SaaS Agreements – GDPR – Age of Consent

The General Data Protection Regulation (“GDPR”) and the new Data Protection Act 2018 (“DPA”) now apply in the UK. SaaS suppliers and SaaS customers must comply with the terms of both the GDPR and the DPA. SaaS suppliers and SaaS customers should be aware that the GDPR does not fully harmonise data protection law throughout the EU, as each EU country may introduce their own requirements in certain instances (“derogations”). SaaS suppliers and SaaS customers who operate in, or collect or process personal data from persons located in different EU countries need to be aware of  the different rules in each EU country.

One example of a derogation is the age of consent which will be discussed in detail below.

Age of Consent

Under the GDPR the default age for obtaining parental consent to the processing of personal data of children using online services is 16. Each EU country can derogate from this general rule and lower the age of consent to 13.


To date, only a few EU countries have enacted their own local data protection law setting out such a derogation to the age of consent. For example, in the UK the DPA states that the age of consent for children is 13. In Germany the new data protection law (“BDSG”) does not derogate from the GDPR age of consent which remains at the default age of 16.

Many EU countries have not yet passed their own local data protection law setting out derogations, so the positon on the age of consent in such countries is currently the default of 16, but this may change when each country passes its own local data protection law.

Current Local Variations

Currently the following EU countries have either lowered the age of consent in their local data protection law or have indicated that they will do so:

  • 13 years of age – UK, Belgium, Czech Republic, Denmark, Estonia, Portugal, Spain, Sweden
  • 14 years of age – Bulgaria
  • 13 or 15 years of age – Finland
  • 15 years of age – France, Slovenia

Parental Consent

Where SaaS suppliers or SaaS customers are collecting or processing the personal data of children, they will need to regularly check the rules for each country in which they are collecting or processing the personal data of children. Technical and legal measures will need to be implemented and updated to ensure that the local rules on parental consent are complied with in each applicable EU country. This will apply not only to EU SaaS suppliers and SaaS customers, but any entity located outside of the EU which collects or processes the personal data of children located within the EU.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 15 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: