What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The age of majority is set out in Article 388 of the old Civil Code. In principle, a person who is less than 18 years old is considered incapable by law (Art. 5.41 new Civil Code) and they must be represented by a parent.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
Some children’s rights included in the UNCRC have been directly implemented into the Belgian Constitution through Article 22bis, which guarantees respect for a child's physical, psychological or sexual integrity, the right to express their views on any matter that concerns them, and prioritization of their best interests in decisions affecting them.
In addition, according to caselaw, some - but not all - provisions of the UNCRC have direct effect in Belgian law and can be directly invoked by individuals before a Belgian judge.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
Given the federal nature of the Belgian state, there are several ombudspersons/commissioners for children in Belgium:
- For the French-speaking community: the Délégué général aux droits de l’enfant (General Delegate for Children's Rights) established by the decree of 20 June 2002;
- For the Flemish community: the Kinderrechtencommissariaat (Children's Rights Commissioner) established by the decree of 15 July 1997; and
- For the German-speaking community: while there is no ombudsperson dedicated to children’s issues, the Ombudsfrau der Deutschsprachigen Gemeinschaft may also be incidentally competent for children’s issues, insofar as they relate to public authorities or facilities performing public services in the German-speaking community (e.g. schools).
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
The ombudspersons in the French-speaking and Flemish communities have a general responsibility to supervise and protect children's rights, but there is no explicit textual mandate assigning them competence over children's rights in the digital world against private entities. However, in practice, they address these issues by issuing publications on children's rights in digital spaces and processing complaints.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
There are no national-specific laws in this regard; the GDPR applies in this context. The requirement to collect parental consent under the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data (i.e. if another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data).
In principle, each parent has the right to exercise parental authority independently (Article 373 of the old Civil Code). This means that, unless a legal exception applies, the consent of only one parent suffices to obtain parental consent to process a child’s personal data, where such consent is required.
In any case, when relying on consent as the legal basis, the controller also needs to collect the child’s consent if they have “capacity for discernment” (i.e. intellectual maturity to decide on matters pertaining to them, which is assessed on a case-by-case basis but often considered acquired between 13 and 16 years old, see Decision 62/2022 of the Belgian DPA).
By derogation, even when relying on consent as a legal basis, parental consent is not required in relation to information society services processing activities where the child is at least 13 years old (see question 5).
Entirely separate to the requirement to collect parental consent under Article 8(1) GDPR is that a digital service provider (controller) may decide to seek parental permissions for a child to access different settings/ features/ functionalities etc. as part of the measures it implements under Articles 24 and 25 of the GDPR to ensure a high level of protection for child users.
See more information on the GDPR-level requirements here.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Pursuant to Article 7 of the Data Protection Act of 30 July 2018 (which implements Article 8(1) of the GDPR), the age of digital consent in relation to information society services in Belgium is 13 years of age.
For any other processing of a minor’s personal data, minors cannot consent to the processing of personal data on their own, though their own consent may also be required if they are deemed to have “capacity for discernment” (i.e. intellectual maturity to decide on matters pertaining to them, which is assessed on a case-by-case basis but often considered acquired between 13 and 16 years old).
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here.
Article 8(2) of the GDPR does not set out an approved method for the collection of parental consent; however, it does require organisations to “make reasonable efforts” to verify such consent by a holder of parental responsibility over a child taking into account available technology. The age verification should not result in excessive additional data processing. No specific method has been endorsed by the Belgian Data Protection Authority (the “BDPA”).
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard; the GDPR applies in this context.
Article 12(1) of the GDPR emphasises the particular importance of the requirement for clear and plain language when providing information to children. This information must be concise, transparent, intelligible and easily accessible. The vocabulary, tone and style of the language used should be tailored for the age group of the audience.
The Belgian Data Protection Authority has previously sanctioned entities for failing to comply with the requirement to provide understandable and appropriately adapted information to children (Decision 31/2020).
See more information on the GDPR-level requirements here.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
There are no national-specific laws which specify the age at which children have the legal right to exercise their data subject rights under the GDPR.
Although no clear guidance is available on the topic, it is assumed that children’s right to exercise their data subject rights mirrors their ability to consent to the processing of their personal data (see further information here and here). As a result, children of at least 13 years old would only be able to exercise their data subject rights independently in relation to processing activities under article 8(1) GDPR related to information society services.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Unclear, likely not.
In principle, judicial proceedings can only be initiated by parents of minors (unless the minor is emancipated). While the proceedings before the Belgian Data Protection Authority are not judicial in nature, it is generally accepted that several provisions of the Judicial Code apply to its procedure, including those related to the interest to act.
In the absence of contradicting case law on this topic, it is likely that children could not make complaints on their own behalf directly to the Belgian DPA – though it is possible that, after attempting to complain, the Belgian DPA would respond requiring the children to demonstrate parental involvement in the complaint.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
Belgian and EU laws set specific rules for processing children's data:
a) processing specific types of children’s personal data;
The processing of children’s images (e.g. through photos or videos) may be subject to specific requirements under Article XI.174 of the Code of Economic Law. This provision establishes that, subject to certain exceptions (e.g. as a celebrity or where the image merely depicts a crowd), any image of a person cannot be reproduced or communicated to the public without the consent of the person depicted. As a result, to ensure respect for this right, specific consent must be obtained for:
- Taking the photo or video; and
- Each specific purpose for which the image will be used or published (e.g., consent for publication on a website).
In the case of a minor, parental or guardian consent is required. If the minor has “capacity for discernment”, they must also provide their consent in addition to the parent’s consent.
b) carrying out specific processing activities involving children’s personal data; and/ or
There are no national-specific requirements on this matter. However, as a general rule, greater caution is required with the highest standard of protection in all aspects of data processing activities (data transfers etc.).
For example, the processing of children’s data heightens the likelihood of needing to conduct a Data Protection Impact Assessment (DPIA), because processing of children’s data is deemed a risk criterion under the WP29 Guidelines on DPIAs.
This is without prejudice to activities related to children which are illegal by nature, such as the processing of Child Sexual Abuse Material (CSAM).
c) using children’s personal data for specific purposes.
There are no national-specific requirements on this subject.
However, Article 28.2 of the Digital Services Act (DSA) provides that, when an online platform provider is aware with reasonable certainty that a minor is using its platform, it must not display targeted advertisements based on profiling.
See more information on the GDPR-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
To date there have been the following decisions which have been issued by the Belgian DPA which specifically involve the processing of children’s personal data:
- Decision 33/2025: Following a complaint regarding errors in a child's follow-up plan and its processing via a digital school platform, the Belgian DPA conducted an investigation. The investigation revealed potential GDPR violations, including non-compliance with the data processing register, inadequate security measures potentially violating Article 5(1)(f), failure to account for the vulnerability of the data subjects, and a lack of an adequate incident register. The case was settled through an agreement between the parties under the supervision of the DPA.
- Decisions 31/2020 and 36/2021: In the context of a school well-being survey, satisfaction questionnaires were sent to minors without obtaining parental consent. In one case, a 12-year-old minor participated without their parents' consent, and no transparent information was provided to the child about the processing of their data. The DPA sanctioned this violation with a compliance order and an administrative fine of €2,000.
- Decision 62/2022: The DPA ruled against an organization for multiple data protection violations involving a minor. The case involved sending a group email where all recipients were visible and involved the processing and publishing images of a minor without parental consent. The complainant alleged that her son's photos were processed for external publication without her consent. Although the DPA found insufficient evidence to establish a child’s right to image violation in this specific case, the DPA also explicitly stated that if sufficient evidence had been provided, parental authorization would have been required and a violation would have been confirmed.
- Decision 110/2023: Following a publication by a school of a series of disciplinary reports and student surveys, the DPA identified multiple violations of the GDPR. The defendant was issued a compliance order, requiring them to meet their transparency obligations under the GDPR and ensure compliance with the responsibilities of the Data Protection Officer (DPO).
- Decision 165/2023: In the context of a school allocation system for minor students, where parents were required to input children's personal data, including sensitive data, into a registration system, the DPA identified multiple violations of the GDPR. The defendant was issued a reprimand, particularly for failing to meet their Data Protection Impact Assessment (DPIA) obligations.
- Decision 169/2023: The DPA ordered a church diocese to comply with a request from a baptized individual to have their record removed from the parish baptism register. The plaintiff was baptized as a child but filed his complaint over the refusal of his right to erasure as an adult. This decision is under appeal and the Belgian Appeals Court (Cour des marchés) referred a preliminary question to the CJEU, specifically asking whether an individual baptized as a minor, who wishes to distance themselves from the Church upon reaching adulthood, has the right to request the erasure of their data from the baptism register.
- Decision 86/2024: a mother filed a complaint against a school for failing to respect her right of access to her child’s personal data. The DPA issued a reprimand to the school for violating its transparency obligations and ordered the defendant to comply with the access request submitted by the complainant.
- Decision 171/2024: in the context of a security incident involving a data breach that exposed minors' personal data, including sensitive data, the complainant referred the matter to the DPA, alleging violations of the GDPR due to non-compliance with data security and incident notification obligations. The DPA, however, did not issue any sanctions, stating that the defendant could not be considered a data controller and therefore could not be held accountable for the GDPR violations.
The Belgian DPA has also opened an investigation into DeepSeek, which is ongoing. This arose on foot of the Belgian consumer association, Test-Achats, lodging a complaint with the Belgian DPA against DeepSeek for multiple privacy infringements, particularly concerning children’s data protection. The complaint focuses, in particular, on the absence of age verification, unclear profiling practices, and a lack of transparency on how minors’ data is handled.
In addition, the topic of protection of minors has been identified as a priority in the Belgian DPA’s 2025 management plan.
Are there specific rules concerning electronic direct marketing to children?
Yes.
The following general rules apply to direct marketing in Belgium: depending on the mode of communication (e.g. email, phone call or post), senders of direct marketing communications may rely either on consent of the recipient (where an opt-in requirement applies) or on their legitimate interest (where an opt-out or soft opt-in requirement is available) as legal basis under privacy laws.
As a principle, if a company’s products or services are exclusively for adults (e.g., management seminars or alcoholic beverages), they cannot market such products to minors – nor process any minors' personal data for this purpose.
Conversely, when products or services are aimed partially or entirely at minors, the Belgian Data Protection Authority (BDPA) confirms that both legal bases are available where the communication is sent to children (see BDPA’s Recommendation 01/2020 on direct marketing and also non-binding information on the BDPA’s website). However, the applicable criteria must be assessed differently:
- Legitimate interest: given the vulnerable target audience, the legitimate interest assessment is more likely to conclude that the data subject’s interests supersede the entity’s interest to conduct direct marketing activities.
- Consent: rules applicable to minors’ consent apply mutatis mutandis. If the minor’s consent is required, it must meet all GDPR requirements, i.e. “informed, specific, unambiguous, and freely given”. Amongst others, this entails that information obligations should be executed in a concise and transparent manner, using understandable wording for children and emphasizing that the child has the right to withdraw their consent at any time.
At a sectoral level, the Royal Decree of 12 December 2018 sets out obligations for paying services provided directly or indirectly via premium-rate numbers. The decree mandates that any advertisement for such services must include a warning stating that prior authorization from a person with parental authority is required for minors.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are no national-specific laws or requirements in this regard. See EU law requirements here.
Are there specific rules concerning online contextual advertising to children?
Yes.
There is no guidance available on contextual advertising specifically. However, in addition to products and services which cannot be advertised to any audience in Belgium (e.g. tobacco products), certain sector-specific restrictions apply regarding advertising to children:
- Gambling and online betting: advertising for gambling and online betting cannot target vulnerable groups, including minors (Royal Decree of 27 February 2023);
- Alcohol advertising: it is prohibited to target minors by addressing them directly or depicting minors consuming alcoholic beverages, including online. In addition, it is prohibited to advertise alcohol on social media platforms whose audience is at least 30% minors or which do not allow for age filtering (see the self-regulatory 2024 Convention on advertising and marketing of alcoholic beverages);
- Additional guidelines exist in self-regulatory codes, such as those for food advertising (New advertising Code for foodstuff) and cosmetics advertising.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The Jury d’Éthique Publicitaire (JEP), Belgium’s self-regulatory advertising body, oversees the fairness and appropriateness of advertising messages directed at the public. Several decisions have been issued concerning the protection of minors in advertising:
- A compliance order was issued for broadcasting a gambling advertisement on a video-sharing platform that targeted minors.
- The JEP issued a compliance order for displaying a minor holding a beer in a logo used in an alcohol advertisement.
- A compliance order was issued for running an alcohol advertisement on a social media platform that specifically targeted minors.
In addition, several organisations oversee advertisements disseminated via traditional audiovisual media (the Conseil supérieur de l’audiovisuel for the French-speaking media, the Vlaamse Regulator voor de Media for the Flemish community and the Medienrat for the German-speaking community).
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
In principle, a person who is less than 18 years old is considered incapable by law (Art. 5.41 new Civil Code and Art. 388 old Civil Code). They must be represented by a parent. However, Belgian courts have held that if the minor has capacity for discernment, acts entered into by the minor are deemed valid if they “relate to the usual day-to-day expenses inherent in contemporary society” and the act does not cause abnormal prejudice (“lésion”) to the minor (see e.g. Civ. Antwerpen, 9 June 2011, RW, 2013, 35, 1384).
It could be argued that the child’s agreement to use a digital service relates to the usual day-to-day expenses inherent in contemporary society and may be valid if the child has the capacity for discernment (i.e. intellectual maturity to decide on matters pertaining to them, which is assessed on a case-by-case basis but often considered acquired between 13 and 16 years old).
Do consumer protection rules apply to children?
Yes.
The Belgian Code of Economic Law (CEL) includes several provisions aimed at protecting consumers when entering into contracts (see Articles VI.37 et seq.). For instance, Article VI.45 states that consumers entering into distance contracts must receive clear and comprehensible information.
Although minors are not in principle capable of entering into contracts, they do so practically – which is admissible under Belgian law. As a result, protective measures under the CEL extend to minor consumers in Belgium – and some prohibited commercial practices specifically relate to minors.
Additionally, see more information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
The Belgian Code of Economic Law contains several relevant provisions for children:
- Misleading advertising is prohibited, which must be considered in the context of the ‘average consumer’ within the target group (incl. such persons “vulnerable due to their age”). If advertisements are targeted toward minors, they should be tailored bearing in mind the vulnerability of minors, including further distinguishing between categories of minors if necessary (Article VI.93 Code of Economic Law). Under certain circumstances, non-compliance with advertising codes of conduct may be considered a misleading – and thus prohibited – commercial practice;
- Directly inciting children to buy an advertised product or to convince their parents to buy the product is considered an unfair practice and thus prohibited, which may lead to a refund of the price paid by the consumer (Articles VI.103 and VI.38 Code of Economic Law).
The Belgian Civil Code also includes specific provisions for the protection of minors as consumers. In particular, Article 5.43 of the new Civil Code sanctions “lésion” (special prejudice) in contracts involving minors. Subject to certain exceptions, lésion refers to a situation where a contract is disproportionately unfavorable to a co-contractor, allowing them to seek its annulment under certain conditions.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
To the best of our knowledge, there has not yet been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
There is no general age-related restriction on access to online/digital services, provided parental consent is obtained where applicable.
However, children's access to certain websites is restricted, particularly those offering prohibited activities such as pornography, tobacco, alcohol-related services and gambling.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
There are no formal or statutory meanings ascribed to the terms “digital safety” and “online safety” in Belgium, and there are no specific national regulations on children's online/digital safety.
Nevertheless, the GDPR applies, requiring that data security measures be proportionate to the risk, particularly given children's vulnerability.
Additionally, see more information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
In its Recommendation 1/2020 on direct marketing, the Belgian Data Protection Authority considers that companies engaged in direct marketing activities targeting minors should carry out appropriate age verification checks to ensure that consent is validly granted. However, this requirement is not widely applied in practice.
See more information on the EU-level requirements here.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
To the best of our knowledge, there have not been any requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services.
Nevertheless, we note that parental controls may be an aspect of the measures by which a digital services provider complies with its data protection by design and default obligations and implements the higher level of protection which applies under the GDPR with regard to the processing of children’s personal data. See more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
In Belgium, the Belgian Institute for Postal and Telecommunications Services (the “BIPT”) was designated as the Digital Services Coordinator under the Digital Services Act (DSA) by the law of 21 April 2024 (effective only as of 9 January 2025). It is the competent authority for all federal matters, including the enforcement of the DSA's provisions related to children.
As of now, no public enforcement actions have been reported.
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
See EU-level response here. To the best of our knowledge, there are no other existing or upcoming requirements relevant to children and AI in Belgium.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
To the best of our knowledge, there has not been any other regulatory enforcement activity to date relevant to children’s use of digital services.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
The regional Wallonia-Brussels government has approved a draft decree banning the use of mobile phones and connected devices for recreational purposes in schools, effective from the 2025-2026 school year. This applies to pupils in all pre-schools, primary, and secondary schools. Exemptions will be made for students with disabilities or health conditions requiring communication devices. This initiative is also planned by the regional Flemish government.
Additionally, see more information on the upcoming EU-level requirements here.
Contributors

Maximilien Schilton
Paralegal, Belgium

