GDPR and communication about minors: getting it right

What makes communication about minors different?

When communicating about minors, there are two layers of personal data:

• The child's own data (name, class, enrolment, performance, medical information, …)
• The data of the parent or guardian (name, email address, phone number, …)

In your email communication, you almost always work with the data of the parent or guardian as the recipient, but the reason you have that data is the child. This has implications for how you collect consent, how long you retain data, and what you are permitted to do with it.

Your choice of platform makes a difference

A GDPR-compliant approach doesn't start with your own processes alone — it also depends on the tools you use. Many well-known email marketing platforms store data on servers outside Europe, often in the United States. That creates a fundamental problem: the GDPR requires that the personal data of European citizens remains protected even outside the EU, but the legal basis for this has been uncertain and subject to change for years.

By choosing a platform with European data centres and an explicit GDPR-first approach, such as Flexmail, you avoid that uncertainty from the outset.

Whose consent do you need?

For communication directed at parents or guardians

If you send emails to parents about the organisation's activities, newsletters, or updates, you need their consent — or another lawful basis. That basis can be:

Consent (opt-in): the parent has actively indicated that they wish to receive emails. This is the most unambiguous basis and the recommended approach for newsletters and marketing communications.

Performance of a contract: for administrative and transactional communications — such as payment reminders, enrolment confirmations, or programme changes — you can rely on the agreement you have with the family. You do not need a separate opt-in for this, but limit the communication to what is strictly necessary.

When you also use the child's data

If you send emails using the child's personal data — such as name, class, performance, or attendance — stricter rules apply. Children under the age of 13 cannot give consent themselves: you always need the consent of a parent or guardian. For young people between 13 and 16, this varies by EU member state; in Belgium, the threshold is 13.

The unsubscribe pitfall: why separating mail streams is crucial

This is one of the most underestimated risks for organisations that send everything from a single list: a parent unsubscribes from the general newsletter, and subsequently stops receiving payment reminders, training updates, or other essential information about their child's membership.

Technically, it's correct: the person has unsubscribed. But it's not what they intended, and it's not what you want as an organisation either.

The solution is structural, not technical: separate your marketing communications from your transactional communications from the start. Transactional emails, such as payment reminders, enrolment confirmations, level changes, and training updates, are handled via the transactional email module in Flexmail and are independent of your subscriber list. An unsubscribe from your newsletter has no effect on them whatsoever.

Marketing emails — such as the newsletter, announcements of new courses, and promotional communications — are sent via your regular campaigns and depend on opt-in. If someone unsubscribes, that is their choice, and you respect it.


By keeping those two streams separate, you protect both the parent and yourself — and you comply with what the GDPR expects: that you use the right basis for the right type of communication.

How do you document consent?

Consent is only valid if it has been given freely, specifically, informedly, and unambiguously. That means:

• Freely: the parent can also refuse without this affecting the child's enrolment.
• Specifically: separate consent for separate purposes. Consent for a newsletter does not cover payment reminders, and vice versa.
• Informedly: the parent knows what they are consenting to, who processes the data, and for how long.
• Unambiguously: a pre-ticked checkbox does not count. The parent must actively give consent.

Keep records of your consents. In Flexmail, you track opt-ins via the sign-up form and the associated metadata. Should a question ever arise, you can demonstrate when someone signed up and for what purpose.

How long may you retain data?

There are no fixed statutory retention periods, but the rule of thumb is simple: do not retain data longer than necessary for the purpose for which it was collected.

In practice, this means:

• Data of active members or enrolled pupils: retain it for as long as the relationship is active.
• Data of former members or pupils: delete or anonymise it once the active relationship has ended, unless you have a legal obligation to retain it longer (such as accounting records).
• Data of interested parties who never enrolled: maximum one year after the last point of contact, then delete or ask for consent again.

What happens when someone unsubscribes?

When a member or pupil leaves the organisation, or when a subscriber unsubscribes:

• Delete or archive their data in Flexmail.
• Stop all marketing communications immediately.
• Transactional communications that cover ongoing obligations (e.g. an outstanding payment) may still be sent, but stop those as well once the matter is resolved.
• Inform the person about what will happen to their data after unsubscribing.

In Flexmail, unsubscribes are automatically recorded and processed. You can no longer reach unsubscribed contacts via campaigns. This is a built-in safeguard.

Transparency as a trust-building argument

This is also the most compelling case for a sound GDPR approach: organisations that handle personal data responsibly and say so openly build trust. Parents and members want to know what happens with their data — and if you explain this proactively, you're one step ahead.

A few simple ways to do this:

In your sign-up form: explain clearly what you use the data for, who has access to it, and how long you retain it. Not legal language — just plain text: "We use your email address to keep you informed about the club's activities and news. You can unsubscribe at any time."

In your emails: make sure every email contains a clear unsubscribe link and a link to your privacy policy. Flexmail automatically adds an unsubscribe link.

When things change: if you change how you process data — such as switching to a new platform, adding a new partner, or expanding your communications — actively inform your subscribers.

Practical checklist

Go through these points before your next campaign or enrolment period:

• Marketing communications and transactional communications are set up separately
• Separate opt-in for newsletters and marketing communications, distinct from administrative emails
• No pre-ticked checkboxes in your sign-up form
• Clear explanation in the form of what the data will be used for
• Consents documented and demonstrable in Flexmail
• Retention periods defined and communicated in your privacy policy
• Annual clean-up of inactive contacts planned
• Unsubscribe link present in every campaign email
• Procedure in place for unsubscribes or departing members

GDPR is not a brake — it's a foundation

Handling personal data correctly takes some effort up front. But the result is a healthy, reliable contact list — with people who genuinely want to hear what you have to say. And that is precisely the foundation of email marketing that works.

Want to know more about how to set up your communication structure in Flexmail? Read this blog: Email marketing for schools and associations: how to communicate smartly with parents, members, and students.

And for the practical steps of data import and transformation, read this blog: From member list to Flexmail: getting your data ready.