A single parent cannot submit an access request to a controller on behalf of a child where it shares custody with another parent

The Belgian DPA held that a father alone could not submit an access request to a controller on behalf of a child, where the mother shares parental authority.

We already knew that when parents are divorced and share custody an access request (or another request under the GDPR) must be made, or approved, by both parents. In this case it seems that — although I am going off on the machine translation of the decisions (my French is a bit rusty :sweat_smile:) — the parents are still together (albeit in the process of filing for divorce).

This essentially puts the obligation on the controller, where a request is on behalf of a child, to make sure - regardless of the existence of another guardian or parent - to check a) whether there’s another individual holding parental responsibility or not; and b) whether that individual authorizes it as well.

This will of course be a significant burden for controllers, which aren’t always aware of the legal situation concerning responsibility / guardianship of a child.


As a Belgian DPA, I may share some insight on that matter. As you said, the parents are in the process of a divorce, and in that regard, the DPA stated that because the access request concerned merged data about both parents and their child, access to these data will give a benefit to one of the parents and will infringe on the rights of the second, and in particular the right to confidentiality of their data.

The processor was aware of that situation, so he was in his right to deny the data request (but is guilty of a lot of other GDPR principles and articles). Fun fact: in Belgium, if the processor wasn’t aware of the divorce and child custody, and the parents didn’t specify that element, the processor could have accepted the data request.


Thanks for replying! That makes sense. I didn’t gather that there were conflicting interests.

GDPR requires that you identify the data subject before giving access, by extension of that you would have to verify that someone else (a parent) acting on behalf of the data subject (the child) is authorized to do so. Which arguably includes verifying, or at least asking if there’s another parent and if so, ask that parent’s permission as well?

By the way, I think you mean ‘controller’ instead of ‘processor’, because processors aren’t supposed to respond to access requests, merely pass them on to the data controller.

Yes, I meant controller, sorry. I was lost in my translating. x)

Well, in Belgium, and more specifically in the education system, it’s commonly considered that each parent has full parental authority on his own, and the controller can’t ask about a court decision regarding child custody. If there is a conflicting matter, it’s the responsibility of the parental authority to ensure that the controller is aware of that information and to proceed according to the decision of the court.
