!
22
Data Protection
No.
2019
service, is conditional on consent to the processing of
personal data that is not necessary for the performance of
that contract.
33. (1) Every data controller or data processor shall
not process personal data relating to a child unless—
Processing of
personal data
relating to a child.
(a) consent is given by the child’s parent or guardian;
and
(b) the processing is in such a manner that protects
and advances the rights and best interests of the
child.
(2) A data controller or data processor shall
incorporate appropriate mechanisms for age verification
and consent in order to process personal data of a child.
(3) Mechanisms contemplated under sub-section (2)
shall be determined on the basis of—
(a) available technology;
(b) volume of personal data processed;
(c) proportion of such personal data likely to be that
of a child;
(d) possibility of harm to a child arising out of
processing of personal data; and
(e) such other factors as may be specified by the Data
Commissioner.
(4) A data controller or data processor that exclusively
provides counselling or child protection services to a child
may not be required to obtain parental consent as set out
under sub-section (1).
34. (1) A data controller or data processor shall, at the
request of a data subject, restrict the processing of personal
data where—
(a) accuracy of the personal data is contested by the
data subject, for a period enabling the data
controller to verify the accuracy of the data;
(b) personal data is no longer required for the purpose
of the processing, unless the data controller or data
processor requires the personal data for the
establishment, exercise or defence of a legal claim;
Restrictions on
processing.