Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
Pursuant to the Act on the General Part of the Civil Code, all persons who are under 18 years of age are considered minors and have limited active legal capacity.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
No.
There is no direct incorporation of the UNCRC as a whole into Estonian domestic law. However, the Child Protection Act has been adopted in conformity with the UNCRC. Pursuant to the Act, ensuring the rights and well-being of children shall be done in accordance with the UNCRC’s principles.
Every child has the inherent right to life, survival, development, equal treatment without any discrimination; in all action concerning children, the best interests of the child shall be a primary consideration; every child has the right to independent opinion in all matters affecting the child and the right to express his or her views.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Ombudsman for Children was established on 19 March 2011 and is carried out by the Chancellor of Justice.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
The Ombudsman for Children fulfils the functions of protecting and promoting the rights of the child. Its competence extends only to investigations of complaints taken against public bodies such as kindergartens, schools, hospitals, ministries and other state institutions etc.
It accepts complaints from children or in cases where the child wishes to draw the attention to an issue in the Estonian child protection system. However, the Ombudsman for Children does not have competence as regards the investigation of such complaints against private entities.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data. If another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data.
Entirely separate to the requirement to collect parental consent under Article 8(1) is that a digital service provider (controller) may decide to seek parental permissions for a child to access different settings/ features/ functionalities etc. as part of the measures it implements under Articles 24 and 25 of the GDPR to ensure a high level of protection for child users.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Article 8(1) of the GDPR provides that the age of digital consent may be anywhere between 13 and 16 years of age, depending on what age the EU Member State in question has adopted. In Estonia, the Personal Data Protection Act states that if the child is under the age of 13 years, processing of personal data is permitted only in the case and to the extent for which consent has been given by the parent. Additionally, Article 8(1) of the GDPR applies.
According to the General Instructions of the Personal Data Processor issued by the Estonian Data Protection Inspectorate, if a child uses an online prevention or counselling service for minors (e.g. a childcare service), the prior consent of the parent is not required.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. While Article 8(2) of the GDPR does not set out an approved method for the collection of parental consent, it does require organisations to “make reasonable efforts” to verify such consent by a holder of parental responsibility over a child taking into account available technology. No such methods are expressly approved by law, regulation or legally binding regulator-issued guidelines in Estonia.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. Article 12(1) of the GDPR emphasises the particular importance of the requirement for clear and plain language when providing information to children and the Estonian Data Protection Inspectorate has noted that the child must understand that the message is directed to him. A child shall not lose the right to transparency in a situation where the parent has given consent to the processing of data.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
No.
In Estonia, only people over the age of 18 years (persons of full age) have full active legal capacity and thus have the right to exercise their rights without the involvement of their parents.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
No.
In Estonia, only people over the age of 18 years (persons of full age) have full active legal capacity and thus have the right to file complaints without the involvement of their parents.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
There are no national-specific laws in this regard but the Estonian Data Protection Inspectorate (DPI) has made some comments regarding the processing of children’s personal data.
a) processing specific types of children’s personal data;
N/A
b) carrying out specific processing activities involving children’s personal data; and/ or
Generally, a parent’s consent is required when publishing a child’s personal data in media. In the context of publishing camera recordings in media, the DPI has noted in its Guide for Using Cameras that, regardless of the parent's consent, the publisher of a child’s personal data should also assess whether the publication of the child's data is in line with the child's interests.
The Basic Schools and Upper Secondary Schools Act provides that schools may use image transmitting and recording surveillance equipment in the territory of the school for the purpose of preventing and responding to situations that threaten the security of students and school employees and protecting school assets and property. The DPI has noted in this regard that fights between students themselves do not qualify as a threat to the security of the students and thus using cameras for such purpose is prohibited (DPI’s Guide for Using Cameras).
c) using children’s personal data for specific purposes.
N/A
Additionally, see more information on the EU-level requirements here
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
In 2022, the Estonian Data Protection Inspectorate (DPI) made a decision regarding the publishing of photos of children on a social media platform. Namely, a high school had posted photos of their student on its page without the parent’s consent. Additionally, the school had uploaded the photos to a cloud-based file storage system and posted the link to it on the school’s webpage. The DPI ordered the school to blur the child’s face or delete the photos from both the social media platform (11 photos) and the cloud-based file storage system (2 photos). Additionally, the DPI warned the school of the DPI’s right to address a superior agency, person or body of the high school for the purpose of organising an official supervision or initiating disciplinary proceedings against an official, or appeal to the administrative court.
Are there specific rules concerning electronic direct marketing to children?
No.
Generally, direct marketing is regulated by the Electronic Communications Act. However, the Act does not mention specific rules related to the direct marketing to children, nor does it stipulate a minimum age for direct marketing to children. The Media Services Act provides that the media service provider and the video-sharing platform operator must not process personal data of children collected using technical solutions for the protection of children for commercial purposes, such as direct marketing, profile analysis or behavioural advertising.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here.
Are there specific rules concerning online contextual advertising to children?
Yes.
There are no national rules on contextual advertising to children. See more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
To date, there have not been any decisions issued by the Estonian Data Protection Inspectorate and which would specifically involve the processing of children’s personal data regarding direct marketing.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
Pursuant to the Act on the General Part of the Civil Code, persons who are over 18 years of age have contractual capacity to enter into an agreement, otherwise the agreement is void. However, there are exceptions to this rule.
Do consumer protection rules apply to children?
Yes.
The Consumer Protection Act (CPA) regulates the offering and sale, or marketing in any other manner, of goods or services to consumers by traders, as well as providing for the procedure for alternative dispute resolution between consumers and traders. Additionally, the Law of Obligations Act regulates the general principles of consumer and contract law.
The CPA provides consumers with a right to obtain information on the safety of goods and services offered as well as on aspects concerning protection of health, property and economic interests. Additionally, it prohibits the use of unfair and misleading commercial practices. Generally, the practice is deemed to be misleading if it contains false information or if presentation of factually correct information deceives or is likely to deceive the average consumer and as a result of it, the average consumer makes a transactional decision that the consumer would not have made otherwise.
Therefore, if advertisements are targeted toward children, or the provider is aware that children make up a substantial part of their user base, in order to comply with the Act’s provisions, the advertisements must be tailored by taking into account the inexperience of minors.
Additionally, see more information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
According to the Consumer Protection Act, a consumer practice is deemed to be aggressive and it is prohibited to use an advertisement which includes a direct exhortation to children to buy, or persuade their parents or other adults to buy, advertised goods or services.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
In Estonia, the following goods and services are restricted to certain ages:
- gambling
- alcohol, cigarettes, vaping; and
- pornography.
To the extent such goods and services are accessed online by children, such restrictions will generally also apply.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
There are no specific national requirements relating to online/ digital safety for children. See more information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
There are no specific national rules related to age verification. It is important that the online/digital service provider is able to prove the correct verification/assurance of a person’s age. Additionally, see more information on the EU-level requirements here.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
Estonia has transposed the Audiovisual Media Services Directive to the Media Services Act (MSA). The MSA provides that if the video sharing platform operator is aware of a programme, user-generated video or commercial communication that may impair the physical, mental or moral development of minors, the operator immediately must add a warning and symbol to the programme, video or commercial. Alternatively, the operator may opt for a solution that ensures that the program, video or commercial communication is received by means of personal identification codes or other appropriate technical solutions only in a manner that would not normally be accessible to a minor.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific requirements in this regard; see EU-level response here.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
There are no existing or upcoming requirements relevant to children’s use of digital services at national level. See more information on the upcoming EU-level requirements here.
Contributors
Kaupo Lepasepp
Sorainen
Mihkel Miidla
Sorainen
Oliver Kuusk
Sorainen
Stella Victoria Ojala
Sorainen
