Answer
Your company/organisation can only process a child’s personal data on grounds of consent with the explicit consent of their parent or guardian up to a certain age. The age threshold for obtaining parental consent varies between 13 and 16 years, depending on the age established in each EU Member State. Check with your National Data Protection Authority.
A reasonable effort must be made, taking into consideration available technology, to verify that the consent given is truly in line with the law. That means that your company/organisation must implement age-verification measures (for example control questions, actions on the website).
The consent from the parent or guardian must be obtained if your organisation works on online social networking sites that provide free games to children or family insurance, for example.
If your organisation targets children, you must ensure that any information and communication addressed to a child is easily accessible and in clear and plain language that a child can easily understand.
Preventive or counselling services offered directly to a child don’t require parental authorisation since they are aimed at protecting the children’s best interests.