What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Danish Guardianship Act states that persons under the age of 18 are minors, meaning persons 18 years of age or above are adults. Furthermore, the Danish Act on Parental Responsibility states that children/young persons below the age of 18 are under their parents’ authority.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
No.
The UNCRC has not been incorporated into Danish law. Some of the UNCRC’s principles, however, have been incorporated into Danish law, such as through the Danish Children’s Act, which states that the Act’s purpose and intent is to keep the best interests of the child in mind when applying the Act. This interest is expressed in the UNCRC’s Article 3.
Furthermore, the Danish Act on Parental Responsibility, which regulates the responsibilities of the holder of parental authority (parent, guardian) towards the child, provides that the Act must be interpreted and applied with the child’s best interests in mind. This Act, too, reiterates the same interest as expressed in the UNCRC’s Article 3.
In summary, although the UNCRC has not been incorporated into Danish law, the UNCRC’s interests are present in Danish law.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Danish Ombudsman is responsible for overseeing the public administration and whether it applies public law and principles correctly. Moreover, the Danish Ombudsman Act, section 7(1) explicitly states that the Danish Ombudsman is responsible for overseeing children’s rights pursuant to applicable Danish law (and other relevant law where applicable). The competence of the Ombudsman’s work concerning children’s rights pursuant to Danish law extends to public authorities and private entities when private entities take care of tasks directly in relation to children. Pursuant to the Danish Ombudsman Act, the Ombudsman can initiate cases ex officio (i.e. by the Ombudsman itself) or on the basis of a complaint.
Anyone can lodge a complaint to the Danish Ombudsman as explicitly stated in section 13(1) of the Danish Ombudsman Act, and it is therefore not a requirement that the person lodging a complaint has a connection to the situation to which the complaint relates. When lodging a complaint it is, however, a requirement that the situation to which the complaint relates has been subject to a final decision from the relevant appeal authority (if the situation is one which can be appealed to an appeal authority) and the situation can be appealed no further.
Complaints must be submitted within one year after the incident to which the complaint relates has occurred.
The Danish Ombudsman is also responsible for upholding Denmark’s compliance with the obligations set forth in the UNCRC; although the UNCRC has not been incorporated into Danish law, Denmark is still obligated to comply with its provisions.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
Yes.
The Danish Ombudsman does not (by law) explicitly retain responsibility for upholding children’s rights in the digital world. However, the Danish Ombudsman is tasked with overseeing Denmark’s compliance with the UNCRC. Cases that infringe upon children’s rights in the digital world fall within the competence of the Danish Ombudsman – provided the digital infringement is a case that falls within the Danish Ombudsman’s scope, such as the infringement of the child’s rights. For example, if an orphanage routinely conducts unwarranted checks on an orphan’s phone for messages, notifications etc., this will fall within the Ombudsman’s purview.
The GDPR may also apply in such situations, meaning that there might be an overlap between the Ombudsman’s scope and the Danish Data Protection Agency’s (DP Agency) scope; the DP Agency supervises whether applicable data protection law (i.e. the GDPR and the Danish Data Protection Act) in Denmark is exercised correctly by entities subject thereto, and the Ombudsman is responsible for supervising children’s rights.
The two are not necessarily the same. For example, schools in Denmark are required to have a strategy for anti-bullying. If a school provides an online platform where the enlisted children can communicate, the DP Agency is the body with competence to assess whether the platform is compliant with applicable data protection law, while the Ombudsman would – either ex officio or on the basis of a complaint – assess whether the school’s anti-bullying policy and anti-bullying effort are sufficient.
Note, however, that the Ombudsman is somewhat reluctant to act if the assessment of a case requires certain and specific expertise, such as the specific limitations/applications of an online platform.
Certain infringements are also criminal. Criminal law, and therefore the police, will in certain cases also be involved.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data. If another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data.
Entirely separate to the requirement to collect parental consent under Article 8(1) is that a digital service provider (controller) may decide to seek parental permissions for a child to access different settings/ features/ functionalities etc. as part of the measures it implements under Articles 24 and 25 of the GDPR to ensure a high level of protection for child users.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
In Denmark, the Danish Data Protection Act (DP Act) supplements the GDPR. The DP Act had previously stated the age of digital consent in Denmark was 13 years of age. However, the DP Act was amended in early 2024 and the child must now be 15 years of age in order to legally consent to the processing. In practice, for processing activities other than those carried out by information society services, the consent of the holder of parental authority must be collected, taking into account the risks and categories of personal data collected, until the child is 18 years of age. This would be the case if special categories of personal data are collected.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. While Article 8(2) of the GDPR states that the data controller must make “reasonable efforts” to verify cases where the parent/guardian has consented to the processing of the child’s personal data, the Danish Data Protection Agency (i.e. the Danish Data Protection Authority) does not provide explicit guidelines for the practical execution of such efforts; instead its guidelines on Article 8(2) only repeat its text.
A part of the controller’s obligations pursuant to Article 8(2) GDPR is also, taking into consideration available technology, to ensure that sufficient safeguards are in place to validate the consent, including cases where the parent must consent to the processing. Therefore, the controller must implement technical measures to e.g. verify that it is actually the holder of parental responsibility who has consented to the processing.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. Article 12(1) of the GDPR explicitly states that the information which the child receives pursuant to Articles 13 and 14 of the GDPR must be delivered in clear and plain language so the child can understand the risks, consequences and safeguards in relation to the processing of their personal data.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
There are no national-specific laws which specify the age at which children have the legal right to exercise their data subject rights under the GDPR.
However, the Danish Data Protection Agency has, in its guidelines concerning the rights of the data subject, stated that parents/ guardians can exercise the right of access on behalf of their child, but children aged 15 and above can exercise this right themselves. Oftentimes, however, both the parent and the child can have lawful access to the personal data.
The guidelines do also state that giving children the right of access must be dependent on an assessment of the child’s maturity, and thus it cannot be excluded that some children will not be able to exercise their access rights without the involvement of the parents. This applies for children of all ages until the age of 18 as a rule and, while children aged 15 and up can typically exercise this right without any issues, this assessment might differ on a case-to-case basis (depending on the specific child).
Taking these guidelines as a whole into consideration, children can, as a rule, exercise their rights without the involvement of their parents/ guardians. However, in most cases, this will not exempt the parent(s)/ guardian(s) from exercising their right of access to the children’s data, unless the child’s interest in not granting the parent(s)/ guardian(s) access overrules the parent(s)’/ guardian(s)’ right of access.
Parents/ guardians can, however, be exempt from also exercising their right of access concerning their children. For example, if the parent(s)/ guardian(s) exercises their right of access in a register of legally induced abortions in which their child is listed, access would normally not be granted, unless the abortion was conducted with consent from the parent(s)/ guardian(s).
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
Children can on their own make complaints to the Danish Data Protection Agency (DP Agency).
The DP Agency administers a site for children which launched in April 2021 and which informs them of their rights pursuant to the GDPR (and the Danish Data Protection Act), including how to make complaints. The site can be found here (in Danish). The DP Agency has also launched other initiatives, such as a quiz called Datadysten (“The Data Challenge”) targeted at middle school grade children and up, which teaches them about the basic concepts of the GDPR and their rights in a learning-friendly format.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
There are no national-specific laws in this regard. However, guidelines and best practice do arise from decisions by the Danish Data Protection Agency (DP Agency), although these cases – in general – merely express and emphasise the general concept of children enjoying special protection under the GDPR. The DP Agency, as such, tends to employ a stricter approach concerning cases relating to children.
a) Processing specific types of children’s personal data
Disregarding processing related to criminal activities, there are no national-specific laws in this regard; see more information on the GDPR-level requirements here.
b) Carrying out specific processing activities involving children’s personal data
Some data processing activities necessitate the completion of a data protection impact assessment (“DPIA”) pursuant to Article 35 of the GDPR. This is the case if the data processing activities, due to, e.g., new technologies or the nature, scope, context and purposes of the processing activity, are likely to result in high risks to the rights and freedoms of the children. The DP Agency has made multiple decisions directed at a municipality (later municipalities) concerning such activities, described in the response to (c) below.
Other than data processing activities that are in themselves illegal, no other particular requirements/prohibitions apply as such – see more information on the GDPR-level requirements here.
c) Using children’s personal data for specific purposes
The DP Agency has stated in decisions targeted at a municipality (and later municipalities) that new technologies, including software, are an area of high risk for child data subjects, especially when used in a teaching environment. Recently, the “Chromebook Case” concerned a municipality’s use of Chromebooks and the included teaching applications, such as G suite, and the transmission of children’s data to Google, who would then process the children’s data for directed marketing and sales purposes.
The DP Agency found that the municipality, a public authority, could not transmit children’s data to processors in circumstances where those processors would process the children’s data for their own purposes (i.e. marketing, product development etc.).
The DP Agency further found that data processing activities enabling such purposes required a DPIA. In general, such activities and any other processing activities that are similar in nature will therefore require completion of a DPIA prior to engaging in the processing activity.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
Throughout its multiple findings in a case involving the use of a multinational technology company's products in schools, the DP Agency issued orders on risk analyses, DPIAs and prohibitions of certain processing activities, including using certain applications for teaching purposes (as these would enable a search engine to process the children’s data for their own purposes). Although this case is mostly relevant to Danish public authorities’ compliance with the GDPR, it emphasises general considerations to keep in mind when processing children’s data in particular.
Are there specific rules concerning electronic direct marketing to children?
Yes.
The Danish Marketing Practices Act (Marketing Practices Act) is neutral concerning whether the practices described in the law pertain to analogue or digital direct marketing. The rules concerning marketing practices therefore apply to electronic direct marketing.
In general, Section 3(2) of the Marketing Practices Act prescribes that where marketing practices are targeted at children, or where children are especially vulnerable/susceptible to the marketing practice in question, the marketing practice must be designed with respect for children’s natural susceptibility, lack of experience and judgement. This also applies to electronic direct marketing.
Furthermore, it is directly stated in Section 11(1) of the Marketing Practices Act that marketing practices directed at children must not directly or indirectly urge violence or other reckless behaviour or in any other way utilise violence, fear or superstition as a means of promoting/commercialising the product/service.
Section 11(2) further states that marketing practices directed at children must not contain mention, pictures or references to drugs, including alcohol, or other products not suited for children.
These rules also apply for electronic direct marketing.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are no national-specific laws in this regard. However, the Danish Data Protection Agency has in a decision stated that the use of spy pixels is a separate processing activity (separate from, e.g., sending newsletters). Spy pixels, as a rule, require the data subject’s consent pursuant to Article 6(1)(a) of the GDPR. If a controller wishes to use spy pixels in relation to children, then the rules for collecting the child’s consent in accordance with the GDPR apply. See more information on the EU-level requirements here.
Are there specific rules concerning online contextual advertising to children?
Yes.
No such rules apply in the Danish Marketing Practices Act. See more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
No official enforcement from the relevant authorities has taken place. However, the Danish Consumer Ombudsman, responsible for overseeing the relevant actors’ compliance with marketing laws, has in a number of cases spoken on the subject. While the Danish Consumer Ombudsman’s statements are not legally binding, organisations subject to the Consumer Ombudsman’s scope tend in practice to follow its statements.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
In Denmark, 18 is the age at which a person comes of age to enter into legally binding economic contracts. This applies regardless of whether the service is free or paid. However, children under 18 may be able to enter into such agreements with parental consent.
It must be noted that children under the age of 18 can enter into legally binding contracts under certain circumstances, including:
- When the child is of at least 15 years of age and the child uses economic resources that they themselves have earned.
- When the child (regardless of age) uses economic resources that they have received in gifts or inheritance.
Do consumer protection rules apply to children?
Yes.
Consumer protection rules apply to children when they purchase goods as consumers. With reference to the age at which children can legally enter into contracts, consumer protection rules also apply where children spend money that they have been gifted. It must be noted that Danish law concerning consumer protection pursuant to the Danish Purchasing Act is weighted towards the faulty nature of the product purchased rather than the capacity in which the consumer acts (i.e. whether they are an adult or a child) when assessing the faults of a particular product. However, the nature of the product will also influence whether a product is faulty. If, for example, a toy cannot be used by a child within the expected use cases of the toy, the product is as a rule faulty. In such a way, children have an influence on consumer protection.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
No, but the Danish Competition and Consumer Authority has launched an initiative called “Social Star” targeted at children, which teaches them how to navigate online marketing and commercialisation practices.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
For gambling services, the consumer must be 18 years pursuant to the Danish Gambling Act concerning online gambling sites.
No rules apply concerning online pornography; only physical pornography, i.e. magazines, where it is illegal to sell pornography to anyone under the age of 16.
For online sale of tobacco products, the consumer must be 18 years.
For online sale of alcohol products with an alcohol percentage above 1.2% the consumer must be 16 years.
For online sale of alcohol products with an alcohol percentage above 16.5%, the consumer must be 18 years.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
No specific requirements apply in Danish law. However, as mentioned throughout the Danish responses, a lot of applicable law has an indirect effect in terms of online and digital safety for children.
Additionally, see more information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
When a customer visits a website through which alcohol is sold, the online retailer must verify that the customer is indeed of age to purchase the product (see the response to this question for applicable ages). The consumer must make an active decision to confirm their age; simply reading standard terms stating “only persons of at least 18 years of age may purchase this product” is insufficient. This can be done by ticking a box stating “I am at least 18 years old” or by other opt-in means, as this reflects that the consumer has actively made a decision confirming their age.
As mentioned in the responses to the data protection section, depending on the digital service provided, the consent of the parent may be required, depending on the maturity of the child and other circumstances, such as the personal data being processed, i.e. special categories of personal data. For information society service providers, the consent rules apply where consent is relied upon as the legal basis for processing (until the age of 15).
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
No regulatory enforcement action has been conducted as of yet. Some authorities, including the Danish Agency for Digitalisation, have made guidelines for parents to educate their children in online safety. The Danish Agency for Digitalisation’s guide can be found here, and it includes general guidance concerning online games, social media etc.
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
Danish legislation currently provides very limited and sporadic regulation of AI beyond the ongoing implementation of the AI Act into Danish law. At this stage, no national-specific requirements apply in relation to children; see EU-level response here.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
No.
There are no national requirements in this regard. See more information on the upcoming EU-level requirements here.
Contributors

Markus Omø Kristensen
Denmark



