Abstract

The rights outlined in Chapter III of the GDPR enable individuals to exercise control over the purposes and use of personal data by controllers. Children are in a unique position under the regulation and are classified as vulnerable data subjects. As children’s cognitive abilities develop, their role in managing their data changes. However, the GDPR does not provide for any mechanism to determine the limits of the autonomy of children as data subjects. The article aims to explore the limits of children’s autonomy as data subjects under the GDPR and the need for introducing such mechanisms in the European data protection model which would guarantee children’s right to express their opinion when exercising their rights as data subjects.