Implementing Regulation of PDPL Article 13outlines how personal data rights and consent apply when the data subject is someone who fully or partially lacks legal capacity (such as a minor or someone under legal guardianship). In such cases, the legal guardian can act on behalf of the data subject but must do so in the data subject’s best interest. The Controller must verify the guardian’s legal authority and ensure the data subject’s rights are protected and transferred to them when they gain legal capacity.
Considering applicable legal requirements, the legal guardian of the Data Subject that fully or partially lacks legal capacity shall act in the best interests of the Data Subject and for this purpose, they have the following options:
Implementing Regulation of PDPL Article 13 (1) (a)
Rights on Behalf:
Exercise the rights granted to the Data Subject under the Law and this Regulation.
Implementing Regulation of PDPL Article 13 (1) (b)
Consent on Behalf:
Consent to the Processing of the Data Subject’s Personal Data in accordance with the provisions of the Law and this Regulation.
Implementing Regulation of PDPL Article 13 (2)
Verify Legal Guardianship:
In addition to what is stipulated in paragraph (1) of Article 11 of this Regulations, in case of Processing Personal Data of a Data Subject that fully or partially lacks legal capacity, obtaining the consent of the legal guardian is conditional upon taking appropriate measures to verify validity of guardianship over the Data Subject.
When obtaining the consent from the legal guardian of a Data Subject that fully or partially lacks legal capacity, the Controller shall comply with the following provisions:
Implementing Regulation of PDPL Article 13 (3) (a)
No Harm Obligation:
It shall not cause any harm to the interests of the Data Subject.
Implementing Regulation of PDPL Article 13 (3) (b)
Rights Upon Capacity
It shall enable the Data Subject to exercise their rights as provided in the Law and this Regulation when they reach legal capacity.
Explanation of Implementing Regulation of PDPL Article 13
Guardian may exercise rights:
Implementing Regulation of PDPL Article 13 (1) (a) says, legal guardians can act on behalf of the data subject regarding their data protection rights.
Guardian may provide consent:
Implementing Regulation of PDPL Article 13 (1) (b) says, they can also consent to personal data processing, following legal conditions.
Valid guardianship must be confirmed:
Implementing Regulation of PDPL Article 13 (2) says, controllers must verify that the individual is indeed a legal guardian before accepting consent.
Guardian’s actions must not harm the data subject:
Implementing Regulation of PDPL Article 13 (3) (a) says, any consent or decision by the guardian must not negatively affect the data subject.
Rights must pass to data subject at legal maturity:
Implementing Regulation of PDPL Article 13 (3) (b) says, when the data subject gains legal capacity, they must be allowed to exercise their own rights.
