30/06/2026
The Catalan Data Protection Authority (APDCAT) has produced new information material aimed at summer camps and leisure organisations, to guide them when it comes to appropriately processing the personal data of children and families, coinciding with the summer season and the end of the school year.
The video reminds us that leisure education can include the collection and processing of personal data of children and families, and that children must be especially protected to avoid scares in the future. First of all, the camp must have a legal basis that allows the processing of the data, which could be the consent of the people. In this sense, up to the age of 14, it is the parents or legal guardians who should sign it on behalf of the child.
In addition, the camp must inform the child or parents or guardians of what it will do with the data, for how long it will be kept and the purpose pursued. This is known as the data protection information clause, which can be configured in several layers of links to be able to delve deeper into the information.
The aim is for people to be aware of what is done with their data and how they can exercise their rights (access this information, oppose the processing, request the deletion of data, etc.).
The video also highlights the need to be careful when sharing photographs or videos that clearly identify people, especially children who have special protection. It should be remembered that the image and voice are personal data. In this sense, it recommends pixelating faces, or using similar techniques, with the aim of avoiding their clear identification.
It should be borne in mind that everything shared on the internet or social networks is out of control, and can be reused by third parties, with irreparable consequences for the honor, privacy and integrity of the identifiable person. It can be exploited by cybercriminals, child pornography and cyberbullying.
Therefore, in addition to limiting the publication of this type of material with minors, the APDCAT recommends using restricted channels, avoiding live publication, and not sharing the location.
In addition, it recalls that entities must be proactive in safeguarding the information they collect and process. In this sense, it is necessary that they use technologies and systems appropriate to the risk, taking into account the type of data they process, the volume and the category, to protect themselves against possible cyberattacks or information leaks.
Last update: 02.07.2026