Hungary

Global Comparative Review

Children's rights

What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?

According to Act V of 2013 on the Civil Code the general age of adulthood is 18 years. However, upon conclusion of marriage, a minor shall obtain adult status, if the person has attained the age of 16, and the Hungarian Guardianship Authority gave permission for the marriage to be concluded.

Under 18 years of age:

  • those minors who are between 14 and 18 years of age have limited capacity to act. In principle, their legal statements are valid only if consent is provided by the parents. However, they may, without the necessity of consent provided by their parents, (i) make a declaration of personal nature, which they are entitled to make by law (e.g. take actions to defend their personal rights such as their right to protect their personal data), (ii) conclude contracts of small importance relating to the ordinary necessities of everyday life (e.g. grocery shopping) or which are for their sole benefit (e.g. accept customary gifts although parents may, with the permission of the Guardianship Authority, refuse such benefits), (iii) decide on how to use the income generated from their own work, and they may make a commitment up to such amount of income; (iv) make a gift at usual value.
  • those minors who are under 14 years of age are legally incapacitated, their legal statements are null and void and their parents act on behalf of them. The exception is contracts that are common in everyday life and do not require special consideration, i.e. such contracts are not void because of the legal incapacity of minors under 14 years of age.

Has the UNCRC been directly incorporated into national law in your jurisdiction?

Yes.

Hungary signed the UNCRC in 1990 and promulgated it by Act LXIV of 1991. In addition to the UNCRC, Hungary also ratified the first two Optional Protocols (Optional Protocols on the sale of children, child prostitution and child pornography and on the involvement of children in armed conflict).

Is there an ombudsperson/ commissioner for children in your jurisdiction?

No.

In Hungary, there is no separate commissioner/ombudsperson for children. However, Act CXI of 2011 on the Commissioner for Fundamental Rights emphasises that the Commissioner shall pay special attention to the protection of children’s rights.

If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?

N/A.

Data protection and privacy

Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?

No.

Parental consent only applies in this regard where (i) consent or (ii) performance of a contract which cannot be concluded without the consent of the parent are the legal bases relied upon for processing under Article 6(1) (a) or (b) of the GDPR.

In case of digital consent under Article 8 GDPR, parental consent applies only where consent is the legal basis for the personal data processing. (See more information on the GDPR-level requirements here.)

According to the case law of the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) (Decision No NAIH/2016/1770/V), if the parental responsibilities are exercised jointly by the parents, the consent may be given by any parent, and may be withdrawn by the other parent even if this parent is different from the one from whom the original consent was obtained. If the parental responsibilities are exercised solely by one parent based on the binding decision of the court or the Guardianship Authorities, the content of such decision shall prevail.

Entirely separate to the requirement to collect parental consent under Article 8(1) is that a digital service provider (controller) may decide to seek parental permissions for a child to access different settings/ features/ functionalities etc. as part of the measures it implements under Articles 24 and 25 GDPR to ensure a high level of protection for child users.

At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?

In case of digital consent (consent given in relation to information society services), Article 8(1) of the GDPR provides that the age may be anywhere between 13 and 16 years of age, depending on what age the EU Member State in question has adopted. In Hungary, this is 16 years of age.

In cases other than digital consent, the general legal capacity rules of Act V of 2013 on the Civil Code apply, according to which under 18 years of age:

  1. those minors who are between 14 and 18 years of age have limited capacity to act. In principle, their legal statements are valid only if consent is provided by the parents. However, they may, without the necessity of consent provided by their parents, (i) make a declaration of personal nature, which they are entitled to make by law (e.g. take actions to defend their personal rights such as their right to protect their personal data), (ii) conclude contracts of small importance relating to the ordinary necessities of everyday life (e.g. grocery shopping) or which are for their sole benefit (e.g. accept customary gifts although parents may, with the permission of the Hungarian Guardianship Authority, refuse such benefits), (iii) decide on how to use the income generated from their own work, and they may make a commitment up to such amount of income; (iv) make a gift at usual value.
  2. those minors who are under 14 years of age are legally incapacitated, their legal statements are null and void and their parents act on behalf of them. The exception is contracts that are common in everyday life and do not require special consideration, i.e. such contracts are not void because of the legal incapacity of minors under 14 years of age.

Consequently, if giving consent is connected to contracts of small importance relating to ordinary necessities of everyday life, we see it as possible for children to be able to legally consent to it; however, we are not aware of any court/authority case law in this area. We are aware that some digital providers rely on the limited capacity of minors between 14 and 16 years of age to gather consent.

Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?

Yes.

There are no national-specific laws in this regard; the GDPR applies in this context. Article 8(2) of the GDPR does not set out an approved method for the collection of parental consent; however, it does require organisations to “make reasonable efforts” to verify such consent by a holder of parental responsibility over a child taking into account available technology. See more information on the GDPR-level requirements here.

However, the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) decided in a case (NAIH/2020/593) concerning children’s access rights that the data controller must investigate whether the parent has the legal authority to act on behalf of the child. We see this case as applicable by analogy for the verification of parental consent.

Are there any particular information or transparency requirements concerning the processing of children’s personal data?

Yes.

There are no national-specific laws in this regard; the GDPR applies in this context.

Article 12(1) of the GDPR emphasises the particular importance of the requirement for clear and plain language when providing information to children. See more information on the GDPR-level requirements here.

Can children directly exercise their rights in relation to their personal data without the involvement of their parents?

Yes.

Pursuant to Act V of 2013 on the Civil Code, children with limited legal capacity may act independently to protect their personality rights, while in the case of children without legal capacity to act (i.e. under 14 years old), only their parent may act. Personality rights also include data protection so exercising rights in relation to their personal data may be done directly by children between the age of 14 and 18. The Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) narrows this interpretation only in the course of data processing falling under the scope of Article 8(1) GDPR (NAIH-68/2021).

Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?

Yes.

Pursuant to Act V of 2013 on the Civil Code (“Civil Code”), children with limited legal capacity may make legal statements of a personal nature to which they are entitled by law. The Civil Code entitles children with limited legal capacity to act in the protection of their personality rights (including data protection rights), therefore children with limited legal capacity can make complaints on their own behalf directly to the national data protection regulator. The Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) narrows this interpretation only in the course of data processing falling under the scope of Article 8(1) GDPR (see case no. NAIH-68/2021).

Are there any particular requirements/ prohibitions related to:

a. processing specific types of children’s personal data;

b. carrying out specific processing activities involving children’s personal data; and/ or

c. using children’s personal data for specific purposes.

Yes.

a. processing specific types of children’s personal data;

The Hungarian National Authority for Data Protection and Freedom of Information’s (“NAIH”) mandatory DPIA list requires data controllers to conduct a data protection impact assessment when processing biometric data for the purpose of uniquely identifying children.

b. carrying out specific processing activities involving children’s personal data; and/or

Recital 71 GDPR states that measures relating to “solely automated decision-making, including profiling, with legal or similarly significant effects… should not concern a child.” With this in mind, organisations should not profile children unless they can clearly demonstrate how and why it is done for protecting their welfare.

The NAIH’s mandatory DPIA list requires data controllers to conduct a data protection impact assessment when processing personal data of children for profiling, automated decision making, marketing purposes or providing them information society related services directly.

c. using children’s personal data for specific purposes:

The NAIH’s mandatory DPIA list requires data controllers to conduct a data protection impact assessment when processing large amounts of data related to children for purposes different from the original purpose.

Additionally, see more information on the EU-level requirements here.

Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.

Yes.

We are not aware of any major cross-border data processing decisions or enforcement actions by the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) concerning the processing of children’s personal data.

We are aware of the following significant domestic cases where the NAIH has taken enforcement actions concerning the processing of children’s personal data:

  1. The NAIH has examined several times whether online dating service providers ensure that children do not use their services without parental consent. The highest fine imposed on a data controller for failing to meet this requirement amounted to HUF 3 million (approx. EUR 7,900). (NAIH-801-8/2013/H., NAIH-799-8/2013/H., NAIH-798-40/2013/H., NAIH-803-4/2013/H., NAIH/2015/187/17/H., NAIH-5951-16/2012/H., NAIH/2016/4234/3/H.).
  2. In case no. NAIH-4822-8/2021., the NAIH reprimanded the data controller (an educational institution) for failing transparency requirements concerning the processing of children’s personal data. The NAIH stated that if the educational institution (e.g., kindergarten) processes children’s personal data based on the consent of the parents given for the whole educational year, the existence of this consent does not exempt the institution from its obligation to inform the parents about each and every data processing together with outlining the possibility to revoke consent.
  3. In case no. NAIH-68/2021., the NAIH fined a media outlet HUF 5 million (approx. EUR 12,500) for reporting about an incident using special categories of children’s personal data. The NAIH decided that this data processing could be lawful only based on the data subject’s consent; the legitimate interest in informing the public cannot apply where special categories of personal data are involved. Also, the NAIH explained that the right to object of children can only be exercised by their parent, excluding the possibility to exercise this right by siblings.

Electronic direct marketing and advertising

Are there specific rules concerning electronic direct marketing to children?

No.

There are no specific rules concerning electronic direct marketing to children. Act XLVIII of 2008 on basic conditions and certain restrictions on commercial advertising requires prior data subject consent for all electronic direct marketing activities, regardless of whether it is directed to children or adults.

Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?

Yes.

Act XLVIII of 2008 on basic conditions and certain restrictions on commercial advertising (“Advertising Act”) outlines specific advertising rules directed at children, irrespective of the advertising method used (i.e. including adtech tracking, profiling and online targeted advertising as well).

The Advertising Act sets out the following prohibitions on advertising to children. Advertising is prohibited if it:

  1. may harm the physical, mental, emotional or moral development of children and minors;
  2. is likely to have an adverse effect on the physical, mental, emotional or moral development of children and minors, in particular by referring to or depicting violence or sexuality, or by having a subject matter that is dominated by a violently resolved conflict;
  3. shows children or minors in a dangerous, violent or sexually explicit situation;
  4. promotes alcoholic beverages for children and minors;
  5. has as its subject matter alcoholic beverages and is directed to and depicts children or minors;
  6. calls children and minors to participate in gambling, and
  7. depicts sexuality for its own sake, and which promotes or displays any deviation from the self-identity of the sex of birth, any change of sex, or homosexuality.

Act XLVII of 2008 on the prohibition of unfair commercial practices towards consumers prohibits ads directed at children calling them to buy or use the advertised product or to persuade their parents or other adults to buy the advertised product for them.

Act CLXXXV of 2010 on media services and mass communication sets out that personal data of children collected or otherwise generated by media service providers in on-demand media services must not be processed for commercial purposes, such as targeted advertising.

Act CVIII of 2001 on Electronic Commerce states that personal data of minors collected or otherwise generated by video-sharing platform providers pursuant to above rules shall not be processed for commercial purposes, such as behaviourally targeted advertising.

The Digital Services Act prohibits online platforms from advertising to children using personal data-based profiling (i.e. personalised/ targeted advertising).

Additionally, see more information on the EU-level requirements here.

Are there specific rules concerning online contextual advertising to children?

Yes.

There are no national-specific rules concerning online contextual advertising to children. The ban on dark patterns under the GDPR and the Digital Services Act applies directly. See more information on the EU level requirements here.

Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.

Yes.

The Hungarian Competition Authority (“GVH”) has delivered decisions assessing advertising practices to children in, among others, the following cases:

a. the GVH imposed fines on companies for advertising products in a way which actively called children to purchase the product or to persuade their parents to buy in several cases (VJ/6/2019., VJ/8/2019., VJ/9/2019., VJ/22/2013., VJ-123/2009., VJ-124/2009.) contrary to the blacklist prohibition of Act XLVII of 2008 on the prohibition of unfair commercial practices towards consumers (“Unfair Commercial Practices Act”).

b. In case VJ/3/2020, the GVH imposed a fine of approximately HUF 350 million (approx. EUR 920,000) and a temporary prohibition of provision and promotion on the operator of a game for encouraging children to send premium-rate text messages via concealed advertisements while failing to disclose the costs involved. The GVH established that the operator of the service infringed the Unfair Commercial Practices Act by directly instructing children to make purchases and failed to disclose the price of the service and the most important characteristics of personal information processing in the advertisements. Furthermore, the undertaking promoted the game using influencer advertisements and web series aimed at children, without letting consumers know that the displayed content is paid promotion.

c. In case VJ/22/2013, the GVH took into account that the examined advertisements - ascertainable from the content and design of the advertisements and the nature of the advertised product - are addressed to minors, including primarily children under 14 years of age. This was confirmed by the fact that the promotional film itself featured children aged between 10 and 12 and was broadcast on several channels whose target group, as can be seen from the programme schedule, was children.

Consumer protection

At what age does a person acquire contractual capacity to enter into an agreement to use digital services?

Under Act V of 2013 on the Civil Code, the general age of adulthood i.e. 18 years applies also to contractual capacity to enter into an agreement to use digital services in most cases. However, the following exceptions may arise:

a. Minors between 14 and 18 may individually enter into agreements to use digital services as long as

  • the digital service concerns values of small importance relating to the ordinary necessities of everyday life (e.g. grocery shopping);
  • the digital service is used to spend the income generated from their own work, or making a commitment up to such amount of income, or
  • the digital service is used to buy gifts at usual value.

b. Legally incapacitated minors under 14 years of age may enter into agreements to use digital services as long as its conclusion is common in everyday life and does not require special consideration e.g., using a travel application to buy bus tickets.

Do consumer protection rules apply to children?

Yes.

Under Act XLVII of 2008 on the prohibition of unfair commercial practices towards consumers (“Unfair Commercial Practices Act”) the term “consumer” means any natural person acting for purposes which are outside his trade, business or profession; consequently, consumer protection rules are applicable to children as well.

In Case 3/2020 VJ, the Hungarian Competition Authority (“GVH”) referred to the Guidelines on the implementation/application of Directive 2005/29/EC (“UCP Directive”) in relation to children as a target group, highlighting that, in addition to Article 5(3), children enjoy specific protection through the prohibition of direct exhortation to children in point 28 of Annex I of the UCP Directive. According to the GVH, the assessment should be made from the perspective of the child, taking into account the child's age, development and other factors that make children particularly vulnerable.

The Unfair Commercial Practices Act even sets out that certain characteristics - such as age, physical or mental infirmity or credulity - make consumers particularly susceptible to commercial practices; as a result, the nature of practices is to be assessed from the perspective of the average member of the group with the same characteristics.

Additionally, see more information on the EU-level requirements here.

Are there any consumer protection rules which are specific to children only?

Yes.

Hungarian consumer protection rules contain specific rules concerning protection of children from various aspects.

  1. Under Act CLV of 1997 on consumer protection (“Consumer Protection Act”), selling or serving the following products is prohibited to persons under 18 years of age: (i) alcoholic beverages (with the exception of prescription medicinal products); (ii) sex products; (iii) tobacco products and water-pipe. These prohibitions apply to digital services offering the above as well.
  2. The Consumer Protection Act also sets out that – in the case of the distribution of a game software which is likely to have an adverse effect on the physical, mental, spiritual or moral development of persons under 18 years of age – the manufacturer must display the wording “Not recommended for persons under 18 years of age.” on the packaging of the game software. If the game software is distributed through the Internet, this obligation must be met before the software is downloaded with alterations appropriate to the technical characteristics of such online distribution.

Additionally, see more information on the EU-level requirements here.

Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.

Yes.

The Hungarian Competition Authority (“GVH”) initiated an investigation against a social media company (case VJ/24/2020) as it suspected that the company, inter alia, acted in breach of professional diligence in managing and moderating the exposure of children to advertising. The GVH's procedure ended with a commitment to the GVH regarding measures to be undertaken by the social media company. The key elements of the commitment concerning children include:

a. default settings for users under 18: notification on weekly screen time; automatic daily screen time restriction (upon 60 minutes of constant use of the service, the platform requires a password in order to continue);

b. mandatory organization of conferences on child protection with NGOs, and

c. enhanced age-verification methods and increasing the time period during which those registering below the age minimum will be blocked in Hungary.

In addition, the GVH conducted a sweep-investigation into online gaming services for children on mobile phones. The proceedings concluded with the GVH’s following recommendations to service providers:

a. Always indicate clearly when the game is interrupted by a commercial, and also when the commercial allows you to return to the original game.

b. When making in-game purchases with "real" money, always state the exact amount to be paid and the currency used.

c. Provide a privacy policy and terms and conditions guide that explains the most important information about the online game in a way that is understandable to Hungarian children.

Online Digital Safety

Are there any age-related restrictions on when children can legally access online/ digital services?

Yes.

There are age-related restrictions on the age at which children can legally access specific online goods and services.

According to Act CLV of 1997 on Consumer Protection, children cannot access (i) alcoholic beverages; (ii) sex products; (iii) tobacco products and water-pipe – including via online services. In addition, minors (under 18 years of age) may not participate in contests of chance with the exception of non-regular drawings.

Additionally, people under the age of 18 cannot access online gaming in Hungary under Act XXXIV of 1991 on Gambling.

Are there any specific requirements relating to online/ digital safety for children?

Yes.

The Electronic Commerce Act established the Round-table Conference for the Protection of Children (Round-table) as the consultative body of the President of the National Media and Infocommunications Authority.

The Round-table encourages and supports the enforcement of other statutory provisions for the protection of children having regard to media content providers, electronic commercial service providers and electronic communications service providers. Although the recommendations of the Round-table are non-obligatory, they serve as a guideline for the activities and procedures of the Round-table and for the regulatory compliance of service providers.

Additionally, see more information on the EU-level requirements here.

Are there specific age verification/ age assurance requirements concerning access to online/ digital services?

Yes.

There are no explicit statutory provisions under Hungarian law regarding age verification/age assurance requirements for children’s use of digital services. See more information on the EU-level requirements here.

However, in case VJ/24/2020 concerning a social media company's compliance with consumer protection and data protection rules, the Hungarian Competition Authority stressed the requirement to implement an effective age verification system without processing unnecessary personal data of children. It came to the conclusion (based on the Hungarian National Authority for Data Protection and Freedom of Information’s informal opinion) that currently there are no specific exact requirements for the conditions and characteristics of age verification systems.

Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?

Yes.

Please see the response to this question.

Additionally, see more information on the EU-level requirements here.

Has there been any regulatory enforcement action concerning online/ digital safety?

Yes.

In case VJ/24/2020 concerning a social media company's compliance with consumer protection and data protection rules, the Hungarian Competition Authority stressed the requirement to implement an effective age verification system without processing unnecessary personal data of children. However, it came to the conclusion (based on the Hungarian National Authority for Data Protection and Freedom of Information’s informal opinion) that currently there are no specific exact requirements for the conditions and characteristics of age verification systems.

Artificial intelligence

Are there any existing requirements relating to children and AI in your jurisdiction?

Yes.

There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.

Are there any upcoming requirements relating to children and AI in your jurisdiction?

Yes.

There are no national-specific requirements in this regard; see EU-level response here.

Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services?

No.

N/A

Are there any other existing or upcoming requirements relevant to children’s use of digital services?

Yes.

A new act has been recently adopted concerning a safe internet for minors - Act XLIX of 2024 on restricting access to pornographic content on the internet and amending certain laws relating to electronic commerce services and advertising activities for the protection of children. The new rules entered into force on 1 January 2025; however, some obligations only need to be fulfilled by a later date (2026). The purpose is to restrict minors' access to pornographic content on the internet, while strengthening parental control tools and regulating certain commercial and advertising activities in the digital space. This act amended Act C of 2003 on electronic communications and Act CVIII of 2001 on certain issues of electronic commerce services and information society services.

Internet access providers are required to provide filtered access if requested by the subscriber (e.g. parent). Filtering restricts access to sites with pornographic content. The service must be provided free of charge for individual subscribers, and it can be modified at any time. Parallel access to filtered and unfiltered internet must be enabled within a single access point.

The president of the NMHH compiles a “blacklist” of the most frequently visited websites in Hungary that display explicitly pornographic content. The method of compiling, reviewing, and publishing the list is regulated by a separate decree (not yet available).

Additionally, see more information on the upcoming EU-level requirements here.

Contributors

Bálint Halász Partner, Hungary

Ádám Simon Counsel, Hungary

Kinga Kálmán Trainee Associate, Hungary
