Exemption from Article 15 of the GDPR: child abuse data
- This paragraph applies where a request for child abuse data is made in exercise of a power conferred by an enactment or rule of law and—
- the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject, or
- the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.
- Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third-country transfers) do not apply to child abuse data to the extent that the application of that provision would not be in the best interests of the data subject.
- “Child abuse data” is personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse.
- For this purpose, “child abuse” includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18.
- This paragraph does not apply in relation to Scotland.