies:
www.datainspektionen.se/globalassets/dokument/eu/avtal-som-rattslig-grundwhen-using-online-services.pd f

Here is how a child impact assessment can be done:
www.barnombudsmannen.se/barnombudsmannen/publikationer/genomforaConvention on the Rights of the Child

What applies to the processing of personal data for public activities?
www.datainspektionen.se/

Measures that the Data Inspectorate can direct at the person who breaks, or
risks breaking the rules:
www.datainspektionen.se/om-oss/arbetssatt/tillsyn/vad-kan-tillsynen-leda-till/

19

Children's and young people's rights on digital platforms

Page 20

Opportunity to give consent
Can children and young people decide for themselves
personal information?
According to the data protection rules, children over the age of 13 can consent to their personal
toxins are used in the use of information society services.
Examples of such services are social media, blogs, internet forums, video
sharing platforms, chat programs, online games, apps with games or more
content.
There is no specific age limit for when a child can consent to
that personal data is processed in other situations, according to the GDPR.

Age and maturity affect
How can one then think in situations other than those concerning information gathering?
the services of the stove? In the case of children under 13 years of age should always be the guardian
consent is obtained. The parents have the main responsibility for the child's upbringing and
development based on what is considered to be the child's best interests. Children over 16 years have
generally a certain right to act independently in society and can for example
dispose of their own earned income. Someone who has turned 16 should as well as a rule
be able to give a valid consent to the processing of personal data.
But what then applies to children between 13 and 16 years? Well, then need
“The age limit will be
in each situation, the child is assessed in that particular context
can be considered to be able to understand the consequences of a consent.
a balance between
Factors that are important for the assessment are, for example, how
the right to participate
sensitive personal data that the child must provide, how
and the risk to the child
how long they should be saved, the child's age and maturity.
You must decide whether the child can anticipate the consequences
maltreated."
which the processing of personal data may entail and about the child
can understand what he agrees to.
The age limit is a balance between the right to participate and the risk of
the child gets sick. It is in relation to this risk important to ensure the right that
every child has. The child has the right to receive information adapted to his or her age and

20

Children's and young people's rights on digital platforms

Page 21

maturity and the right to express their views and take part in actions and decisions such as
affects the child's life.
Although the ability to absorb more complex information and understand
the sequences of their actions develop continuously as older children get older
large differences between different individuals. To understand the consequences of that
for example, disclosing their personal information, some children may need more support than
what is expected based on their chronological age.
This applies in particular to children with special needs, such as children with intellectual
or disabilities.
Because the age of children and young people is so important for the possibility of
allow them to give consent that is legal, it may in some cases be necessary to
do age checks.

Tip!
Make children customized information
By adapting the information to the recipient, we can ensure to a greater degree
that the information reaches out. When the information is to be adapted to children, it is important that
Consider the following:
• Write in plain language.
• Not too long text.
• If guardians need to give their consent, it must be done early and clearly in
the text states that the child concerned has the right to the information.
• Children have different conditions. The information needs to be available in other languages
or be able to read aloud?
Sometimes it can be difficult to know if the information is child-friendly. One tip is
to involve a reference group of children in the production of a text.

read more about
age control in section seven, page 35 .

To think of!
• Regardless of whether children or adults have given valid consent,
data processing live up to the rest of the rules in the data protection
Regulation, such as the right to information on how the data
processed and adequate security of the data.
• Guardian consent is not required for prevention or counseling
services offered directly to children. The reason for this is that children should be able to
seek advice or support without the parents' knowledge, for example from Bris.
• According to the Convention on the Rights of the Child, every child has the right to express his or her opinion in decisions
concerning them. The best interests of the child should be considered and the child asked before
someone else gives consent to disclose the child's personal information.

21

Children's and young people's rights on digital platforms

Page 22

Legal requirements for consent
Consent must be voluntary

In order for a consent to be valid, it must be given completely voluntarily. With this
means that the person who agrees has a genuinely free choice and control over his
personal data. Voluntary consent can be explained by the following points:
• Without pressure. The data subject shall not feel compelled to
think. The consent is not valid if someone has been exposed to influence in connection
with that it was left, for example if one within the framework of a
customer club is forced to agree to consent to advertising
“For a consent
under pressure to otherwise lose bonus points.
must be valid
• With the right of withdrawal. Anyone who agrees must have the right to withdraw
it must be left
consent, which must be clearly explained. It should be just as easy
to give a consent as to withdraw it, otherwise it can
completely voluntarily.
become invalid. This is especially important when it comes to young people.
If the person who has given his consent cannot or may not revoke
without suffering negative consequences, consent is not voluntary.
If a consent is revoked, the person responsible for personal data must stop
the treatment based on the consent.
• Equal relationship between the person processing and the person whose tasks
treated. For consent to be considered voluntary, the relationship must
between the person who processes the personal data and the person whose personal data
treated as "equal" within the meaning of the data protection rules. For example, can
consent is not used as a legal basis in relation to students on
a school in teaching due to the unequal relationship between
students and the school. Students must go to school and get grades there and can therefore
do not feel that they can voluntarily say no. That is also the reason why
consent as a general rule can not be used as a legal basis in public
activities. However, consent can be used outside the school's regular
activities, for example in school photography.
Consent must be given for each purpose separately

A consent does not meet the requirement for voluntariness if you combine several purposes.
If there are several different purposes for why you want to use personal information
In order for it to be considered voluntary and valid, you must have consent for each purpose
separately. If, for example, a company wants to ask for consent to be allowed to use
their customers' information to turn to them with targeted advertising, partly give
customers the opportunity to participate in a special competition, so there are different purposes. To
Forcing customers to say yes or no to "all or nothing" is not legal.
In this context, let us recall the example from the section before, if
the online store that may need to process personal data for several different purposes.
You should then consider which legal basis is appropriate for each individual
goal. Is there personal information that is deemed necessary to, for example
be able to deliver goods?
Then the processing of personal data should be included in the purchase agreement with the data subject.
Do not include anything in the agreement that requires a separate consent, but let the terms of the agreement
the cows only consist of what belongs there.
For example, you may not condition the delivery of goods on the person being forced
consent to the disclosure of personal data to another company, if not
necessary for the purchase agreement to be fulfilled.

22

Children's and young people's rights on digital platforms

Page 23

The consent must be specified

In order for the young people who agree to understand what they are saying yes to,
the purpose of the purposes should be detailed and adapted to their age. The rules
has been added to protect users from a handling where the who should
processing the data is vaguely expressed in the belief that it can be used later
personal data for other purposes. It's not legal. Formulations such as
that the personal data will be used for "future commercial purposes" is
not sufficiently specified and does not give a legal consent.
Consent must express a clear expression of will

There must be no doubt that the person who is to give his or her consent is clear
has approved the handling. A statement or clear confirmation is required from
the registered. This should be a deliberate act. The design of interfaces
must therefore involve an active choice, such as ticking a box. Already
checked boxes or other so-called opt-out solutions, ie solutions
which requires an active act on the part of the person in order to escape consent,
is not legal. The same applies to formulations where silence or inactivity is done
to an active choice, such as “if you do not choose something, we assume that you
agrees ”.
Information is required when consent is obtained

When it comes to children and young people, you have to be extra vigilant
“You have to be
that they have really reached the maturity to understand and consent to
extra vigilant
the treatment. Information aimed at children must be written
in a clear and simple way. Keep in mind that minors have different
on that children and
prerequisites. Do you not know how old the person you are communicating withyoung really have
is? Design so that the very youngest understand. A basic rule for all actors
reached maturity
who wish to fulfill the Convention on the Rights of the Child
The right of man is to assume that the child must have the ability to understand to understand and
what it agrees to. If this is not taken into account, a consent can be given
agree."
be invalid. It is the person who collects the information who has to show
that the consent is valid. For an information to be considered clear enough
it must contain the following points:
• Who requests consent, ie who you are.
• What type of personal data you intend to process.
• For what purpose you want to use the person data. Is it more than one purpose,

”

describe each one.
• That it is possible to withdraw their consent and how.
The data controller must be able to show that valid consent has been obtained

The person responsible for personal data must be able to show that he or she complies with the rules.
The person responsible for personal data has the burden of proving that a valid consent has
obtained and because the data subject has received relevant information. Because
it is necessary to document how and when the consent was obtained as well
what information the data subject received.

Children's and young people's rights on digital platforms

23

Page 24

Checklist
for obtaining consent
Think about this before:

• Check that consent is the most appropriate legal basis
for the processing of personal data.
• Ensure that the request for consent is clear and separate
from other conditions.
• Avoid making consent a prerequisite for a service.
Inform the recipient about:

• Name of the person who is responsible for personal data for the service.
• Name of the data protection officer, if any.
• Name of any third party, such as another organization
which will receive the information.
• How the child withdraws his or her consent.
• That the child can refuse to consent without being affected by negatives
consequences.
Remember when you communicate:

• Explain why you want the information and what to do with it
them.
• Do not use pre-selected consent, for example through pre-marked
boxes. Consent must be an active choice.
• Use clear and simple language that is easy to understand.
• Be specific and provide clear options for different purposes,
set separate consents for separate personal data processing
lingar. Vague or general consent is not enough.
Create order and order the routines by:

• Document proof of consent: who, when, how and which
information provided.
• Continuously review the method for obtaining consent and
update it as needed.
• Keep consent requests separate from other terms
To be ready for a consent is revoked:

• Ensure that personal data can be deleted immediately.

Read more
Guidance from the data protection authorities' co-operation bodies:
www.datainspektionen.se/globalassets/dokument/riktlinjer-omconsent.pdf

24

Children's and young people's rights on digital platforms

Page 25

3. Risk assessment
Requirement to analyze risks prior to treatment of
personal data
You must always make a risk assessment before starting treatment
personal data. This applies regardless of whether you, for example, intend to launch a new one
app, a web service or your own channel. Throughout the ongoing
In the processing of personal data, you are also obliged to assess risks
"You have to
and otherwise protect and take care of the information properly.

always make one
risk assessment
before you start
a treatment of
personal data. "

The risk assessment determines which measures are required

The reason why a risk assessment must be made is that it provides answers
on what measures you need to take to protect personal data in
your specific business. You must implement appropriate technical and
organizational measures to ensure - and also be able to show that the processing is performed in accordance with the data protection rules. The measures that
must be regularly reviewed and updated as necessary. Technical measures
are, for example, measures for encryption or authentication. Organizational measures
may be about detailed procedures for the persons working with the
for example, that no more people than necessary take part in the tasks.
But how do you know what are the appropriate measures in the individual case? The
requires that you take into account the type of personal data processing involved
about, the nature of the personal data, the context and possible risks of the data
in the individual case. You need to think about how likely it is that an event
occurs which involves a risk to the personal data and the seriousness of the
if the event occurs.
An example of a risk can be if there is a lack of sufficient security, so
that "wrong" people have access to personal or sensitive information. It can
dealing with personal data that may lead to the risk of discrimination,
theft of property, fraud, financial loss or damage to reputation. The higher
probability of risk, the higher the security required.
In addition to the risk to the individual's personal integrity, you should in your risk assessment
take into account the risk of human rights under the European Convention
endangered, such as freedom of speech, freedom of thought, free movement, prohibition of

Children's and young people's rights on digital platforms

25

Page 26

discrimination, right to liberty and religion. Also the special rights that
children and young people have according to the Convention on the Rights of the Child shall be covered by your risk analysis, among
other that children should be protected from all forms of violence and discrimination and that
the principle of the best interests of the child and the right of children to be heard are taken into account.

Impact assessment
If the risk assessment shows that your planned personal data processing is
as well as leading to a high risk of violating the rights and freedoms of individuals
According to the GDPR, a special so-called impact assessment is required.
According to the data protection rules, an impact assessment is always required in the following three
case:
• In the systematic and comprehensive assessment of natural persons' personalities
aspects based on automatic processing, including profiling.
• When processing sensitive personal data on a large scale.
• In the case of systematic monitoring of a public place on a large scale.

read more about
profiling in section twelve, page 42 .

What this means in practice is clearer in the Data Inspectorate's list
over when an impact assessment is to be made. The list is made with help
of guidelines and criteria from the European Data Protection Board (EDPB).
According to the list, an impact assessment must be made in the following, among other things
case:
• A company uses customers' location information, such as
obtained via a mobile app, for the purpose of targeting marketing to the customer or
plan their marketing strategies.
• A company collects information from social media to profile physical
people and then target marketing to
certain selected groups. Keep in mind that according to the Marketing Act
prohibited from targeting marketing to children under 12 years of age.
• An internet search engine collects information about individuals who use
the service for creating customer profiles and targeting marketing.
If the impact assessment shows that the risks cannot be limited sufficiently
and that there is a continued high risk, prior consultation with the Data Inspectorate
before starting treatment. Such consultation requires that you document yourself

European Data Protection Board,
European Data Protection Board, EDPB
An independent European body that contributes to data protection rules throughout
The EU / EEA is applied uniformly. Also promotes cooperation between data protection
and provides general guidance for clarifying concepts and interpreting them
rights and obligations arising from the rules of the Data Protection Regulation.

26

Children's and young people's rights on digital platforms

Page 27

impact assessment and account for the risks that remain and
why they could not be remedied.
The Data Inspectorate has the opportunity to ban a treatment that
contravenes the Data Protection Regulation. As personal data manager
As a general rule, you should only have a personal data assistant
contact with a country's regulator, the so-called 'responsible'
supervisory authority ”. To know which supervisory authority is
responsible, you must find out where your main or only part of
the business exists.

Risk assessment according to GDPR:

Consequenceassessment

New

Probably

treatment

High risk remains

high risk

despite measures

Initial

Pre-

risk analysis

consultation

read more about
how a child impact assessment can be done in section two, page 16 .

Children's and young people's rights on digital platforms

27

Page 28

Sensitive personal data
Some personal data are by nature particularly sensitive and therefore have a stronger
protection. They are called sensitive personal data.
Sensitive personal data is information about:
•

ethnic background

•

political opinions

•

religious or philosophical belief

•

membership in a trade union

•

health

•

a person's sexual life or sexual orientation

•

genetic data

•

biometric data used to uniquely identify a person.

As a general rule, the processing of sensitive personal data is prohibited. But it
there are exceptions; for example, non-profit organizations with political, philosophical,
for religious or trade union purposes, process sensitive personal data about its members.
It is also legal to process sensitive data about the data subjects explicitly
has given his consent.

To think of!
There are many other types of personal information that are special
worthy of protection and which in practice may require the same safety measures
as sensitive personal data. It can be, for example:
•

Financial information.

•

Information that someone has committed a crime.

•

Valuable data, such as data from development
conversations, information about results from personality tests or
personality profiles.

•

Information concerning someone's private sphere.

•

Information about social conditions.

Personal data incident
Involves a security incident that could pose risks to human freedoms
and rights, such as discrimination, identity theft, fraud, harmful
dissemination, financial loss, or breach of confidentiality or professional secrecy. One
personal data incident has occurred, for example, if data on one or more
injured people have been destroyed or fallen into the wrong hands. All organizations
must report certain types of personal data incidents to the Data Inspectorate
within 72 hours of the discovery of the infringement.

28

Children's and young people's rights on digital platforms

Page 29

4. Deletion requirements
and information
How can the rights of children and young people be secured?
personal data processing?
Adapt information according to age

Everyone, children as well as adults, has the right to receive information about what is going to happen
with their personal data. Informing children often requires extra
reflection. Children can be assumed to be less aware of the consequences and risks.
To carefully explain the current risks that apply in a particular situation and the measures
taken by the activity will help children (and their guardians)
neither) to understand the consequences of sharing their information and insight into how they
can protect their personal data and their privacy.
You must provide short and clear information that is adapted to the child's age.
If possible, you should use in addition to written information
simpler diagrams, illustrations, graphics or moving material that can get the kids
interested in the information. If the business's target group covers a wide range
age range, one solution may be to create different versions for different ages. If
you choose to have only one version, you must make sure that it is available to everyone and
can be understood by the youngest target groups and those with intellectual or neuropsychiatric
kiatic disability.
In cases where the guardian's consent is required for the processing of personal data,
it is primarily those who have the right to information. Despite this, do not lose
the child their rights. In practice, this means that you give both guardians
and children clear and easily accessible information. As I said, this can be achieved
by developing different versions of information for different audiences, or
by producing only a child-friendly version.

Children's and young people's rights on digital platforms

29

Page 30

Requirements for information
The information shall be free of charge, in an easily accessible form (which may be
tronic) and with a clear and simple language. In the Data Protection Regulation
states in detail what information is to be provided, among other things it must contain
contact details of the controller, the legal basis for
the treatment and the purpose of the treatment.
Information must be provided both when the personal data is collected and when it
registered request it. Information must also be given to those concerned, if any
for example, a data breach or the like (a so-called personal data
incident) with the personal data controller and there is a risk of personal data
leaked which could lead to, for example, identity theft or fraud.

Tip!
Children as a reference group
When child-adapted information is to be produced, it can be difficult to know how
the information is experienced by children. A way to ensure that the information is experienced
is correct to have children in a reference group who can read through and leave
views on the substrate.
How to reach children?
• Get in touch with a school class, children and youth organization and so on.
• Use a pop-up box on the website with a request for participation.
• Send out a request in newsletters or similar.
Get inspiration for what child-friendly information can look like:
www.youmo.se/

Register extract
The registered person has the right to contact you to find out what personal information
you deal with the individual and in what way. You must then give the person a so-called
register extract.
The register extract shall contain information on the data processed
read, where the data comes from, the purpose of the processing and to whom
recipients or categories of recipients to whom the information was disclosed. Registerutthe draw must normally be given no later than one month after the request has been received.
There may be circumstances that cause all information in the
the extract should not be disclosed, for example due to provisions in another
legislation (such as confidentiality) or that the disclosure of the information entails
disadvantages for others. The person responsible for personal data should be able to explain clearly
with which support it may deny access to personal data.

30

Children's and young people's rights on digital platforms

Page 31

Right to erasure ("right to be forgotten")
Both children and adults have a certain right to have their personal data deleted. Also in
the cases where the original collection and treatment has been lawful can
the data need to be deleted at the request of the person concerned.
When someone asks to have their information deleted, you must comply with it in
including the following cases:
• If the information is no longer needed for the purposes for which it was collected.
• If the treatment is based on consent and the person concerned withdraws
consent.
• If the processing takes place for direct marketing and the person concerned does not want to
ha reklam.
• If the personal data has been processed illegally.
• If deletion is required to fulfill a legal obligation.
• If the personal data refers to minors and collected in connection with
that the child creates a profile in a social network.

Tip!
Counteract threats and hatred
In need of materials to counter threats and hatred? On behalf of the government operates
The Swedish Media Council's No Hate Speech Movement, a campaign which, among other things
carried out with the aim of raising awareness of racism and similar forms of hostility
on the internet among children and young people.

Information materials, educational tools
and reports in the field:
statensmedierad.se/nohate.1295.html

Children's and young people's rights on digital platforms

31

Page 32

To think of!
Guardians do not need to be involved in deleting information about it
as far as the data is concerned is old enough to make the decision. Deletion must be done
if the child desires this and has reached an appropriate age to determine
over their information, even if it was the guardian who originally gave
consent.
• If the child is old enough to give their own consent, you should not accept one
request for deletion from a guardian without taking into account the child's
wishes.
• It should normally be as easy for a child to delete their data as it is to
leave them. Make it easy for children to understand what applies and show how they
can exercise the right to be forgotten.
• The right to be forgotten does not always apply. There are some compelling reasons that
means that the data controller may in certain cases retain personal data
the poisons, despite the individual's objections. For example, it could be about that
personal data may be processed on the Internet due to freedom of expression
reason. A search engine that receives a request for a search result to be deleted should
for example, make a balance between, on the one hand, the person's right to protection
of their privacy and, on the other hand, the right of Internet users to information.
Circumstances that suggest that a search hit should be deleted are, for example, about
the person is a minor or was a minor when the data was published.
That a search hit leads to outbursts and unpleasant comments does not mean
necessarily that it should be removed if at the same time it is clear that it
is a matter of someone's personal opinions. The context in general also plays a role
role. For example, information published on a discussion forum does not have
the same credibility in the eyes of the public as information published in
an established newspaper.

read more about
at what age children can decide on their personal data in section two,
page 20.

More information
Guidance from the data protection authorities' co-operation bodies
www.datainspektionen.se/globalassets/dokument/riktlinjer-om-oppenhetand-information-to-registered.pdf
What information should be given in different situations?
www.datainspektionen.se/lagar--regler/dataskyddsforordningen/deregistered-rights / # information

32

Children's and young people's rights on digital platforms

Page 33

5. Online tools
How can the tools become clear to children and young people?
By online tools we mean in this context mechanisms to help
Individuals to exercise their rights easily when online.
Children and young people have their own rights that are considered particularly worthy of protection. Everyone who
processes personal data are therefore obliged to facilitate especially for children
and young people who want to exercise their rights. One way to do this is to offer
online tool for downloading, deleting, restricting or correcting personal data.
The tools can also be used to download personal data or for
to allow users to file complaints.

To think of!
• Make it clear to children and young people that online tools are available. It can be done
by clear icons and by highlighting the tools in the user
interface. As always when you turn to children and young people should
information is provided in an efficient and concise manner.
• A rule of thumb is that the information should be understood by an average
member of the intended target group. It is especially important to have one
clear language in the information where the child's maturity and age have
taken into account.
• Also keep in mind that children of the younger ages and children of different types
of disabilities may need and are entitled to information in one
format specially adapted for them.
• Not everyone appreciates online tools and automated processes. You
also need to handle requests that come in in other ways, such as
via e-mail and letter.

Children's and young people's rights on digital platforms

33

Page 34

6. Save and protect
personal data
Tip!

Minimum of data
Since all data collection on children and young people can be said to be
sensitive to some extent, it is of extra importance to respect the basic principle of
to collect as little information as possible about the group. The principle called for
data minimization means that you should never process more personal data
than is necessary and that the personal data processed must be clear
connected to the purpose, that is, to belong to the matter. Before each new treatment
of personal data, you must therefore decide which personal data you need.
as a minimum for the treatment to be carried out.

Protect children from
to share data on one
inappropriate way
Set privacy
settings for apps
with "do not share" as
standard.
Create an extra popup box that warns of

Design for protection

the consequences of one
choice the child is about to
do.

Collecting only what is absolutely necessary requires adapting it
Design crucial
service or the system used to collect personal data. This
decision in several steps, with
is called privacy by default. For a web platform can
delay, to give
reflection time.
it is, for example, about designing the interface so that the default settings
means that no more information than necessary is collected, distributed or
Include a clear,
child-friendly explanation of
is shown. You must already take into account when designing IT systems and routines
the increased functional
data minimization and other privacy protection aspects. This is called built-in
and its risks
privacy by design and means that you must integrate data protection in
when the child activates
time and incorporate it into your working methods. You must therefore design treatment,
"Split mode".
products and systems with the knowledge that children are considered particularly worthy of protection
and that they should be able to feel secure when using online services and that
their right to privacy and privacy is respected.

To think of!
It is easier to integrate a child-friendly design into a system or product
from the beginning than to try to add the latter. Here, a consequence
assessment can be used as an aid to more easily arrive at how
the system needs to be designed. Also for such personal data processing
s that entails a lower risk, a consistent assessment is a good help to
detect and then assess and mitigate data protection risks for the child.

read more about
impact assessment in section three, page 26 .

34

Page 35

Children's and young people's rights on digital platforms

7. Age control
When is it appropriate to check age?
Depending on the context, it may in some cases be legal to carry out age checks
trolls.
The age of a child can, for example, affect whether he can consent to a perzone data processing. Age can also be important for risk assessment.
Therefore, in some cases it may be appropriate or necessary for you to check
the age of a child. This is only legal when there is a clear need. Beyond
data protection rules, there are obligations in other regulations in relation to
children where age control could be relevant. For example, suppliers
of video sharing platforms obliged to take appropriate action so that content
which is harmful to children (for example, depictions of violence of the faithful of reality
character or with pornographic images) is not provided in such a way that
there is a significant risk that children may experience it.
There are no exact rules on how age checks should be done, but they should
preceded by a risk assessment and does not lead to unreasonable treatment of
tasks. More in-depth age checks can in themselves be sensitive to privacy. Let
say that a risk assessment is made and the risk is judged to be low. Then it can
for example, just ask new users to enter their year of birth or fill in one
forms in which they certify that they are not children under a certain age. In-depth conTrolls can then be carried out if doubts arise.

read more about
risk assessment in
section three, page 25 .

The principle of finality
The principle of finality means that personal data at a later time should not
treated in a manner incompatible with the original purposes. Principles
is intended to prevent collected personal data from being used in a way that is not
was stated at the time of collection.

More information:
Basic principles of the GDPR
www.datainspektionen.se/lagar--regler/dataskyddsforordningen/grundlagnandeprinciples /

To think of!
• Decide if age control is really necessary.
• Collect as little personal information as possible.
• Do not use personal data collected for age control of others
purposes, the so-called finality principle.
• In addition to legal rules, there is self-regulation in some industries such as
sets age limits that may be relevant to age control. An example
is PEGI, which is a European standard for age recommendation
labeling of computer games.

Children's and young people's rights on digital platforms

35

Page 36

8. Share further
personal data
Is it allowed?
Sharing personal information may be permitted as well as unauthorized. What ever
applies in a specific case depends on the purpose for which the data were collected
beginning.
Based on what is considered to be the child's best interests, a balance is needed
if the sharing of the child's personal data is appropriate. Consideration needs to be given
the child's right to participation and information, as well as the child's right not to
exposed to encroachment on their privacy. According to data protection rules, that is the purpose
which determines whether you can share children's and young people's personal data. You have to
therefore be clear to you why you collected the information from the beginning.
Is the purpose of sharing information such an original purpose, as
you have informed the individuals about, found a legal basis for and from the beginning
investigated whether it otherwise meets the requirements of the GDPR? Then it is likely that
is allowed.
Is the purpose of sharing information a new purpose? Then the division can
be impermissible.

Is the redistribution of the data an original
purpose?
First of all, you must therefore be clear about why you should process personal data.
the toxins already when you start collecting them. The purposes set the framework
for what you may and may not do, for example what tasks you may process and
how long you can save them. It is the purpose that determines whether you can share further
personal data of children and young people.
According to the data protection regulation's principle of purpose limitation, it is only
allowed to collect personal data for specific, specifically specified and justified
purpose. The data subjects are, as we reasoned about in previous sections, right
to obtain information about the processing of personal data. Among other things, they must get
know which recipients are to receive the personal data.
Is the redistribution of tasks one of your original purposes?
it allowed if you, when the treatment began, had a legal basis and gave
information to the data subjects.

Is the new purpose compatible with the original
purpose?
If the redistribution is a new purpose, you should ask yourself the following question: Can it
new purpose, to share information, is said to be compatible with the original
all the goals? If yes, you can rely on the same legal basis as you
had when you collected the personal data. To find out about the new
purpose is consistent with previous purpose the following questions are helpful:

36

Children's and young people's rights on digital platforms

Page 37

What type of personal data should you process when redistributing? Is
sensitive data?
What personal data processing can the registrants reasonably expect?
What connections are there between the purposes of the original
personal data processing and the new one? How close is the new endthe case of the former about whom the data subjects received information?
In what context have you collected the person's information? What a relationship
have they registered for your business?
What consequences can the processing of personal data have for the data subjects?
What protection measures do you have, such as access control, encryption and
pseudonymization?

read more about
how a child impact assessment can be done - see section two, page 16 .

What do we do if the new purpose is not compatible with them
original purposes?
If the redistribution of personal data is not compatible with the original
purposes, it is a matter of a completely new processing of personal data.
You must then start over and find a legal basis for personal data
poison treatment and reconcile so that it complies with other rules of the GDPR.

To think of!
• What has been described above are the conditions for legally giving up
person data to another business. The business that receives
personal data also need support for their processing in the GDPR.
• You must always provide information that the information is to be shared with
the minor or his guardian (depending on whether the child can
is said to be old enough to decide for himself whether the processing of personal data
Gene).
• It can be more difficult for children to fully anticipate the consequences of
even personal data is shared further. That is why it is extra important to protect
children's personal data and personal privacy.
• Higher demands are placed on simple and easy-to-understand information when
is aimed at minors.

Children's and young people's rights on digital platforms

37

Page 38

9. Use personal data
for marketing purposes
Is it legal?
Under certain conditions, it is legal to use personal data in
for accounting purposes. There is no absolute ban on this, but you must be sure
that you live up to current rules in the area. If you want to use children
and young people's personal data for marketing, you must always start from what
which is judged to be in the best interests of the child.
To use minors' personal data for marketing purposes
may, for example, be about sending advertising via e-mail (direct advertising) or that
target custom ads to children and young people on platforms they visit.
Internet marketing comes in many different forms, such as
banners, commercials on video sharing platforms or in games or other such
children often use. There is also marketing embedded in social
media.
Before you use children's and young people's personal data for marketing purposes
should you according to GDPR:

• Make an impact assessment.
• Find a legal basis.
The legal basis that often becomes relevant in the processing of personal data for
Marketing is a balance of interests.
Children are less aware of risks but at the same time deserve a special one
protection under the rules. Therefore, it is important to consider in a balance of interests
and protect children from risks that they may not be able to assess themselves and
consequences that they themselves are not aware of. This is especially true for
the use of children's personal data for marketing purposes, to create
user profiles and in services aimed directly at children.

read more about
interest balancing in
section one, page 15 .

More information
the Consumer Agency.
see / for-make /
marketing /
the Marketing Act

To think of!
• Children have the same right as adults to object at any time to
treklam. If you accept such an objection, you must stop
mailings. That this right exists, you must inform in the first place
sent to the minors or before you start processing personal data
erna. There must be established routines to stop that type
of mailings.
• In addition to the data protection rules and the Convention on the Rights of the Child, there are other rules
to keep track of for those who want to target marketing to children and young people.
The Swedish Consumer Agency has developed a useful guide on what
applies according to the Marketing Act for advertising aimed at children and young people.
It is also not prohibited by these rules to target marketing
internet for children, but there are some rules to follow:
• It is forbidden under the Marketing Act to direct direct advertising to
children under 16 years.
• A child must understand what is advertising and what is not. Because
Advertising may not be designed as games, games or the like. Advertising is not allowed
nor is it baked into games on the internet so that children do not understand what is
advertising in the game.

38

Children's and young people's rights on digital platforms

Page 39

10. Geo-location data
May data be used that tells where children and young people are
is located?
What is in the best interests of the child may vary depending on the individual situation, but which
As a general rule, data telling where children and young people are should not be used.
Geolocation data (location data) is data on, for example, a mobile
the geographical position of the phone or tablet at a given time. Location data can
make it possible to draw in-depth conclusions about the privacy of the persons
the information can be linked to, such as their habits, where they live, places they visit,
movement patterns, activities and social relationships.
Location data is seen as very privacy sensitive. In general, the risks increase
invasion of privacy with the amount of data and the degree of precision, because
it enables a more detailed mapping of the person. Even individual tasks
for example, the exact place where a child is currently located may be
sensitive within the meaning of data protection rules. If a task, for example, is about
regular visits to a clinic, it is possible to draw conclusions about health, information
which is to be regarded as sensitive and requires special legal support.
In addition to the data protection perspective, it means the ability to track a child
place a risk that the data will be misused for the purpose of endangering children's physical
security. A lasting division of space can also mean that children's feeling of
own space is restricted, which jeopardizes the rights of children and young people. The court
to privacy means that children may not be controlled or exposed to arbitrariness
or illegal interference in their private and family life.

To think of!
• In the case of children and young people, the basic setting should be location data
not treated, unless there are compelling reasons to do so and the child
best has been considered. As for all personal data processing requires
use of location data support in all rules of the Data Protection Regulation.
• Make an impact assessment, consider the legal basis, ensure adequate
security of the data and provide information to the data subjects.
• Make children and young people aware of when site data is collected, for example
by displaying clear symbols. Technology itself can make it difficult
minor users to understand when person data is collected and which
consequences it may have.
• Do not store data longer than necessary and use as much as possible
methods for deidentifying personal data.
• In addition to the data protection rules, the Electronic Communications Act
specific rules on location data from apps and mobile
web. This is the supervisory authority of the Swedish Post and Telecom Agency (PTS).

More information
Mail and telephoneboard
pts.se/

Children's and young people's rights on digital platforms

39

Page 40

11. Parental control
By means of parental control tools is meant various digital solutions that provide
parents or guardians the ability to restrict or control what children
and young people can do on the internet. These may be restrictions on access
to the Internet but also which services or apps can be used, which web
places that can be visited or amount limits for purchases in apps. It can
also be tools for monitoring what children and young people do on the internet or where
they are.

Guardians must take into account the child's wishes
According to the Convention on the Rights of the Child, children's right to privacy must be respected. Tools for
parental control may therefore only be used if the child has the opportunity to understand that
it is monitored and how.
Children should not be controlled or subjected to arbitrary or illegal interventions
in their private and family life. As a guardian, you have the main responsibility
for the child's upbringing and development based on what is considered to be the child's
top. Parents here have a difficult balancing act to follow, as it should be
aware of. According to both the Parental Code and the Convention on the Rights of the Child, the parents are
obliged to protect their children. They also have a great deal of control over it
the child. Guardians must, in step with the child's increasing age and development
increasingly take into account the child's views and wishes. The older the child is,
the more consideration must be given to the child's will and co-determination. This should
guardians who use tools for so-called parental control take into account
to. Parents must therefore talk to their children, tell what different tools
is there to take in the child's opinion before using a tool. Here must
also the parent, among other things, take into account the child's right to privacy, to do
a balance of which tools to use, how and when. It is important to
guardians make a nuanced assessment before using a tool, and
talk to the child about the tool, including why it should be used.

Advantages and disadvantages of parental control
The tools are important because they can be used to support adults when needed
to protect and promote the best interests of the child. But such monitoring can also
have a negative impact on the rights and rights of children and young people. It can limit
their opportunity for privacy, play, freedom of association and access to information
and freedom of expression, which in turn can affect the development of their own
identity.
The tools can also risk lulling guardians into false security. What
For example, for content filters, it is very difficult, perhaps even impossible.
to develop technology that filters just the right amount. In practice, the filters take
remove either too little or too much, which creates different types of problems.
A filter that removes too little content can cause the guardian to drop
their vigilance and believe that the filter solution has made the internet a safe zone for
the child. In fact, not everything is filtered out and the child may be exposed
for unwanted content.

40

Children's and young people's rights on digital platforms

Page 41

A filter that removes too much content is also problematic. Let's say
that the user thinks they have installed a filter that, for example, stops porn
graphics, where the tool effectively prevents access to serious sexual information
sites. Overblocking has been shown to hit those hardest
to find information offline, such as young LGBTQ people.
Children and young people can also round the filters by connecting with friends
or in other contexts where the guardians' rules do not apply.
Information about the challenges with content filters can advantageously be provided
users. The recommended method is to talk to the children, who
otherwise risk being left alone with their experiences.

Inform the child
If you offer parental control tools, you should provide age-appropriate
information to the child about this. These can be symbols or icons, for example
which shows the child when such tracking takes place.
Information to parents about the child's rights is also valuable in this context
to privacy. In other respects, as with all use of services and tools
in which personal data are processed, to comply with the rules of the GDPR on a legal basis,
security, risk assessment, information and more.

read more about
liability of parties in accordance with the data protection rules in Chapter One, page 7.

To think of!
• Everyone is responsible for their own handling of personal data, both
holder of a tool for parental control, guardians or others
user.
• If you provide content filters, you can advantageously inform yours
users about the risks of using such a tool.

Children's and young people's rights on digital platforms

41

Page 42

12. Profiling
May the personal data of children and young people be used for
categorization of individuals?
Both children and adults have the right not to make decisions based solely on
automated decision-making where profiling has been part of the process. This
applies if the decision can have a strong impact on the individual.
With regard to other profiling that is not about automated decision-making
nothing is specifically stated in the GDPR. When you want to use profiling regarding
children, you must still observe all the rules, just as in all personal data
poison treatment. The assessment of what legal basis is relevant for one
profiling depends, as always, on the purposes. If the profiling is necessary
for a service, one can possibly rely on the agreement on the service as legal
basic. Profiling with the sole purpose of protecting children would rely on it
legal basis balance of interests, based on what can be assumed to be the child
top. Consent is often required for profiling, as profiling is considered a lot
sensitive to privacy and in most situations is difficult to defend in a relationship
to both the Convention on the Rights of the Child and the data protection rules.

What is meant by profiling?
Does any form of automatic processing of personal data then involve a quantity
information is compiled and analyzed for the purpose of assessing certain personal
characteristics, in particular to analyze or predict, among other things, the person's
health, personal preferences, interests, reliability, behavior, whereabouts or
transfers.

About cookies
Many websites create small files with information about their visitors
and stores them in visitors' browsers. These are called cookies (English:
"Cookies") and are often needed for profiling. As a general rule, consent is required for
to use cookies. This is regulated in the Electronic Communications Act
(LEK), over which the Swedish Post and Telecom Agency (PTS) is the supervisory authority.

More information
Mail and telephoneboard
pts.se/

42

Children's and young people's rights on digital platforms

Page 43

13. Nudging
Is it allowed to influence children's and young people's choices with help
of design?
Digital "nudging" is usually used to describe how a website can control
users' choices through how the experience is designed. By giving users
a push (English: ‘nudge’) in a certain direction, it is possible to almost
marked control their behavior. Depending on the purpose for which the design technique is used
is it allowed to influence children's and young people's choices with the help of design. It can
be a matter of impermissible nudging if the child in practice has not, or only has
limited opportunities, to be able to make well-balanced choices relatively easily.
In a choice situation with the options yes and no to certain personal data processing
nudging can be practiced, for example, by displaying the yes option as a major
green button and the no option with a small, indistinct text. Another example
is to simplify a particular choice by offering a click for one choice but one
complicated process with many clicks for the second.

When nudging, stick to the rules
The GDPR does not prohibit nudging, but it generally goes against the principle of
accuracy and transparency of data protection rules. Children and young people have the right to
adapted information based on age and maturity in order to be able to
read more about
rat decision. It is important to counteract processes that are misleading to children.
consent and at
To use nudging in a process that aims to obtain consent
what age children
certain treatment may, for example, mean that the consent is considered invalid. Through
can agree to
to use nudging, we risk jeopardizing the requirements for consent to be
section two, page 20.
informed and done through an unequivocal expression of will.
Nudging can also be problematic when using preset age
option. This can lead to children and young people giving incorrect information about their age.
It is therefore not recommended.

To think of!
It is often not the design technology itself that is the problem, but how it is used.
Nudging can be used, for example, in ways that are completely in line with the
protected principles and the rights of children and young people, to guide users to
the alternative that provides the strongest privacy protection.

The principle of correctness and transparency
According to the GDPR, this means, among other things, that the processing of personal data must be
understandable and comprehensible to the data subjects and not to be done in secret or manipulative
way. The information about the treatment should be easy to find and formulated in one
way that is simple and understandable.

Children's and young people's rights on digital platforms

43

Page 44

14. Connected toys
What applies to devices that collect data?
Even before an item is purchased and installed, it should be easy to understand that
the object is connected to the internet and the way in which it collects
tasks. When it comes to toys, it is extra important that the information is simple
and clear. Play and toys are an area that is traditionally not associated
with the collection of personal data. On the contrary, the game often involves exploration
and experimentation where the child can try different ideas, roles and whims in one
safe environment. It therefore becomes extra important that information about data collection in
these contexts are presented in a way that is easy for the child to understand.

Examples of connected toys and devices
(internet of things)
By connected toys and devices is meant physical products such as
is supported by features provided through a digital connection.
• It can, for example, be about stuffed animals that the child can talk to, there
what the child says is recorded. The information in the form of audio clips is transferred to
servers, analyzed mechanically and generate instructions for custom
replies sent back and played. The child can perceive it as one
conversation with their pet and thus attracted to share potentially
privacy sensitive data.
Another example is activity or health bracelets that are continuous
records potentially privacy-sensitive information about the child's physical
activity and transfer the data to servers where it is compiled, stored and
is used to appear as activity reports in an app.
Another example is so-called voice assistants installed in users'
Home. These speakers pick up voice commands and can communicate
information from the internet to the user, such as reading news and
weather, book services or order products. The speakers can collect one
amount of information that users did not intend to share. If highbecome part of everyday media can the awareness of the ongoing
information gathering decrease.

Well-thought-out information for users
It is crucial that providers of these connected products and services
ensures that children, young people and guardians receive the information they have
right to. It is important to think about how connected devices work
and at what times it is most appropriate to communicate certain information to
the child or guardian.

44

Children's and young people's rights on digital platforms

Page 45

Information at the time of purchase
Clear information that the product processes personal data must be provided
users at the time of purchase and before the product is installed. This can be done
both on the packaging of the physical product and in the instructions for use,
with an icon indicating that the product is connected and handles the user
their personal data. Potential buyers should be able to take advantage of the privacy policy,
terms of use and other relevant and customized information online without
first need to buy and install the product.

Information during installation
During the installation process of the connected toy or product is given
a good opportunity to inform about how the service works, how personal information
used and the consequences thereof, especially if the installation is done with help
of a screen-based interface. This is especially important if the child continues
use of the product is not screen-based, as it may limit
the possibilities of continuously transmitting information to the child.

Who is responsible for what?
Different actors can contribute different parts in the provision of a connected
subject. Therefore, as previously mentioned, it is important to sort out the question of who
who is the personal data controller or personal data assistant and for which parts of
the personal data processing for which each party is responsible.
What obligations you have varies depending on what roles you have. If you
as an actor hires another company (a personal data assistant) to assist
As a person responsible for personal data, you have an overall responsibility for the service. In this case
applies, among other things, to ensure that the assistant also follows the rules. The product must
have appropriate safety measures in place to reduce risks such as unauthorized use
access to the data or that the product is hacked to track where the child is
is located.

read more about
personal data controller and personal data assistant on page 8.

More information
www.barnombudsmannen.se/barnombudsmannen/barnkonventionen/
www.barnombudsmannen.se/globalassets/dokument-for-nedladdning/
publications / en-skrift-om-barnkonventionen-uppdat.pdf

Children's and young people's rights on digital platforms

Page 46

To keep in mind when designing connected things!
• Make the default settings privacy friendly.
• Avoid passive collection of personal data and make it clear when
ten collects personal data. For example, a light may come on when the device
records audio and video or otherwise collects personal information.
• It should be easy to switch off the collection mode on the device, for example
show directly on the device with a "connect" button or via
features online. It should be possible to use the toy or device without
connection to the extent practicable.
• A connected device may be required
used simultaneously by users in different
ages. This is especially true of smart speakers
and voice assistants intended for placement in
home, which may come to treat
personal data on the majority of household
limbs and visitors. Connected toys
can be used by many, by borrowing
out or used by several children playing
together. Services and products should
therefore adapted for the use of all these
target groups. As for smart speakers can
it may be appropriate to enable the creation
of different user profiles, which can be customized
based on the age of the users.

45

Tip!
Make a reference group
Feel free to make a reference group of children when designing a toy. Then you can get
find out if the target group of children really understand when information is obtained and when they
do not.

46

Children's and young people's rights on digital platforms

Page 47

More information
and guidance
The Children's Ombudsman
www.barnombudsmannen.se/barnombudsmannen/barnkonventionen/konventionstexten/
www.barnombudsmannen.se/globalassets/dokument-for-nedladdning/publikationer/
general-comments / ak-20-svenska-formaterad.pdf
www.barnombudsmannen.se/globalassets/dokument-for-nedladdning/ak14_2019.pdf

Breeze
www.bris.se/for-vuxna-om-barn/vanliga-amnen/unga-och-internet/barnets-vardag-pa-natet/

Council of Europe
rm.coe.int/guidelines-to-respect-protect-and-fulfil-the-rights-of-the-child-inth / 16808d881a
www.coe.int/en/web/children/-/for-children-by-children-learn-about-your-rights-inthedigital-environment-

Friends
www.dropbox.com/sh/w9pd82tqelkb4o2/AACIWnFZTp5-UXa3FYitEb0ha?dl=0&preview=
Friends_natrapport_2017.pdf

Save the Children
www.raddabarnen.se/rad-och-kunskap/foralder/skydda-ditt-barn-fran-att-raka-illa-ut-panatet /

Surf calmly
surfalugnt.se/

The EU Code of Conduct
ec.europa.eu/info/policies/justice-and-fundamental-rights/combatting-discrimination/
racism-and-xenophobia / eu-code-conduct-countering-illegal-hate-speech-online_en

Children's and young people's rights on digital platforms

Page 48

This is a guide from

47

