Children’s Data Policy
Our approach to processing the personal data of junior athletes and other children.
Version 1.0 · 5 May 2026 · Adopted 19 May 2026
1. Why this policy exists
Tenpin Ireland is the National Governing Body for tenpin bowling on the Island of Ireland and runs a junior programme involving athletes under the age of 18. Children’s personal data is given specific protection under the GDPR, the Data Protection Act 2018, and the Data Protection Commission’s guidance ‘Fundamentals for a Child-Oriented Approach to Data Processing’.
This policy sets out how we apply that protection in practice. It sits alongside our main Privacy Policy and our safeguarding policies. Where this policy is more protective than the general Privacy Policy in respect of children, this policy takes precedence.
2. Definitions
- Child / minor / junior: for the purposes of this policy and Section 29 of the Data Protection Act 2018, a person under the age of 18.
- Age of digital consent: 16 years, as set under Section 31 of the Data Protection Act 2018.
- Parent: a person with parental responsibility for the child, including legal guardians.
- Identifiable data: personal data from which an individual child can be identified, directly or indirectly, including name + club + age combinations and photographs.
3. The 14 Fundamentals
Tenpin Ireland’s approach to children’s data is built on the Data Protection Commission’s 14 Fundamentals for a Child-Oriented Approach to Data Processing. We adopt them in summary as follows.
| Fundamental | How we apply it |
|---|---|
| 1. Floor of protection | We treat the protection of children’s personal data as a floor below which we will not go, regardless of any consent given by the child or their parent. |
| 2. Best interests of the child | Where children’s personal data is involved, the best interests of the child are a primary consideration. |
| 3. Know your audience | We know which of our services and activities are directed at, or accessed by, children and design those services accordingly. |
| 4. Information in clear language | Privacy information directed at children is written in plain, age-appropriate language. |
| 5. Let children exercise their rights | Children are data subjects in their own right and can exercise their rights under the GDPR. We make this practical for them. |
| 6. Consent rules | Where we rely on consent, we follow the rules on the age of digital consent (16 in Ireland) and obtain parental consent where required. |
| 7. No marketing or profiling of children | We do not process children’s personal data for direct marketing, profiling, or micro-targeting (Section 30 DPA 2018). |
| 8. Data minimisation matters more for children | We collect the minimum personal data needed and we apply data protection by design and by default. |
| 9. Parents of children up to 18 | We facilitate parents and guardians in supporting children’s rights up to age 18, in line with the DPC’s Fundamentals. |
| 10. Specific responsibilities for the controller | These responsibilities apply to Tenpin Ireland as the data controller, regardless of the role of any third parties. |
| 11. Mechanism for parental consent | We have a clear mechanism for obtaining parental consent where required, set out in this policy. |
| 12. Use of digital tools | Where digital tools are used in coaching, performance analysis, or competition, we assess the implications for children’s data before they are deployed. |
| 13. Protect children from risks | We design our processing so that, taken together, it does not create undue risks to children. |
| 14. Embed protection in everyday operations | Children’s data protection is part of how we run the sport, not a stand-alone exercise. |
4. Legal bases for processing children’s data
We rely on the following legal bases under Article 6 GDPR when processing children’s personal data:
- Contract (Article 6(1)(b)) — to administer the membership and competition entries that the child (or their parent on their behalf) has entered into.
- Legal obligation (Article 6(1)(c)) — to meet our obligations under the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012–2016, Children First, and other applicable legislation.
- Legitimate interests (Article 6(1)(f)) — used narrowly, only where the legitimate interest is not overridden by the interests, rights and freedoms of the child. Following DPC guidance, we apply this test conservatively for children.
- Consent (Article 6(1)(a)) — with parental consent where the child is under 16 and the processing is based on consent.
Where we process special category data about a child (for example health data to support a reasonable accommodation), we also identify a specific basis under Article 9 GDPR — normally explicit consent.
5. Who consents — child or parent
| Activity | Who consents / authorises |
|---|---|
| Adult (18+) member registration | Member |
| Adult competition entries and results | Member |
| Junior (under-18) member registration | Parent or guardian |
| Junior competition entry | Parent or guardian (the child is informed in age-appropriate language) |
| Photographs and video at events of identifiable juniors | Parent or guardian (specific consent, separate from membership) |
| Inclusion of identifiable junior data in published results | See Section 7 of this policy |
| Marketing communications to juniors | Not permitted under Section 30 DPA 2018 |
Where parental consent is required, we obtain it from a person with parental responsibility for the child, using a clear and specific consent form (see our Parental Consent Form).
We make reasonable efforts to verify that the person giving consent is in fact a person with parental responsibility for the child. The level of verification is proportionate to the risks of the processing.
6. Privacy information for children
Children whose personal data we process are entitled to be told what we do with that data, in clear and plain language. Our Privacy Policy in Plain English — a short, child-friendly summary of this policy and our main Privacy Policy — is published on our website and included in our junior membership pack. Both link to the full Privacy Policy and Children’s Data Policy for parents.
7. Publication of junior competition results
The previous Privacy Policy retained competition results indefinitely. For junior bowlers, indefinite online publication of identifiable results is not consistent with the principles of storage limitation and data minimisation, particularly given the international transfers involved and the long lifetime of online content.
We therefore apply the following rules to identifiable junior results:
- Identifiable junior results published on our website are made available for the current and previous season only.
- Earlier identifiable junior results are removed from public publication on the website.
- Tenpin Ireland may retain a record of junior competition results internally for the purposes of the historical record of the sport, with personal identifiers reduced (for example to first name and last initial) or anonymised.
- On reaching the end of the season in which a junior turns 18, all remaining identifiable junior content is reviewed and either reduced to a non-identifiable form or, where retention is justified for an adult bowler’s ongoing record, transferred to that adult record on the basis applicable to adults.
- A junior bowler or their parent may at any time ask us to remove identifiable junior content. We will do so unless retention is required by law.
8. Photographs, video and live streaming
We treat photographs and video of identifiable juniors as a higher-risk processing activity. Where Tenpin Ireland or its agents take or commission photography or video at events:
- We obtain specific parental consent in advance, separate from general membership consent.
- Junior bowlers are told, in age-appropriate language, what is being recorded and why.
- We do not publish identifying information (full name + club + age) alongside images of juniors.
- Parents and juniors can withdraw consent at any time. We act on those requests promptly.
- Live streaming of events involving juniors is reviewed in advance and parents are informed.
9. Retention of children’s data
| Category | Retention |
|---|---|
| Junior membership and contact data | While the member is registered and for 1 year after their last active season as a junior; thereafter held only if the member transitions to senior membership |
| Junior competition entries | Deleted 1 year after the event |
| Junior competition results in identifiable form (online) | Removed from public publication on the website by the end of the season in which the bowler turned 18, or earlier on request |
| Junior competition results retained for the historical record | May be retained internally with personal identifiers reduced to first name and last initial, or anonymised, after the periods above |
| Photographs and video of identifiable juniors | Removed from public channels on request, and in any event by the end of the season in which the bowler turned 18, unless fresh consent is given as an adult |
| Safeguarding and child protection records | Retained as required by law and by Sport Ireland safeguarding guidance; access is strictly controlled |
| Vetting data relating to those working with children | 5 years after the vetting application or as governed by legislation |
10. Sharing children’s data internationally
Where Tenpin Ireland shares junior data with international federations (for example to enter Irish juniors in international events organised by the International Bowling Federation or the European Bowling Federation), we share the minimum necessary, identify an appropriate transfer mechanism under Chapter V GDPR, and inform parents through this policy and through specific event entry information.
11. Children exercising their rights
Children are data subjects in their own right under the GDPR and may exercise their rights at any age, provided they have the capacity to do so. In practice, for younger juniors we expect rights to be exercised by a parent on their behalf; for older juniors who can understand the nature and consequences of their request, we will engage with the child directly while keeping the parent appropriately informed where this is in the child’s best interests.
12. Marketing, profiling and micro-targeting
Tenpin Ireland does not process children’s personal data for the purposes of direct marketing, profiling or micro-targeting. This is consistent with Section 30 of the Data Protection Act 2018, which makes such processing a criminal offence in Ireland.
Operational communications about events, training, and team selection are not marketing for these purposes; they are necessary for the administration of the sport and rely on contract or legitimate interests.
13. Use of digital and performance-monitoring tools
Where Tenpin Ireland or any of its officers or coaches propose to use digital tools (apps, wearables, video analysis platforms) to collect or analyse data about junior bowlers, the proposal is referred to the DPO before deployment. The DPO will consider whether a Data Protection Impact Assessment under Article 35 GDPR is required, in line with DPC guidance for the sports sector.
14. Data breaches involving children’s data
Breaches involving children’s data are likely to be regarded as higher-risk because of the vulnerability of the data subjects. They are managed under the Data Breach Response Procedure with the additional consideration that:
- The 72-hour clock for DPC notification under Article 33 is treated as firm.
- Direct notification to affected parents under Article 34 is the default position.
- The Children’s Officer / Designated Liaison Person is involved alongside the DPO.
15. Roles and responsibilities
- The Board is the data controller and is accountable for compliance with this policy.
- The Data Protection Officer monitors compliance, advises the Board, and is the contact point for parents and juniors on data protection matters.
- The Children’s Officer / Designated Liaison Person works with the DPO on matters where data protection and safeguarding overlap.
- Coaches, officials, team managers, and volunteers apply this policy in their day-to-day handling of junior data.
16. Review
This policy is reviewed at least annually by the DPO and the Board, and whenever there is a material change to law, DPC guidance, or Tenpin Ireland’s processing of children’s data.
17. Adoption
This Children’s Data Policy was adopted by the Executive Board of Tenpin Ireland on 19 May 2026.