
UK GDPR + riding lessons for minors: the consent rules in plain English

What you actually need to record, who must consent, and how long you keep what. UK-specific GDPR for yards offering children's lessons.

UK GDPR (the post-Brexit version of EU GDPR) and the Data Protection Act 2018 apply to every yard that records personal data — which is every yard. With minors, the rules are stricter. Here’s the practical version.

In the UK, the digital age of consent is 13 (lower than the EU’s 16), and it applies to “information society services”. For everything else (registration, contracts), anyone under 18 needs parental consent for legal acts.

For riding lessons:

  • Under 13: parental consent for any data processing
  • 13-17: child can consent to digital services, but contracts and bookings need parental signature
  • 18+: the rider consents for themselves

What you need from parents (under 18)

At registration

  • Parental consent for collecting child data (name, DOB, contact, medical, photos)
  • Emergency contact (separate from parents)
  • Medical conditions / allergies / medications
  • Photo permission (separate yes/no for: yard website, social media, marketing)
  • Acknowledgement of risk (riding is inherently risky)

Ongoing

  • Update on medical changes
  • Re-consent annually (best practice, not strictly required)
  • Right to withdraw consent at any time
  • Information needed to fulfil the lesson contract (name, level, attendance)
  • Health & safety records (incident logs)
  • Legitimate interest items (e.g., recording who rode which horse on which day)

Storage rules

  • Active customer data: as long as the contract is alive
  • Financial records: 6 years (HMRC requirement)
  • Incident records: 6 years minimum (insurance)
  • Photos / videos: until consent withdrawn or commercial purpose ends
  • Marketing data: until unsubscribe

Common mistakes

Not really. Consent must be specific, informed, freely given, and recorded. WhatsApp messages can be evidence, but a signed digital form is much safer.

Photos used “internally only” then drift to Instagram

If parents consented to “yard records only”, you can’t repost without re-consenting.

Keeping everything forever

Excessive retention is a GDPR breach. After 6 years, archive what’s needed for tax, delete the rest.

If you forward a child’s photo + name to a vet for “look at this lameness” — fine for clinical purposes, but not OK for general WhatsApp sharing among horse-y friends.

What good systems do

  • Digital consent forms with timestamps and IP logging
  • Granular permissions (yard / social / marketing separately)
  • Auto-deletion of data after retention periods
  • Subject access request (SAR) reports in 1 click
  • Audit log of who accessed what

How Hovera handles this

UK GDPR-by-design:

  • Hosting in the UK (Aldermaston) and EU (Frankfurt)
  • Granular consent for minors with parental signature
  • Automatic data retention scheduling
  • SAR export in PDF
  • Right-to-erasure executable in 2 clicks
  • Audit log of all data access

Request a UK GDPR review — we’ll check your current setup against best practice.