13.
(1) Subject to section 27 of the Act, where a person duly authorised by a data subject seeks to exercise the rights on their behalf, the data controller or data processor shall act in the best interests of the data subject.
(2) Where the data subject is a child, a data controller or data processor shall ensure that—
(a) a person exercising the right is appropriately identified;
(b) profiling of a child that is related to direct marketing is prohibited; and
(c) the parent or guardian is informed of the inherent risks in processing and the safeguards put in place.
(3) Where a data controller or a data processor is uncertain as to the existence of a relationship between the duly authorised person and the data subject, the data controller or data processor may restrict the request of exercising a right on behalf of the data subject until evidence to the contrary is adduced.