Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Romanian Civil Code provides that a person reaches majority at the age of 18, while all those under the age of 18 are considered minors and have limited legal capacity.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
Romania ratified the UNCRC by Law no. 18/1990. Romania later enacted Law no. 272/2004 on the protection and promotion of children's rights. In 2001, Romania ratified two optional protocols on child exploitation and child involvement in armed conflict.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Ombudsman for Children has a role established under the coordination of the Romanian Ombudsman, according to Law no. 35/1997.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
The Ombudsman for Children is responsible for the promotion of the rights and welfare of children and promoting awareness of the children’s rights as established by Law no. 272/2004.
By way of example, the Ombudsman for Children: (i) resolves individual complaints made by children or their representatives regarding the activity of public institutions activating in the field of health, education, special child protection, enforcement of preventive measures provided for in the Romanian Criminal Code, as well as any institutions whose activity is related to the protection and promotion of children's rights; (ii) resolves any complaints regarding the violation of one or more children's rights; (iii) promotes children's rights; (iv) puts forward proposals for measures to encourage children's participation in decisions that affect them etc.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data. If another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data.
Entirely separate to the requirement to collect parental consent under Article 8(1) is that a digital service provider (controller) may decide to seek parental permissions for a child to access different setting/ features/ functionalities etc. as part of the measures it implements under Articles 24 and 25 of the GDPR to ensure a high level of protection for child users.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Article 8(1) of the GDPR provides that the age of digital consent may be anywhere between 13 and 16 years of age, depending on what age the EU Member State in question has adopted. In Romania, this is 16 years of age.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here.
While Article 8(2) of the GDPR does not set out an approved method for the collection of parental consent, it does require organisations to “make reasonable efforts” to verify such consent by a holder of parental responsibility over a child taking into account available technology. No specific method has been endorsed by the Romanian Data Protection Authority.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard; however see more information on the GDPR-level requirements here.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
There are no national-specific laws which specify the age at which children have the legal right to exercise their data subject rights under the GDPR.
However, considering that the GDPR does not impose prohibitions in this sense, we would interpret this as meaning that in Romania even children may exercise their rights in this regard.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
There are no national-specific laws on complaints.
However, considering that the Romanian Data Protection Authority procedural rules on complaints do not make a distinction considering age, it may be assumed that even children may make such complaints.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
There are no national-specific laws in this regard; however see more information on the GDPR-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
1.The Romanian Data Protection Authority (DPA) imposed a €5,000 fine in November 2020 on a company providing services for children’s events. The fine was applied for insufficient technical and organizational means which led to a data breach which caused the unlawful access to personal data of approx. 1,091 natural persons, including minors.
The data breach consisted of the fact that a website contained a file on transactions (including, amongst others, the e-mail addresses, phone numbers, names of clients (adults and minors), age of minors, delivery addresses) which could be unlawfully accessed.
The fine was challenged in court. The first court (Vaslui Tribunal) replaced the fine with a warning, while the second court (Iasi Court of Appeals) admitted the appeal of DPA and confirmed the initially applied fine (January 2023). The Iasi Court of Appeals decision is final.
2. In May 2022, the DPA imposed a €5,000 on a company specialised in receivable management who disclosed health data of the complainant and her minor child to certain medical institutions with whom such company did not have any relations. The company was not able to justify an adequate legal ground and an adequate sensitive data safeguard.
In this case, the first instance (Bucharest Tribunal) partially admitted the claim and replaced the fine with the warning. However, the Bucharest Court of Appeals admitted the appeal of DPA and confirmed the initially applied fine (April 2023). The Bucharest Court of Appeals decision is final.
3. In November 2021, the DPA imposed a €1,000 fine on a large retail operator which organised a painting contest for children. Due to an error, the online platform containing the paintings made by the children also made available the personal data from the participation forms (including, amongst others, the name, the home address, the e-mail address, the age) thus affecting 114 natural persons (half of them being minors). The fine appears to not have been contested in court.
It is worth noting that not all the sanctions applied by the DPA are publicly available.
Are there specific rules concerning electronic direct marketing to children?
No.
Where unsolicited direct marketing to any person is carried out through the sending of electronic communications, the Romanian ePrivacy Law will apply to such communications. This law transposes the ePrivacy Directive into Romanian law. This Law is not specifically directed at communications made to children, but regardless of whether the communication is sent to an adult or a child, the general rule is that the consent of the individual recipient is required although there are certain strictly applied exemptions which can be relied upon in limited circumstances.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
From a privacy perspective, there are no national-specific laws in this regard; see more information on the EU-level requirements here.
Separately under the Digital Services Act, organisations that fall under the definition of providers of online platforms are prohibited from advertising to children
General aspects
Romanian law provides for several types of obligations regarding the protection of minors in the responsibility of different service providers.
For example, certain rules of general character/principles are laid down by Law no. 148/2000 on advertising, under which it is prohibited to advertise (there is no distinction made, so either online, or offline) alcoholic beverages, electronic cigarettes (including vape devices), smokeless tobacco substitutes, tobacco-heating devices, and nicotine pouches if the ads are directed at minors, depict minors using these products, or appear in publications primarily for minors. For products and services aimed at minors, advertising is also banned if it: a) harms them physically, morally, intellectually, or psychologically; b) exploits their inexperience or credulity; c) undermines the parent-child or teacher-child relationship; d) shows minors in dangerous situations.
Note: a draft law amending Law No. 148/2000 proposes restricting gambling advertisements to the hours between 23:00 (11PM) and 06:00 (6AM) to enhance the protection of minors. This initiative follows the National Audiovisual Council's (NAC) longstanding efforts to address this issue.
In terms of privacy, there are no national-specific laws in this regard specifically referring to children. The Romanian ePrivacy Law and the GDPR will apply in this context.
Are there specific rules concerning online contextual advertising to children?
Yes.
There are no specific rules concerning online contextual advertising to children provided by national legislation. See more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
Enforcement cases are not necessarily public unless they end up in court. Further, court decisions are sometimes censored, making it more difficult to identify relevant situations.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
The age of civil capacity to enter into any contract in Romania is 18. However:
- There are also certain exceptions established under the Romanian Civil Code, where, in certain situations and under specific conditions, minors, having reached 16 years old, are considered to have full legal capacity (even though they have not yet reached the age of 18) if: (i) a 16 year old minor gets married, in accordance with the conditions of the law; or (ii) a court recognises the full capacity of a minor under the age of 16 to exercise their rights.
- The Civil Code provides that minors between 14 and 18 years old have a limited capacity – they may enter into legal acts: (i) personally and alone, without any prior consent (see below); or (ii) personally, but with prior consent and/or authorisation (on a case-by-case basis, depending on each individual legal act, it will either be sufficient only to have the consent of the parent, or there will be a need for both the consent of the parent and particular authorisation(s)).
The legal acts that persons between 14 and 18 years of age can conclude personally and alone are, by way of example: (1) acts of preservation (which are necessary and urgent, their purpose being generally to remove the danger of loss of an asset/right);
(2) acts of disposition (in Romanian “acte de dispoziție”) of small value, of a current nature and which are executed at the time of their conclusion (i.e., it is a not an act with sequential/continuous execution and does not include time limits or conditions; for example, a sale/purchase at a low price – a generally valid example considered is the purchase of a ticket for public transport or buying food in the supermarket); (3) acts of administration (those acts by which an asset is put to economic value, other than by selling it) that are not prejudicial; (4) acceptance of donations/gifts (only if the donations/gifts are not subject to any obligations imposed on the minor accepting the donation); (5) making “ordinary gifts” (in Romanian “daruri obișnuite”), i.e., those which are are to some extent appropriate to this material condition (i.e. of small value) etc.
As for other acts/categories of acts, they may be subject either to parental consent or, in cases provided for by law, to parental consent and other authorisation(s).
- Generally, minors under 14 years old may enter into legal acts (i) personally and alone: applicable for an even narrower category of legal acts (in general the Civil Code refers to acts of preservation and acts of disposition, similar to the above categories under point (1) and (2)); (ii) the rest of the acts are concluded on their behalf by their legal representatives (e.g., parents).
- As a general note, it should be considered that the legislator has established these rules based on the presumption that those under 14 years of age lack discernment. The above represent only some general guidelines outlining the regime of civil capacity to enter into/conclude legal acts; they may differ from case to case, therefore, in order to be able to give an exact indication of the minimum age for entering into a particular act, a case-by-case analysis will have to be carried out, taking into account all the particularities applicable to the case in question.
Do consumer protection rules apply to children?
Yes.
The Romanian consumer protection legislation is also applicable to minors, with some provisions more suited to their situation. These are set out in:
- Law No. 193/2000 (unfair terms in consumer contracts),
- Law No. 363/2007 (unfair commercial practices), and
- GEO No. 34/2014 (consumer rights in the online environment).
See more information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
General aspects
Romanian law provides for several types of obligations regarding the protection of minors in the responsibility of different service providers.
For example, certain rules of general character/principles are laid down by Law no. 148/2000 on advertising, under which it is prohibited to advertise (there is no distinction made, so either online, or offline) alcoholic beverages, electronic cigarettes (including vape devices), smokeless tobacco substitutes, tobacco-heating devices, and nicotine pouches if the ads are directed at minors, depict minors using these products, or appear in publications primarily for minors.
For products and services aimed at minors, advertising is also banned if it: a) harms them physically, morally, intellectually, or psychologically; b) exploits their inexperience or credulity; c) undermines the parent-child or teacher-child relationship; d) shows minors in dangerous situations.
Potential particular rules
Depending on each individual service and on the exact circumstances, particular/additional rules may become applicable. For example, Law no. 504/2002, which stipulates the obligation of video-sharing platform providers to take appropriate measures to protect minors from programs, user-generated videos and audiovisual commercial communications that may affect their physical, mental or moral development.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
N/A.
Please note that enforcement cases are not necessarily public unless they end up in court. Further, court decisions are sometimes censored, making it more difficult to identify relevant situations. In any case, strictly from a consumer protection perspective, no notable public cases in the context of the question have been identified.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
There are national-specific laws in Romania which implement age-related restrictions on the ages at which children can legally access specific goods and services. The following is a non-exhaustive list of goods and services to which such restrictions apply:
- gambling;
- alcohol, cigarettes, vaping; and
- pornography.
To the extent such goods and services are accessed online by children, such restrictions will generally also apply.
Note that there have been some debates about a draft law that would require - for the creation of social media accounts by minors under 16 - the prior consent of their parents; no public legislative proposal has been registered yet in this regard.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
The Digital Services Act (DSA) brings in requirements for content moderation for all ‘intermediary service providers’ within its scope. According to the DSA and Law no. 50/2024, providers of online platforms accessible to minors shall put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service, failure to comply with these obligations representing a contravention.
The “e-Commerce Directive” provides the baseline regime applicable to all categories of platforms and all types of content. Under Law No 365/2002 (partially implementing the e-Commerce Directive), service providers (including online platforms) are obliged to immediately inform the competent public authorities about apparently illegal activities carried out by recipients of their services or apparently illegal information provided by them.
Also, under this law, service providers (including platforms) are obliged to interrupt, temporarily or permanently, the transmission in a communication network or the storage of information provided by a recipient of the service in question, in particular by removing the information or blocking access to it, access to a communication network or the provision of any other information society service, if these measures have been ordered by the competent public authority (this public authority may act ex officio or following a complaint or referral by an interested person).
In particular cases and only for certain subjects that fall under its provisions, the legislation on audiovisual services is also applicable. For example, Law no. 504/2002 (Audiovisual Law) requires the removal of particular harmful content from certain services: by way of example, providers of video-sharing platforms are obliged to take appropriate measures to protect: minors from programmes, user-generated video material and audiovisual commercial communications that may harm their physical, mental or moral development, in particular from programmes containing pornography or unjustified violence; the general public from programmes, user-generated video material and audiovisual commercial communications containing incitement to violence or hatred against a group of persons or a member of a group based on grounds such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or other opinion, membership of a national minority, property, birth, disability, age or sexual orientation, or contagious or non-contagious chronic disease etc. There are several obligations in this regard for service providers/platforms falling under the Audiovisual Law.
Additionally, see more information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
There are no national-specific requirements in this regard; see more information on EU-level developments here.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
The online safety regulations do not specify particular requirements. However, any measures must take into account the regulation of rights and obligations in the parent-child relationship:
- under Romanian law, parents exercise parental authority until the child reaches the age of 18. The Romanian Civil Code grants parents the right and duty to raise their child, ensuring their physical, mental, and intellectual well-being according to their own convictions, as well as the child's abilities and needs. Parents must also provide guidance for the proper exercise of the child’s rights. For example, the Civil Code allows parents, for good reasons, to restrict correspondence and personal contacts for children under 14. After 14, children have a right to personal correspondence, though parents may still limit it if deemed necessary for the child’s development.
- Article 28(2) of Law No. 272/2004 limits parental involvement, providing for “the child's freedom to search for, receive and disseminate information of any nature, including online, aimed at promoting his/her social, spiritual and moral well-being, physical and mental health, in any form and by any means of his/her choice”.
Additionally, see more information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
Please note, however, that enforcement cases are not necessarily public unless they end up in court. Further, court decisions are sometimes censored, making it more difficult to identify relevant situations.
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific requirements in this regard; see EU-level response here.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
There are no national-specific requirements in this regard; see more information on EU-level developments here.
Contributors
Iurie Cojocaru
NNDKP
Gabriela Cacerea
NNDKP
Laurentiu Neacsu
NNDKP
Anda Zamfir
NNDKP
