Digital Protection of Children: Sharenting and the Right to Erasure

In the age of social media, parents regularly share content about their children – photographs, videos, personal stories – often without considering the legal consequences. The legal assessment of “sharenting” (share + parenting) has evolved significantly in recent years. Below, we present the applicable Hungarian and EU legal framework, from personality rights through data protection rules to the handling of educational data.

Applicable Legislation

• Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) – in particular Articles 6, 8, 17, and 22
• Act V of 2013 – Civil Code (Ptk.) – personality rights (Sections 2:42–2:54), parental custody (Sections 4:152–4:182), child’s property (Section 4:159)
• Act CXII of 2011 – on the right to informational self-determination and freedom of information (Infotv.)
• Act XXXI of 1997 – on the protection of children and guardianship administration (Gyvt.)
• Act CXC of 2011 – on national public education (Nkt.)
• UN Convention on the Rights of the Child (promulgated by Act LXIV of 1991) – Article 16: the child’s right to privacy

The Child as an Independent Legal Subject

A child is not the parent’s property – this is a fundamental principle of the Civil Code and the Child Protection Act. From birth, a child is an independent legal subject whose personality rights under Section 2:42 of the Civil Code apply fully in the digital space as well. These include in particular:

• Right to human dignity (Section 2:42(2) Ptk.)
• Right to one’s image and voice recording (Section 2:48 Ptk.)
• Right to private life (Section 2:43(b) Ptk.)
• Right to the protection of personal data (Section 2:43(e) Ptk., GDPR Article 8)

A parent, as legal representative, is obligated to act in the child’s interest (Section 4:152(2) Ptk., Section 2 Gyvt.), not in the interest of their own social media presence.

Sharenting – When Does It Become a Legal Violation?

Criteria for Violation

“Sharenting” – content published about a child by a parent on social media – is not automatically unlawful, but becomes a legal violation when:

1. The content violates the child’s human dignity (Section 2:42(2) Ptk.) – e.g., humiliating, intimate, or images presenting the child in a negative context
2. Publication occurs without the child’s consent, where the child’s capacity for judgment would allow it (Section 2:14(2) Ptk. – minors with limited legal capacity decide on their own personality rights)
3. The content could later adversely affect the child’s development, social reputation, or opportunities

The Significance of the Age-14 Threshold

Under Section 2:14(2) of the Civil Code, minors with limited legal capacity (ages 14–18) decide on their own personality rights. This means:

• For publications affecting the personality rights of a child over 14, the child’s own consent is required – the parent cannot give consent “on behalf of” the child
• For children under 14, the parent acts as legal representative but must decide in the child’s interest, not their own

Asserting Claims

Where sharenting constitutes a legal violation, the child – with the assistance of the guardianship authority (Section 17 Gyvt.) or through the appointment of an ad hoc guardian (Section 2:51(3) Ptk.) if necessary – may assert the following claims:

• Establishing the violation (Section 2:51(1)(a) Ptk.)
• Cessation and injunction (Section 2:51(1)(b) Ptk.)
• Satisfaction – public or private (Section 2:51(1)(c) Ptk.)
• Elimination of the injurious situation – content removal (Section 2:51(1)(d) Ptk.)
• Non-pecuniary damages (sérelemdíj) (Section 2:52 Ptk.) – determined by the court considering the severity, repetitive nature, and culpability of the violation

Awarded damages constitute the child’s separate property (Section 4:159(1) Ptk.), which the parent must manage in the child’s interest.

Data Protection – GDPR Rules Concerning Children

The Question of Consent (GDPR Article 8)

GDPR Article 8 establishes special rules for children’s consent regarding information society services:

• General rule: a child may give valid consent from age 16 (Hungary did not lower this threshold under the Infotv.)
• For children under 16, consent must be given or approved by the parent or other legal representative

Important: GDPR Article 8 applies exclusively to information society services (e.g., social media accounts, applications). Content published by a parent on their own account is to be assessed under personality rights law (Ptk.), not directly under the GDPR consent rules.

The Right to Erasure (GDPR Article 17)

GDPR Article 17(1)(f) expressly states that the data subject is entitled to erasure of personal data where the data were collected as a child in connection with information society services.

This provision:

• Does not constitute an absolute right to erasure of all school or other data – it applies exclusively to information society services (Article 8)
• Does not automatically extend to data processed within school administration – retention periods for such data are governed by the Nkt. and its implementing regulations
• However, it provides an effective legal basis for erasing content published on social media – after reaching majority, the former child may request deletion of data processed based on parental consent

The Role of the NAIH

The National Authority for Data Protection and Freedom of Information (NAIH) – as the supervisory authority under the GDPR – also handles cases concerning children’s data protection. Complaints may be filed with the NAIH when:

• An online service provider unlawfully processes children’s data
• An educational institution has breached its data protection obligations
• A data controller has failed to comply with an erasure request

Digital Data Processing in Education

School Administration Systems

School administration systems (e.g., KRÉTA) process numerous personal data of children: academic results, absences, conduct and diligence evaluations. The Nkt. and the GDPR apply jointly to the processing of these data.

Limits on Automated Decision-Making and Profiling

GDPR Article 22 restricts decision-making based solely on automated processing – including profiling. For children, this applies with heightened force (GDPR Recital 71):

• Automated profiling from school data – e.g., analysis of behavioural patterns, “risk categorisation” – is permissible only with the parent’s explicit, informed consent
• The child (from age 14 in their own right, below that age through the parent) has the right to object to automated profiling (GDPR Article 21)
• The data controller must conduct a data protection impact assessment (GDPR Article 35) before planning large-scale, systematic profiling of children’s data

Retention and Deletion of School Data

Retention periods for data processed within school administration are determined by the Nkt. and its implementing regulations – the GDPR right to erasure is not the primary legal basis. This means:

• The educational institution is required to retain registry data for the period specified by law
• After completion of studies, data not processed under a legal obligation must be deleted (GDPR Article 5(1)(e) – storage limitation)
• Behavioural or developmental notes – where they do not form part of documentation required to be retained – must be deleted upon completion of studies

Practical Advice for Parents

1. Think before posting – a photo that seems cute today may be embarrassing for the child in 10 years
2. Obtain consent from children over 14 – under Section 2:14(2) Ptk., the child decides on their own personality rights
3. Avoid identifiable content – due to facial recognition technologies, an image uploaded today may remain identifiable for decades
4. Configure social media privacy settings – but remember: restricted sharing does not exempt from personality rights liability
5. Inquire about school data processing – request the institution’s privacy notice and data processing policy

Practical Advice for Young Adults Who Have Reached Majority

1. Request content removal – directly from the parent or via the platform under GDPR Article 17
2. File a complaint with the NAIH – if the data controller (platform) fails to comply with the erasure request
3. Personality rights lawsuit – if the content remains accessible and violates your dignity (Sections 2:51–2:52 Ptk.)
4. Review school data – request deletion of data not required to be retained after completion of studies

The digital protection of children lies at the intersection of personality rights, data protection, and parental responsibility. The applicable legislation – the Civil Code’s personality rights provisions, the GDPR’s special rules concerning children, and the Child Protection Act’s framework – jointly provide the protective instruments. However, enforcement presupposes that parents and young adults know their rights – and exercise them when necessary.