arrow_back All policies

Children’s Data Policy

Our approach to processing the personal data of junior athletes and other children.

Version 1.0 · 5 May 2026 · Adopted 19 May 2026

1. Why this policy exists

Tenpin Ireland is the National Governing Body for tenpin bowling on the Island of Ireland and runs a junior programme involving athletes under the age of 18. Children’s personal data is given specific protection under the GDPR, the Data Protection Act 2018, and the Data Protection Commission’s guidance ‘Fundamentals for a Child-Oriented Approach to Data Processing’.

This policy sets out how we apply that protection in practice. It sits alongside our main Privacy Policy and our safeguarding policies. Where this policy is more protective than the general Privacy Policy in respect of children, this policy takes precedence.

2. Definitions

  • Child / minor / junior: for the purposes of this policy and Section 29 of the Data Protection Act 2018, a person under the age of 18.
  • Age of digital consent: 16 years, as set under Section 31 of the Data Protection Act 2018.
  • Parent: a person with parental responsibility for the child, including legal guardians.
  • Identifiable data: personal data from which an individual child can be identified, directly or indirectly, including name + club + age combinations and photographs.

3. The 14 Fundamentals

Tenpin Ireland’s approach to children’s data is built on the Data Protection Commission’s 14 Fundamentals for a Child-Oriented Approach to Data Processing. We adopt them in summary as follows.

FundamentalHow we apply it
1. Floor of protectionWe treat the protection of children’s personal data as a floor below which we will not go, regardless of any consent given by the child or their parent.
2. Best interests of the childWhere children’s personal data is involved, the best interests of the child are a primary consideration.
3. Know your audienceWe know which of our services and activities are directed at, or accessed by, children and design those services accordingly.
4. Information in clear languagePrivacy information directed at children is written in plain, age-appropriate language.
5. Let children exercise their rightsChildren are data subjects in their own right and can exercise their rights under the GDPR. We make this practical for them.
6. Consent rulesWhere we rely on consent, we follow the rules on the age of digital consent (16 in Ireland) and obtain parental consent where required.
7. No marketing or profiling of childrenWe do not process children’s personal data for direct marketing, profiling, or micro-targeting (Section 30 DPA 2018).
8. Data minimisation matters more for childrenWe collect the minimum personal data needed and we apply data protection by design and by default.
9. Parents of children up to 18We facilitate parents and guardians in supporting children’s rights up to age 18, in line with the DPC’s Fundamentals.
10. Specific responsibilities for the controllerThese responsibilities apply to Tenpin Ireland as the data controller, regardless of the role of any third parties.
11. Mechanism for parental consentWe have a clear mechanism for obtaining parental consent where required, set out in this policy.
12. Use of digital toolsWhere digital tools are used in coaching, performance analysis, or competition, we assess the implications for children’s data before they are deployed.
13. Protect children from risksWe design our processing so that, taken together, it does not create undue risks to children.
14. Embed protection in everyday operationsChildren’s data protection is part of how we run the sport, not a stand-alone exercise.

4. Legal bases for processing children’s data

We rely on the following legal bases under Article 6 GDPR when processing children’s personal data:

  • Contract (Article 6(1)(b)) — to administer the membership and competition entries that the child (or their parent on their behalf) has entered into.
  • Legal obligation (Article 6(1)(c)) — to meet our obligations under the National Vetting Bureau (Children and Vulnerable Persons) Acts 2012–2016, Children First, and other applicable legislation.
  • Legitimate interests (Article 6(1)(f)) — used narrowly, only where the legitimate interest is not overridden by the interests, rights and freedoms of the child. Following DPC guidance, we apply this test conservatively for children.
  • Consent (Article 6(1)(a)) — with parental consent where the child is under 16 and the processing is based on consent.

Where we process special category data about a child (for example health data to support a reasonable accommodation), we also identify a specific basis under Article 9 GDPR — normally explicit consent.

5. Who consents — child or parent

ActivityWho consents / authorises
Adult (18+) member registrationMember
Adult competition entries and resultsMember
Junior (under-18) member registrationParent or guardian
Junior competition entryParent or guardian (the child is informed in age-appropriate language)
Photographs and video at events of identifiable juniorsParent or guardian (specific consent, separate from membership)
Inclusion of identifiable junior data in published resultsSee Section 7 of this policy
Marketing communications to juniorsNot permitted under Section 30 DPA 2018

Where parental consent is required, we obtain it from a person with parental responsibility for the child, using a clear and specific consent form (see our Parental Consent Form).

We make reasonable efforts to verify that the person giving consent is in fact a person with parental responsibility for the child. The level of verification is proportionate to the risks of the processing.

6. Privacy information for children

Children whose personal data we process are entitled to be told what we do with that data, in clear and plain language. Our Privacy Policy in Plain English — a short, child-friendly summary of this policy and our main Privacy Policy — is published on our website and included in our junior membership pack. Both link to the full Privacy Policy and Children’s Data Policy for parents.

7. Publication of junior competition results

The previous Privacy Policy retained competition results indefinitely. For junior bowlers, indefinite online publication of identifiable results is not consistent with the principles of storage limitation and data minimisation, particularly given the international transfers involved and the long lifetime of online content.

We therefore apply the following rules to identifiable junior results:

  1. Identifiable junior results published on our website are made available for the current and previous season only.
  2. Earlier identifiable junior results are removed from public publication on the website.
  3. Tenpin Ireland may retain a record of junior competition results internally for the purposes of the historical record of the sport, with personal identifiers reduced (for example to first name and last initial) or anonymised.
  4. On reaching the end of the season in which a junior turns 18, all remaining identifiable junior content is reviewed and either reduced to a non-identifiable form or, where retention is justified for an adult bowler’s ongoing record, transferred to that adult record on the basis applicable to adults.
  5. A junior bowler or their parent may at any time ask us to remove identifiable junior content. We will do so unless retention is required by law.

8. Photographs, video and live streaming

We treat photographs and video of identifiable juniors as a higher-risk processing activity. Where Tenpin Ireland or its agents take or commission photography or video at events:

  • We obtain specific parental consent in advance, separate from general membership consent.
  • Junior bowlers are told, in age-appropriate language, what is being recorded and why.
  • We do not publish identifying information (full name + club + age) alongside images of juniors.
  • Parents and juniors can withdraw consent at any time. We act on those requests promptly.
  • Live streaming of events involving juniors is reviewed in advance and parents are informed.

9. Retention of children’s data

CategoryRetention
Junior membership and contact dataWhile the member is registered and for 1 year after their last active season as a junior; thereafter held only if the member transitions to senior membership
Junior competition entriesDeleted 1 year after the event
Junior competition results in identifiable form (online)Removed from public publication on the website by the end of the season in which the bowler turned 18, or earlier on request
Junior competition results retained for the historical recordMay be retained internally with personal identifiers reduced to first name and last initial, or anonymised, after the periods above
Photographs and video of identifiable juniorsRemoved from public channels on request, and in any event by the end of the season in which the bowler turned 18, unless fresh consent is given as an adult
Safeguarding and child protection recordsRetained as required by law and by Sport Ireland safeguarding guidance; access is strictly controlled
Vetting data relating to those working with children5 years after the vetting application or as governed by legislation

10. Sharing children’s data internationally

Where Tenpin Ireland shares junior data with international federations (for example to enter Irish juniors in international events organised by the International Bowling Federation or the European Bowling Federation), we share the minimum necessary, identify an appropriate transfer mechanism under Chapter V GDPR, and inform parents through this policy and through specific event entry information.

11. Children exercising their rights

Children are data subjects in their own right under the GDPR and may exercise their rights at any age, provided they have the capacity to do so. In practice, for younger juniors we expect rights to be exercised by a parent on their behalf; for older juniors who can understand the nature and consequences of their request, we will engage with the child directly while keeping the parent appropriately informed where this is in the child’s best interests.

12. Marketing, profiling and micro-targeting

Tenpin Ireland does not process children’s personal data for the purposes of direct marketing, profiling or micro-targeting. This is consistent with Section 30 of the Data Protection Act 2018, which makes such processing a criminal offence in Ireland.

Operational communications about events, training, and team selection are not marketing for these purposes; they are necessary for the administration of the sport and rely on contract or legitimate interests.

13. Use of digital and performance-monitoring tools

Where Tenpin Ireland or any of its officers or coaches propose to use digital tools (apps, wearables, video analysis platforms) to collect or analyse data about junior bowlers, the proposal is referred to the DPO before deployment. The DPO will consider whether a Data Protection Impact Assessment under Article 35 GDPR is required, in line with DPC guidance for the sports sector.

14. Data breaches involving children’s data

Breaches involving children’s data are likely to be regarded as higher-risk because of the vulnerability of the data subjects. They are managed under the Data Breach Response Procedure with the additional consideration that:

  • The 72-hour clock for DPC notification under Article 33 is treated as firm.
  • Direct notification to affected parents under Article 34 is the default position.
  • The Children’s Officer / Designated Liaison Person is involved alongside the DPO.

15. Roles and responsibilities

  • The Board is the data controller and is accountable for compliance with this policy.
  • The Data Protection Officer monitors compliance, advises the Board, and is the contact point for parents and juniors on data protection matters.
  • The Children’s Officer / Designated Liaison Person works with the DPO on matters where data protection and safeguarding overlap.
  • Coaches, officials, team managers, and volunteers apply this policy in their day-to-day handling of junior data.

16. Review

This policy is reviewed at least annually by the DPO and the Board, and whenever there is a material change to law, DPC guidance, or Tenpin Ireland’s processing of children’s data.

17. Adoption

This Children’s Data Policy was adopted by the Executive Board of Tenpin Ireland on 19 May 2026.