Special categories & people

Children’s personal information: section 34 and its gateways

Processing a child’s information is prohibited unless a section 35 gateway applies — school admin is fine; selling learner lists is not.

Published Last reviewed 7 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
Section 34 prohibits processing the personal information of a child — a person under 18 not legally competent to act without assistance — unless a section 35 gateway applies: prior consent of a competent person (typically a parent), processing necessary to establish, exercise or defend a right or obligation in law, international public law, historical/statistical/research purposes, or information deliberately made public by the child with a competent person’s consent. Ordinary school administration fits the gateways; marketing-type uses genuinely need parental consent.

On this page

The prohibition — and the section 35 gateways

Children get the same inverted structure as special personal information: section 34 prohibits processing a child’s personal information, subject to section 35(1)’s gateways:

The gateways — what the Act allows

...prior consent of a competent person; processing “necessary for the establishment, exercise or defence of a right or obligation in law”; compliance with an obligation of international public law; historical, statistical or research purposes; or information “deliberately been made public by the child with the consent of a competent person”.

Protection of Personal Information Act 4 of 2013, s 35(1) (summary of gateways)Read it on Dept of JusticePDF

The structure matters for the same reason it matters everywhere in POPIA: consent is a gateway, not the gateway. A school does not run on parental consent forms — it runs on the statutory framework of schooling. The consent forms belong where the gateways run out.

Who is a competent person?

A “child” is a person under 18 who is not legally competent to act without assistance, and a “competent person” is anyone legally competent to consent on the child’s behalf — typically a parent or guardian (s 1). Practical consequences: the 16-year-old’s own signature does not open the consent gateway; divorced parents’ consent disputes are family-law questions the school should not adjudicate by email; and platforms aimed at minors need consent architecture built around the parent, not the user.

Schools: what needs consent — and what never did

School scenarios under POPIA sections 34 and 35
ScenarioPositionWhy
Enrolment records, attendance registers, academic reportsLawful without parental consentSchools act under legal obligations and the establishment/exercise of rights — the statutory schooling framework is the gateway.
Emergency contact and medical-needs informationLawfulProtecting the child’s vital interests and exercising the school’s duty of care.
Class photo in the school prospectus or on social mediaNeeds a competent person’s consentMarketing/publication serves no legal right or obligation — this is the genuine consent territory.
Selling or giving the learner database to a tutoring companyNot lawfulNo gateway covers it; commercial exploitation of children’s data is what section 34 exists to stop.

The pattern generalises beyond schools: administration within the legal framework the child is enrolled in runs on the gateways; publication, promotion and commercial exploitation of children’s information is where the competent person’s consent is genuinely required — and where the Regulator’s sympathy, in any complaint, will sit entirely with the child.

Frequently asked questions

Who counts as a child under POPIA?

A natural person under 18 who is not legally competent, without the assistance of a competent person, to take any action or decision on a matter concerning themselves (s 1).

Who is a "competent person"?

Any person legally competent to consent to action or decisions concerning the child — typically a parent or legal guardian.

Do sports clubs and youth groups need parental consent for member records?

Membership administration the parent signed the child up for rests on the rights-and-obligations gateway and the parent’s enrolment consent. Photos for promotion, marketing lists and public results with names go beyond it — that is consent territory.

Can teenagers consent for themselves online?

Under POPIA the line is legal competence, not a fixed digital-consent age like the GDPR’s 13–16 bands. Under-18s generally need a competent person’s consent where consent is the gateway relied on.

Does children’s information affect using offshore platforms?

Yes — transferring children’s information to a country without adequate protection triggers prior authorisation from the Regulator (s 57(1)(d)). Schools and ed-tech providers should check before adopting offshore systems.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Special categories & people

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub