NAIH (Hungary) - NAIH-3195-11/2022: Difference between revisions
(First few edits. So far mostly tried to clarify facts a bit and make the legal conclusions at the beginning of each legal argument of the DPA apparent.) |
m (→Holding: Removed duplication of the word "data" from the underlined sentence confirming that TV2 was the controller.) |
(6 intermediate revisions by 2 users not shown) | |||
Line 25: | Line 25: | ||
|Date_Published=01.02.2023 | |Date_Published=01.02.2023 | ||
|Year=2023 | |Year=2023 | ||
|Fine= | |Fine=10,000,000 | ||
|Currency=HUF | |Currency=HUF | ||
Line 71: | Line 71: | ||
}} | }} | ||
The Hungarian DPA fined a media provider 10,000,000 HUF (approx. €25,650) for failing to properly inform data subjects about processing on its websites and for using | The Hungarian DPA fined a media provider 10,000,000 HUF (approx. €25,650) for, among other things, failing to properly inform data subjects about the processing on its websites and for confusingly using the term "legitimate interest" without referring to its meaning under the GDPR. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The TV2 Media Group Ltd. is one of Hungary's largest content providers | The TV2 Media Group Ltd., the controller, is one of Hungary's largest content providers. It operates several TV channels and online streaming services and has two websites tv2play.hu and tenyek.hu. "Tenyek.hu" contains predominantly news content, while "tv2play.hu" focuses on various audiovisual media content. In 2021, they had between 1.6 million and 2.4 million monthly visitors and a net revenue of 49,000,000,000 HUF (approx. €127,000,000). | ||
Based on a "public interest notification" the Hungarian DPA started an ''ex officio'' investigation into the data processing of the websites. There was a concern that the controller did not provide data subjects with adequate information about the processing and that the consent management platform (CMP) on the websites did not collect the consent of data subjects in a transparent and clear manner. | |||
The investigation revealed a number of potential data protection deficits. | |||
The CMP of the controller offered data subject's with the possibility to give consent to cookies by clicking an "OK, continue" button. However, the only alternative was a "more options" button which redirected to a second level of the CMP with more information and more detailed consent options. On this second level of the CMP, users were provided with two tabs for different categories of processing. On one tab, the user was able to give "consent" to different processing purposes. The other tab was titled "legitimate interest" and allowed the data subjects to object to data processing. Confusingly, the processes listed in both tabs was almost completely identical. They included purposes such as "selection of basic ads", "Measuring ad performance", and "creating a personalized advertising profile". The processing purposes ""storing and/or accessing information stored on the device"" was only listed under the consent tab. | |||
The | |||
Regarding the meaning of "legitimate interest" the controller explained that, the way in which it is used on the website, the term would not relate to the legal basis under the GDPR but was meant as a "category". Consequently, the controller also had made no interest assessment. | |||
Lastly, it was unclear to the DPA how consent could be withdrawn, once it had been given. | |||
=== Holding === | |||
The DPA decided that the controller's conduct was in breach of the GDPR. | |||
<u>First, the DPA concluded that the content provider is the controller, which is ultimately responsible for the processing of the personal data.</u> | |||
The content provider used the websites to distribute its media content for its business interests. No other party had the right to decide whether the content provider should distribute its media content through the websites or whether it should cease to do so, and whether and through which service provider advertising should be displayed. The content provider operated the websites at its own discretion and in its commercial interest. | |||
For all the processing examined in relation to the websites, the content provider determined the purposes and means of the processing and enabled third parties to place content on the websites. The DPA therefore held that the content provider was the controller pursuant to [[Article 4 GDPR#7|Article 4(7) GDPR]]. | |||
<u>Second, the DPA held that the controller violated the principle of fairness and transparency pursuant to [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 12 GDPR#1|Article 12(1),]] and [[Article 13 GDPR]] by not appropriately informing the data subjects about the legal basis of the processing.</u> | |||
The DPA pointed out that [[Article 12 GDPR#1|Article 12(1) GDPR]] required controllers to take appropriate measures to provide data subjects with all the information referred to in [[Article 13 GDPR|Article 13 to]] [[Article 14 GDPR|14 GDPR]], in [[Article 15 GDPR]] to [[Article 22 GDPR]], and in [[Article 34 GDPR]]. The information has to be provided in a concise, transparent, intelligible manner and an easily accessible form, in clear and plain language. Moreover, [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] requires, among other things, that the controller informs its data subjects about the correct legal basis for their processing. | |||
However, in the present case, the controller indicated "consent" as a legal basis for browsing-related processing, irrespective of the fact that without certain technical cookies the websites cannot function. The purpose “To store and/or access information stored on the device” was only based on consent instead of legitimate interest. However, the DPA argued that without these cookies the websites would not be able to work. Consequently, the legal basis for consent is not appropriate, as a successful website visit of a data subject means that information on the data subject's terminal were written and read regardless of consent, and could not be opted out or withdrawn. | |||
In | In addition, the term “legitimate interest” used by the controller is equivalent to the term used in the GDPR under [[Article 6 GDPR#1f|Article 6(1)(f)]]. Therefore, since the controller explained that its "legitimate interest" would not refer to the "GDPR legitimate interest", it was either used incorrectly by the controller – and misleading – or used correctly, but without any information and without any consideration of the interests involved. Either way, the DPA considered it unfair and opaque contrary to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] to indicate substantially the same purposes on both the consent and the legitimate interest tabs. It gives data subjects the impression that the same processing is possible even if consent is not given. Moreover, the information on the second level of the CMP was provided in an exceptionally long text on data management and was only available in an unreasonably small area of the screen, readable only a few lines at a time. The long text cannot be described as concise or clear. | ||
As a result of the above, the DPA concluded that the controller violated the principle of fair and transparent processing pursuant to [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 13 GDPR|Article 13 GDPR]]. | |||
<u>Third, the DPA held that the controller processed personal data without a legal basis as it neither fulfilled the conditions for Article 6(1)(a) GDPR "consent" nor Article 6(1)(f) "legitimate interest".</u> | |||
The DPA decided that consent could not be used as a legal basis. It noted that it was not as easy to withdraw consent as it was to give it. The CMP did not provide an easily accessible possibility, neither for personal data directly processed by the controller nor for personal data transferred to third parties. There was no information provided on how to easily withdraw consent. Moreover, in addition, due to the opaqueness of the processing and the lack of clear information, as described above, consent, as a general rule, could not be considered to be a valid legal basis as it could not have been informed. | |||
Next, the controller could also not rely on legitimate interest for its processing. During the investigation, it became clear that the controller had not clearly indicated which processes were to be based on legitimate interest and which not. However, the DPA asserted that it is not the task and responsibility of the data subject, nor of the DPA, rather than that of the controller, to identify, describe and justify the specific purposes and legal grounds for the processing. Controllers are required to clearly justify, consider and provide safeguards for the purposes and legal basis on which they intend to process which personal data. These safeguards should ensure, among other things, that the data subject is aware of the processing and can object to it before the processing takes place. | |||
For the above reasons, | For the above reasons, the DPA concluded that the controller infringed [[Article 6 GDPR#1|Article 6(1) GDPR]]. | ||
In sum, the DPA found the controller to be in violation of the GDPR, specifically [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 13 GDPR]]. It fined the controller 10,000,000 HUF (approx. €25,650). In determining the height of the fine, the DPA took into account some mitigating circumstances, namely, that the DPA had not previously found a data protection breach against the controller. Aggravating circumstances were that millions of data subjects were affected and that the processing was done for profiling purposes with commercial intent. | |||
== Comment == | == Comment == |
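Review bot: the closing "In sum" paragraph of the Holding names only Article 5(1)(a), Article 12(1) and Article 13 GDPR, although the paragraph directly before it concludes that the controller infringed Article 6(1) GDPR; the list should include Article 6(1) so that the summary matches the third holding. In the Facts paragraph on the CMP, "data subject's with the possibility" should read "data subjects the possibility", "the processes listed in both tabs was" needs "were", and the doubled quotation marks around "storing and/or accessing information stored on the device" should be a single pair. In the third holding, "Moreover, in addition," is redundant, and the sentence "it is not the task and responsibility of the data subject, nor of the DPA, rather than that of the controller" reads more clearly if it states the positive first: it is the controller's task, not that of the data subject or the DPA.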
Latest revision as of 08:48, 23 February 2023
NAIH - NAIH-3195-11/2022 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6(1) GDPR Article 12(1) GDPR Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 21.02.2022 |
Decided: | 30.01.2023 |
Published: | 01.02.2023 |
Fine: | 10,000,000 HUF |
Parties: | TV2 Média Csoport Zrt. TV2 Média Csoport Zrt. |
National Case Number/Name: | NAIH-3195-11/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | Abel Kaszian |
The Hungarian DPA fined a media provider 10,000,000 HUF (approx. €25,650) for, among other things, failing to properly inform data subjects about the processing on its websites and for confusingly using the term "legitimate interest" without referring to its meaning under the GDPR.
English Summary
Facts
The TV2 Media Group Ltd., the controller, is one of Hungary's largest content providers. It operates several TV channels and online streaming services and has two websites, tv2play.hu and tenyek.hu. "Tenyek.hu" contains predominantly news content, while "tv2play.hu" focuses on various audiovisual media content. In 2021, they had between 1.6 million and 2.4 million monthly visitors and a net revenue of 49,000,000,000 HUF (approx. €127,000,000).
Based on a "public interest notification", the Hungarian DPA started an ex officio investigation into the data processing of the websites. There was a concern that the controller did not provide data subjects with adequate information about the processing and that the consent management platform (CMP) on the websites did not collect the consent of data subjects in a transparent and clear manner.
The investigation revealed a number of potential data protection deficits.
The CMP of the controller offered data subjects the possibility to give consent to cookies by clicking an "OK, continue" button. However, the only alternative was a "more options" button which redirected to a second level of the CMP with more information and more detailed consent options. On this second level of the CMP, users were provided with two tabs for different categories of processing. On one tab, the user was able to give "consent" to different processing purposes. The other tab was titled "legitimate interest" and allowed the data subjects to object to data processing. Confusingly, the processes listed in both tabs were almost completely identical. They included purposes such as "selection of basic ads", "Measuring ad performance", and "creating a personalized advertising profile". The processing purpose "storing and/or accessing information stored on the device" was only listed under the consent tab.
Regarding the meaning of "legitimate interest", the controller explained that, as used on the website, the term would not relate to the legal basis under the GDPR but was meant as a "category". Consequently, the controller had also made no interest assessment.
Lastly, it was unclear to the DPA how consent could be withdrawn once it had been given.
Holding
The DPA decided that the controller's conduct was in breach of the GDPR.
First, the DPA concluded that the content provider is the controller, which is ultimately responsible for the processing of the personal data.
The content provider used the websites to distribute its media content for its business interests. No other party had the right to decide whether the content provider should distribute its media content through the websites or whether it should cease to do so, and whether and through which service provider advertising should be displayed. The content provider operated the websites at its own discretion and in its commercial interest.
For all the processing examined in relation to the websites, the content provider determined the purposes and means of the processing and enabled third parties to place content on the websites. The DPA therefore held that the content provider was the controller pursuant to Article 4(7) GDPR.
Second, the DPA held that the controller violated the principle of fairness and transparency pursuant to Article 5(1)(a), Article 12(1), and Article 13 GDPR by not appropriately informing the data subjects about the legal basis of the processing.
The DPA pointed out that Article 12(1) GDPR requires controllers to take appropriate measures to provide data subjects with all the information referred to in Articles 13 and 14 GDPR, in Articles 15 to 22 GDPR, and in Article 34 GDPR. The information has to be provided in a concise, transparent and intelligible manner and in an easily accessible form, using clear and plain language. Moreover, Article 13(1)(c) GDPR requires, among other things, that the controller inform its data subjects about the correct legal basis for their processing.
However, in the present case, the controller indicated "consent" as a legal basis for browsing-related processing, irrespective of the fact that without certain technical cookies the websites cannot function. The purpose “To store and/or access information stored on the device” was only based on consent instead of legitimate interest. The DPA argued, however, that without these cookies the websites would not be able to work. Consequently, consent is not an appropriate legal basis, as a successful website visit by a data subject means that information on the data subject's terminal was written and read regardless of consent, and this could not be opted out of or withdrawn.
In addition, the term “legitimate interest” used by the controller is equivalent to the term used in the GDPR under Article 6(1)(f). Therefore, since the controller explained that its "legitimate interest" would not refer to the "GDPR legitimate interest", it was either used incorrectly by the controller, and was misleading, or used correctly, but without any information and without any consideration of the interests involved. Either way, the DPA considered it unfair and opaque, contrary to Article 5(1)(a) GDPR, to indicate substantially the same purposes on both the consent and the legitimate interest tabs. It gives data subjects the impression that the same processing is possible even if consent is not given. Moreover, the information on the second level of the CMP was provided in an exceptionally long text on data management and was only available in an unreasonably small area of the screen, readable only a few lines at a time. The long text cannot be described as concise or clear.
As a result of the above, the DPA concluded that the controller violated the principle of fair and transparent processing pursuant to Article 5(1)(a), Article 12(1) GDPR and Article 13 GDPR.
Third, the DPA held that the controller processed personal data without a legal basis as it neither fulfilled the conditions for Article 6(1)(a) GDPR "consent" nor Article 6(1)(f) "legitimate interest".
The DPA decided that consent could not be used as a legal basis. It noted that it was not as easy to withdraw consent as it was to give it. The CMP did not provide an easily accessible way to withdraw consent, either for personal data directly processed by the controller or for personal data transferred to third parties. There was no information provided on how to easily withdraw consent. Moreover, due to the opaqueness of the processing and the lack of clear information, as described above, consent, as a general rule, could not be considered to be a valid legal basis as it could not have been informed.
Next, the controller could also not rely on legitimate interest for its processing. During the investigation, it became clear that the controller had not clearly indicated which processes were to be based on legitimate interest and which were not. However, the DPA asserted that it is the task and responsibility of the controller, not of the data subject or of the DPA, to identify, describe and justify the specific purposes and legal grounds for the processing. Controllers are required to clearly justify, consider and provide safeguards for the purposes and legal basis on which they intend to process which personal data. These safeguards should ensure, among other things, that the data subject is aware of the processing and can object to it before the processing takes place.
For the above reasons, the DPA concluded that the controller infringed Article 6(1) GDPR.
In sum, the DPA found the controller to be in violation of the GDPR, specifically Article 5(1)(a) GDPR, Article 12(1) GDPR and Article 13 GDPR. It fined the controller 10,000,000 HUF (approx. €25,650). In determining the amount of the fine, the DPA took into account some mitigating circumstances, namely, that the DPA had not previously found a data protection breach against the controller. Aggravating circumstances were that millions of data subjects were affected and that the processing was done for profiling purposes with commercial intent.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
File number: NAIH-3195-11/2022 Subject: decision DECISION On February 21, 2022, the Authority launched an official data protection procedure against TV2 by Média Csoport Zrt. (headquarters: 1145 Budapest, Róna u. 174.; (hereinafter: Customer) operated "tenyek.hu" and "tv2play.hu" websites (hereinafter: Websites) in relation to its data management, to check whether it is related to the Websites whether data management is suitable for natural persons, the management of personal data regarding its protection and the free flow of such data, as well as 95/46/EC Directive 2016/679/EU on repealing the directive (hereinafter: general of the provisions of the Data Protection Regulation), as well as the exercise of the rights of stakeholders in this regard whether it is handled properly. The Authority is the following in the above official data protection procedure makes decisions: I. The Authority determines that the Client did not provide adequate information to the persons concerned in relation to the management of personal data managed through the Websites, and a consent management framework is not transparent and clear on the Websites collected the consent of those concerned, thus the personal data managed on the Websites violated Article 5 (1) of the General Data Protection Regulation in the period under review the principle of fair and transparent data management according to point a), Article 5 (1). point b) of the purpose-related principle, Article 6 (1), Article 12 (1) and Article 13. II. The Authority based on Article 58 (2) point d) of the General Data Protection Regulation ex officio instructs the Customer to modify the Websites as such practice related to the management of personal data to comply with the general of the data protection regulation, i.e. 
clearly separate the necessary for the operation of the site and it is not necessary to manage data, the consent should be uniform on the Websites managed through no more parallel systems with invisible connections to each other, and consent can be given on the basis of appropriate concise and clear information For handling personal data not required for technical operation on websites, that is and personal data based on consent that does not comply with this must be deleted. CXII of 2011 on the right to information self-determination and freedom of information. Act (hereinafter: Infotv.) to challenge the decision based on Section 61 (6). until the expiration of the open deadline for filing an action, or in the case of an administrative lawsuit, the court until a final decision, the data affected by the disputed data management cannot be deleted or not can be destroyed. III. The Authority ex officio the Customer due to the above data protection violations HUF 10,000,000, i.e. ten million forints data protection fine obliged to pay. The II. the fulfillment of the obligation prescribed by the Customer towards this decision must be in writing within 30 days after the expiration of the legal remedy deadline - the supporting 2 together with the presentation of evidence - to prove it to the Authority. Data management exclusively in addition to defining the appropriate scope of data, for real and specific purposes, a valid legal basis, and it is possible to continue with the proof of the maximum guarantee of the rights of the stakeholders, otherwise in this case, the Customer has to delete personal data that does not have a valid legal basis and you must prove the termination of your further treatment to the Authority within the above deadline. The III. 
fine according to point 30 days from the date of this decision becoming final within the forint settlement account of the Authority for the collection of centralized revenues (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid. When transferring the amount, "NAIH-3195/2022 FINE.” number must be referred to. If the Customer does not fulfill his obligation to pay the fine within the deadline, he is in default is obliged to pay a penalty. The rate of penalty is the legal interest, which is is the same as the central bank base rate valid on the first day of the relevant calendar semester. Non-payment of the fine and late fee, or the above II. obligation according to point in case of non-compliance, the Authority orders the implementation of the decision. There is no place for administrative appeal against the decision, but only from the announcement public director1i with a letter of claim addressed to the Metropolitan Court within 30 days can be challenged in a lawsuit. The claim must be submitted to the Authority electronically, which forwards it to the court together with the case documents. The request for the holding of the trial is submitted by the must be indicated in the application. For those who do not receive full personal tax exemption the fee for the judicial review procedure is HUF 30,000, the lawsuit is subject to the right to record the fee. THE Legal representation is mandatory in proceedings before the Metropolitan Court. Infotv. Pursuant to § 61, subsection (2), point a), the Authority publishes this decision a Authority website. JUSTIFICATION I. Procedure and clarification of the facts I.1. History matters 1.1. The Authority's history investigation procedure No. 
NAIH-2905/2021 (hereinafter: History Case) based on a public interest report, verified that by the Customer does the cookie-related data management of operated websites comply with the general provisions of the data protection regulation. 1.2. The Authority sent the documents created in the History Case to Infotv. Based on § 71, paragraph (2). can be used in this procedure. 1.3. The Customer's answers detailed below were not credibly verified in the History Case the legal compliance of the website's cookie-related data management practices a necessity, in the matter of the legal basis and information to the stakeholders, so the Authority February 2022 On the 21st, the current data protection authority procedure was initiated ex officio by the Customer Regarding the data management of websites. The subject of the official data protection procedure is only that general data protection regulation becoming applicable (May 25, 2018) and the present 1 The NAIH_K01 form is used to initiate an administrative lawsuit: NAIH_K01 form (16.09.2019) The form is can be filled out using a general form filling program (ÁNYK program). 3 the period between the initiation of official data protection proceedings (February 21, 2022), however a when determining legal consequences, the Authority takes into account the duration of the procedure changes. 1.4. In the History Case, the Client received the Authority's inquiry on August 9, 2021, In his reply letter sent under NAIH-2905-6/2021, the following, from the point of view of the decision made relevant statements: (i) It is not controlled by any website operated by the Customer other than the "tenyek.hu" website transfer users to the "tv2play.hu" website. 
(ii) In response to the question of whether customization is possible apart from acceptance, tenyek.hu regarding cookies used on the website, the Customer replied that "tenyek.hu" website was renewed on December 16, 2020, which includes the entire IT, hardware and it also affected its software background, and development has been continuous ever since. The Customer is the examiner in connection with the procedure, he noticed that it was placed in the pop-up window on the "tenyek.hu" website link (button) does not direct to the right place, probably due to a technical error, which the Customer shall repair by September 30, 2021 at the latest. (iii) According to the table attached to the answer, the following types of cookies are available on the "tenyek.hu" website can be found: necessary (3 pcs), statistical (8 pcs), social (9 pcs), marketing (15 pcs). (iv) In all cases, the legal basis for cookies is the consent of the data subject. (v) Regarding the "tv2play.hu" website, there are two different consents framework at the same time, since the pop-up window belongs to the competence of atmedia Kft solution related to the advertising interface, the setting can be found in the blue bar at the bottom and the interface belongs to the management of the Customer. The blue bar is for cookies outside the advertising space provides information to users. The Customer works together with atmedia Kft on a unified solution, which he intends to implement by October 31, 2021. (vi) In relation to the fact that in the absence of acceptance in the blue bar below, it is not possible to use the website - i.e. there is no real possibility of opting out - the Customer that declared that cookies fundamentally influence the operation of the "tv2play.hu" website have been placed under this settings interface, without which the available information cannot be viewed contents available as part of a media service. 
(vii) In relation to the "tv2play.hu" website, cookies related to the advertising interface only atmedia Kft. can mark it, the Customer cannot send a list of it. This is currently 754 pcs means partner cookies. (viii) In connection with the "tv2play.hu" website, there are cookies with the following functions a in addition to cookies outside the advertising interface: google tag manager (not used by default cookies, only in preview and debug mode), google analytics (including a token contains which can retrieve the Client ID from the AMP Client ID service, distinguishes users), gemius (handling questionnaires), facebook (ad display and retargeting), youtube (stores a unique user ID, among other things), tiktok- embed (monitors user interaction with embedded content), instagram-embed, yusp (cookie storing userID and Client IP address for personalized recommendations, Yusp when using software, by turning off the cookie, the video recommendation is not unique to the user history, but based on general trends). (ix) On the "legitimate interest" tab in the pop-up window of the "tv2play.hu" website, the website necessary for its operation, as well as Article 6 (1) of the General Data Protection Regulation categories of cookies based on legitimate interest according to point f) can be viewed, with which it is possible to object. The name does not refer to the legal basis, but to a "category" 4 means, so here the term "legitimate interest" only serves to make it easier to understand, it does not answer and the term according to the General Data Protection Regulation. So the website does not manage cookies with the legal basis of legitimate interest, so no consideration of interests was made. (x) The general market practice with third parties listed under the "partners" tab according to the Customer does not have a written data processing contract. 
Customer's point of view according to Article 28 (3) of the General Data Protection Regulation "The data processor data processing carried out by the EU law or the law of the Member States was established based on such - that the subject, duration, nature and purpose of data processing, the type of personal data, the data subjects to a contract defining its categories and the obligations and rights of the data controller or must be regulated by another legal act that binds the data processor to the data controller against.", on the basis of which atmedia Kft., which operates the advertising platform, is only such uses partners whose general terms and conditions and data management policy complies with domestic and European Union data protection requirements. atmedia Kft. is the following provided a link with a list of vendors: https://iabeurope.eu/vendor- list-tcf-v2-0/ (xi) With regard to the advertising surfaces, everything on the interface that appears in the pop-up window partner's data management information is listed, as well as those outside the advertising interface separate information about cookies is available, which the Customer attached to the answer. (xii) At the email address "adatvedelem@tv2.hu" in the period preceding the History Case a This may have occurred due to a setup problem with Microsoft's cloud-based mail system. that the person concerned who sent the request to the above email address received an error message by mistake, however e-mails were received during this period as well, they were not lost. The Customer blames the Authority he averted it based on his signal, he had not received a signal about this before. 1.5. 
In the History Case, prepared by the Authority on December 6, 2021, from the Websites based on screenshots, the following facts can be established: (i) When you arrive at the "tenyek.hu" website, a pop-up window will appear on which "OK, continue" button, the settings can be accepted invisibly, while the other "data management information" button redirects to atv2play.hu" website. The following is displayed in the pop-up window of the "tenyek.hu" website text reads: “[Facts] logo The protection of your data is important to us We and our partners store information, such as cookies, on a device or we have access to the information stored on the device and personal data — for example, unique identifiers and basic information sent by the device — we handle it personally for providing tailored ads and content, advertising and content measurement, viewership to collect data and to develop products and improve products. With your permission, we and our partners obtain accurate data using the device scanning method we may also use geolocation data and identification information. To the right place by clicking you can consent to us and our partners processing data as described above let's finish Alternatively, before giving or refusing consent you can get more detailed information and change your settings. Please note, that certain processing of your personal data does not necessarily require you consent, but has the right to object to this type of data processing. Your settings only are valid for this website. 
By returning to this website or via our privacy policy, you can change your settings at any time."

(ii) After pressing the "data management information" button, the website redirects to the "tv2play.hu" website, where a new pop-up window for managing cookies appears, whose text - with the [TV2 Group] logo instead of the [Tények] logo - is identical in content to the text of the pop-up window on the "tenyek.hu" website detailed in subsection (i) above. At the bottom of this new pop-up window, next to the "ok, continue" button, which consents to everything unseen, there is a "more options" button.

(iii) If you click on the "more options" button, on the second level of the interface the text detailed in subsection (i) above remains visible in the upper part of the pop-up window, with "reject all" and "accept all" buttons below it; below this static part, in about one-eighth of the pop-up window, the information about the cookies can be read in a scrollable area, of which 2-4 lines on average are visible at a time. At the bottom, "partners", "legitimate interest" and "save and exit" buttons are available.
(iv) In the narrow scrollable area on the second level of the interface, consent can be given individually for the following data processing purposes:
- "Storing and/or accessing information stored on the device
- Selection of basic ads
- Create a personalized advertising profile
- Selecting personalized ads
- Create a personalized content profile
- Selecting personalized content
- Measuring ad performance
- Measuring the performance of your content
- Using market research to generate viewership data
- Product development and improvement"

(v) After clicking on the "legitimate interest" button on the second level of the interface, the third level of the interface offers an objection interface for the following purposes:
- "Choosing basic ads
- Create a personalized advertising profile
- Selecting personalized ads
- Create a personalized content profile
- Selecting personalized content
- Measuring ad performance
- Measuring the performance of your content
- Using market research to generate viewership data
- Product development and improvement"

(vi) When clicking on the purpose "Storing and/or accessing information stored on the device", the following description of the purpose appears: "Suppliers can store and access information stored on the device, such as cookies and device identifiers presented to the user."

(vii) After clicking on "Select basic ads" on the second level of the interface, the following description of the purpose is displayed: "In order to select basic ads, suppliers can use real-time information about the environment in which the ad will appear in order to present the ad, including content and device information such as device type and capabilities, user agent, URL and IP address. They can use the user's non-precise geolocation data. They can control the frequency of ads displayed to users. They can determine the sequence in which ads are displayed.
They can block the display of an ad if it would appear in an inappropriate editorial environment (inappropriate from the point of view of brand safety). Suppliers cannot create personalized advertising profiles using this information for the selection of future ads without a separate legal basis for creating personalized advertising profiles. Note: The term non-precise means only an approximate location, covering a circle with a radius of at least 500 meters."

(viii) After setting the cookies in the pop-up window and clicking on the "save and exit" button, regardless of any objection made there, the following text appears in a pop-up bar at the bottom of the "tv2play.hu" website (the "click here" part is a link to the Customer's information notice): "We inform you that the TV2 Play service uses advertising and analytical cookies. For more information, please click here. By pressing the "accept" or "reject" button, you accept or reject the use of all advertising and analytical cookies."

(ix) After clicking the "decline" button in the pop-up bar, the text below can be read, after which there is only an "I accept" button (the "you can find it here" part is a link to the Customer's information notice): "Attention! If you do not accept the cookies necessary for the operation of the site, you will not be able to access our latest videos and shows. You can find detailed information about cookies here."

(x) Whatever the settings, even in the event of an objection, the Websites create cookies on the user's computer that store a unique identifier for years; these also include Google Ads and Google Analytics cookies.

1.6. Based on the information revealed in the History Case, a direct risk of violation of several articles of the General Data Protection Regulation arose in connection with the data processing under investigation, which justified the Authority's ex officio procedure and action by official means.
The data protection issues raised concern the Customer's general data processing practice and cannot be linked to a specific data subject. In view of the above, the Authority, pursuant to Section 55 (1) point a) b) of the Infotv., closed the History Case and ex officio initiated this data protection official procedure against the Customer in the subject of data processing related to the Questionnaire.

I.2. This data protection official procedure

2.1. In this data protection official procedure, the Customer, at the Authority's request and after the extension of the response deadline authorized by the Authority, made the following statements relevant to the decision in its reply letter received on March 28, 2022, sent under NAIH-3195-4/2022:

(i) The development of the advertising interface on the Websites is still in progress; legal and technical negotiations with atmedia Kft. have been ongoing since July 2021 in order to resolve the existing situation in accordance with the General Data Protection Regulation and the available technical conditions.

(ii) The Customer, in cooperation with atmedia Kft., taking into account the state of science and technology and the implementation costs, as well as the nature, scope, circumstances and purposes of the data processing and the varying probability and severity of the risk to the rights and freedoms of natural persons, will do its best to eliminate the existing situation. The Customer requested that it be taken into account that information about the data processing had been provided, that only the data controllers had not agreed on the design of the communication interface and the misunderstanding arose from this, and that the data processing affects a narrow category of personal data. In the Customer's view, the data subjects did not suffer any damage; only the duplication of information could have caused misunderstandings.
After the initiation of this official procedure, the Customer immediately started negotiations with atmedia Kft. for a solution. The Customer has not previously been subject to a data protection fine by the Authority, and the Customer always cooperates with the Authority.

2.2. On June 2, 2022, the Authority again recorded screenshots of the Websites, on the basis of which the following facts can be established; these do not affect the data processing of the examined period and are relevant only in terms of future legal consequences:

(i) The basic operating principles of the "tv2play.hu" website (buttons, significant overlap of consent and legitimate interest purposes, a further lower settings bar after the first settings interface, which offers no possibility of rejection) have not changed in substance and are essentially the same as the previous state of December 6, 2021.

(ii) The "tenyek.hu" website no longer redirects to the "tv2play.hu" website; instead, the "data management information" button has been replaced by a "more options" button, which, with regard to the "legitimate interest" purposes found on the third level that can be objected to and the purposes found on the second level for which consent can be given, is identical in its basic content to the previous state of the "tv2play.hu" website on December 6, 2021, but no pop-up bar follows the pop-up window.

2.3. In this data protection official procedure, at the request of the Authority, the Customer made the following statements relevant to the decision in its reply letter received on June 24, 2022, sent under the number NAIH-3195-7/2022:

(i) The Customer maintains a separate mailbox for data subject requests at "adatvedelem@tv2.hu". An employee forwards incoming mail to the appropriate organizational unit based on its subject.
(ii) The Customer currently has no adopted internal regulations on the procedure for processing incoming data subject requests.

(iii) According to the record attached to the reply, 54 letters were received and dealt with at the Customer's email address under subparagraph (i) above during the period investigated by this data protection official procedure (from May 25, 2018 to February 21, 2022).

2.4. On the basis of Section 76 of Act CL of 2016 on the General Administrative Procedure (hereinafter: Ákr.), the Authority provided the Customer with the opportunity to access the documents of the procedure, which the Customer took advantage of on July 14, 2022. In accordance with its order no. NAIH-3195-6/2022, the Authority gave the Customer 15 days thereafter to make an additional statement or motion for evidence; however, the Customer has not done so to date.

2.5. Based on the Customer's 2021 financial report available from the public database https://e-beszamolo.im.gov.hu/oldal/kezdolap, the Customer's net sales in 2021 were HUF 48,934,915,000.

2.6. Based on screenshots taken on June 7, 2022 of the traffic information available on the traffic analysis site similarweb.com, it can be established that the number of visits to the tv2play.hu and tenyek.hu websites in the last 3 months ranged from 1.6 million to 2.4 million.

II. Legal provisions applicable in the case

According to Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

On the basis of Article 4, point 1 of the General Data Protection Regulation, "personal data" means any information relating to an identified or identifiable natural person ("data subject"), including an online identifier.
According to Article 4, point 2 of the General Data Protection Regulation, "data processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Based on Article 4, point 4 of the General Data Protection Regulation, "profiling" means any form of automated processing of personal data in which personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pursuant to Article 4, point 7 of the General Data Protection Regulation, "data controller" means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of the data processing are determined by EU or Member State law, the data controller or the specific criteria for the appointment of the data controller may also be determined by EU or Member State law.

Pursuant to Article 4, point 11 of the General Data Protection Regulation, "the consent of the data subject" means a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
According to Article 5 (1) point a) of the General Data Protection Regulation, personal data must be processed lawfully, fairly and in a manner transparent to the data subject ("lawfulness, fairness and transparency").

According to Article 5 (1) point b) of the General Data Protection Regulation, personal data should only be collected for specified, explicit and legitimate purposes and should not be processed in a manner incompatible with those purposes; in accordance with Article 89 (1), further processing for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the original purpose ("purpose limitation").

Based on Article 5 (2) of the General Data Protection Regulation, the data controller is responsible for compliance with paragraph (1) and must also be able to demonstrate this compliance ("accountability").

According to Article 6 (1) point a) of the General Data Protection Regulation, the processing of personal data may be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Based on Article 12 (1) of the General Data Protection Regulation, the data controller takes appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and every communication under Articles 15-22 and Article 34 relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed to children.
Based on Article 13 (1) and (2) of the General Data Protection Regulation, if the personal data were obtained from the data subject, the data controller makes the following information available to the data subject:
a) the identity and contact details of the data controller and, if any, of the data controller's representative;
b) the contact details of the data protection officer, if any;
c) the purpose of the planned processing of personal data and the legal basis of the data processing;
d) in the case of data processing based on point f) of Article 6 (1) of the General Data Protection Regulation, the legitimate interests of the data controller or a third party;
e) where applicable, the recipients of the personal data or the categories of recipients, if any;
f) where applicable, the fact that the data controller intends to transfer the personal data to a third country or international organization, and the existence or absence of an adequacy decision by the Commission, or, in the case of data transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the General Data Protection Regulation, the designation of the appropriate and suitable safeguards, as well as the means of obtaining a copy of them
or a reference to where they are available;
g) the duration of storage of the personal data or, if this is not possible, the criteria for determining that duration;
h) the data subject's right to request from the data controller access to the personal data relating to him or her, their rectification, erasure or restriction of processing, and to object to the processing of such personal data, as well as the data subject's right to data portability;
i) in the case of data processing based on point a) of Article 6 (1) or point a) of Article 9 (2) of the General Data Protection Regulation, the right to withdraw consent at any time, which does not affect the lawfulness of data processing carried out on the basis of consent before the withdrawal;
j) the right to lodge a complaint with the supervisory authority;
k) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for concluding a contract, whether the data subject is obliged to provide the personal data, and what possible consequences a failure to provide the data may have;
l) the fact of automated decision-making referred to in Article 22 (1) and (4) of the General Data Protection Regulation, including profiling, and, at least in these cases, understandable information on the logic applied and on the significance of such data processing and its expected consequences for the data subject.

Based on Article 13 (4) of the General Data Protection Regulation, Article 13 (1)-(3) does not have to be applied if and to the extent that the data subject already has the information.

Based on Article 26 (3) of the General Data Protection Regulation, regardless of the terms of the agreement referred to in paragraph (1), the data subject may exercise his or her rights under this Regulation in relation to and against each data controller.

According to Section 2 (2) of the Infotv., for data processing under the scope of the General Data Protection Regulation, the General Data Protection Regulation must be applied with the additions contained in the provisions indicated there.

Based on Section 60 (1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority initiates a data protection official procedure at the request of the data subject and may initiate a data protection official procedure ex officio.

According to Section 61 (1) point a) of the Infotv., in its decision made in the data protection official procedure, the Authority may apply the legal consequences defined in the General Data Protection Regulation in connection with the data processing operations defined in Section 2 (2) of the Infotv.

Pursuant to Section 71 (2) of the Infotv., the Authority may use documents, data or other means of proof lawfully acquired during its procedures in its other procedures.

Based on Section 75/A of the Infotv., the Authority exercises its powers under Article 83 (2)-(6) of the General Data Protection Regulation in accordance with the principle of proportionality, in particular by acting primarily with a warning to the data controller or data processor, in accordance with Article 58 of the General Data Protection Regulation, in order to remedy the violation in the case of a first violation of the rules on the processing of personal data defined in legislation or in a mandatory legal act of the European Union.

Based on Article 58 (2) point d) of the General Data Protection Regulation, the Authority orders the data controller or the data processor to bring its data processing operations into line with the provisions of this Regulation, where applicable in a specified manner and within a specified period of time.

On the basis of Article 58 (2) point i) of the General Data Protection Regulation, the Authority imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, in addition to or instead of the measures mentioned in this paragraph.

Based on Article 83 (1) of the General Data Protection Regulation, every supervisory authority ensures that the administrative fines imposed on the basis of this Article for the violations of this Regulation mentioned in paragraphs (4), (5) and (6) are effective, proportionate and dissuasive in each case.

According to Article 83 (2) of the General Data Protection Regulation, administrative fines must be imposed, depending on the circumstances of the given case, in addition to or instead of the measures mentioned in points a)-h) and j) of Article 58 (2) of the General Data Protection Regulation. When deciding whether it is necessary to impose an administrative fine, and when determining the amount of the administrative fine, the following should be taken into account in each case:
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected by the infringement and the extent of the damage they suffered;
b) the intentional or negligent nature of the infringement;
c) any measures taken by the data controller or data processor to mitigate the damage suffered by data subjects;
d) the extent of the responsibility of the data controller or data processor, taking into account the technical and organizational measures;
e) relevant violations previously committed by the data controller or data processor;
f) the extent of cooperation with the supervisory authority to remedy the violation and mitigate its possible negative effects;
g) the categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the violation, in particular whether the
data controller or the data processor has reported the breach, and if so, in what detail;
i) if one of the measures referred to in Article 58 (2) of the General Data Protection Regulation was previously ordered against the relevant data controller or data processor in the same subject matter, compliance with the measures in question;
j) whether the data controller or the data processor has adhered to approved codes of conduct under Article 40 of the General Data Protection Regulation or to approved certification mechanisms under Article 42 of the General Data Protection Regulation; as well as
k) other aggravating or mitigating factors relevant to the circumstances of the case, for example financial gain obtained or loss avoided as a direct or indirect consequence of the infringement.

In the absence of a different provision of the General Data Protection Regulation, the provisions of the Ákr. shall be applied to the data protection official procedure with the deviations specified in the Infotv.

III. Decision

III.1. The person of the data controller

1.1. The Customer - among other things, based on what is written in points I.1.4.(i)-(ii) above - uses the Websites to distribute its own media content, exclusively in its own business interest. No third party has the right to decide whether the Customer distributes its media content through the Websites or stops doing so, whether advertisements should be displayed alongside it, and through which service provider.

1.2. The Customer operates the Websites on the basis of its own decision and business interest, and their conditions - for example, with which partner it contracts to run advertisements - are defined by the Customer.

1.3.
In the case of all data processing examined in connection with the Websites, the purposes and means of the data processing were determined by the Customer, or the Customer made it possible for third parties to place content on the Websites; thus, based on Article 4, point 7 of the General Data Protection Regulation, the Customer is considered a data controller. The basic structure and operation of the Websites, and the compliance of the information and consent framework found on them, depend on the active conduct of the Customer; a third party cannot modify the Websites against the Customer's will. For this reason, responsibility for the investigated data processing - informing the data subjects and obtaining their consent - lies, based on all the circumstances of the case, with the Customer, regardless of from whom it obtained the individual modules of the Websites or whether the data is forwarded to third parties. No third party is in direct contact with the data subjects, so primarily the party that can have a direct and final influence on the information and consent framework can be responsible for its lawful compliance. This does not affect the mutual settlement between the various data controllers and data processors, and internal agreements do not alter the responsibility towards the data subjects, based on Article 26 (3) of the General Data Protection Regulation. This interpretation is also reinforced by, among other things, paragraph 102 of judgment C-40/17 of the Court of Justice of the European Union: "With regard to the consent referred to in Article 2(h) and Article 7(a) of Directive 95/46, it appears that such consent must be given prior to the collection and disclosure of the data subject's data.
In such circumstances, it is for the operator of the website, rather than for the provider of the social plugin, to obtain that consent, since it is the fact that the visitor consults that website that triggers the processing of the personal data. As the Advocate General noted in point 132 of his Opinion, it would not be in line with efficient and timely protection of the data subject's rights if the consent were given only to the joint controller that is involved later, namely the provider of that plugin."

III.2. Description of data processing

2.1. According to the state of the Websites recorded with screenshots by the Authority on December 6, 2021 in the History Case, and according to the facts detailed in point I, the Customer publishes media content on the Websites and uses cookies in connection with its display; the personal data contained in the cookies are used for statistical and ad display purposes and, on the basis of the purposes "Create a personalized advertising profile", "Selecting personalized ads", "Create a personalized content profile" and "Selecting personalized content" according to points I.1.5.(iv)-(v) above, also for profiling within the meaning of Article 4, point 4 of the General Data Protection Regulation, that is, for automated adaptation to personal preferences.

2.2. Based on what is described in point I.1.5.(i) above, the examined cookies assign unique identifiers to a specific person, which, at least as pseudonymous data, definitely qualify as personal data, since their purpose is to identify a specific active user who is a natural person.

2.3. Based on the revealed facts, the "tenyek.hu" website mostly contains news, while the "tv2play.hu" website focuses on audiovisual media content.

[2] https://curia.europa.eu/juris/document/document.jsf?text=&docid=216555&doclang=HU

2.4.
The Websites may display advertisements during browsing, which, depending on the choices according to points I.1.5.(iv)-(v) above, may be personalized or general, and the recommended content on the Websites can also be adapted to individual browsing history; furthermore, the use of the Websites is measured using unique identification data stored in cookies. Some cookies contain session tokens to prevent online attacks, which make communication between the user's device and the Customer's servers more secure, in which case a unique identifier is necessarily used.

2.5. On the basis of the information detailed in point I.1.5 above, personal data - for example, which content the data subject viewed, which ads he or she viewed and which ads he or she clicked on - are also used to personalize content, both with regard to the Websites and with regard to third-party partners.

2.6. In the examined period (from May 25, 2018 to February 21, 2022), the Websites had the content recorded on December 6, 2021, so the Authority used this as the basis for assessing lawfulness in the present case. The Customer made no statement to the contrary during the procedure and did not indicate any other state for the examined period. Later changes are taken into account by the Authority in determining the legal consequences for the future; they do not affect the lawfulness of the examined period.

III.3. The information in the examined period

3.1. According to Article 12 (1) of the General Data Protection Regulation, it is the duty of the Customer, as the data controller responsible for the data processing, to take appropriate measures to provide the data subjects with all the information mentioned in Articles 13 and 14 and every communication according to Articles 15-22 and Article 34 relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and comprehensible way.

3.2.
The system of appropriate information in the General Data Protection Regulation serves to ensure that the data subject is aware of which personal data is processed by which data controller, for which purpose and how. This is essential for the data subject to be in a position to meaningfully exercise his or her data subject rights.

3.3. In the case of data processing based on point a) of Article 6 (1) of the General Data Protection Regulation, it follows from Article 4, point 11 of the General Data Protection Regulation that the data controller is obliged to provide the information on the basis of which informed consent can be given not only before the start of the data processing, but before obtaining consent.

3.4. In relation to the legal basis of data subject consent according to the General Data Protection Regulation, it is important to emphasize that it does not serve as a general authorization for the data controller, independent of other legal conditions, to process any personal data at any time, for any reason and without limits. Data subject consent to data processing can only be valid if it is requested for specific purpose(s) - which can be given separately per purpose - and adequate information is provided beforehand which puts the data subject in a position to make an appropriate decision about giving consent, and if it complies with all other validity requirements prescribed in the General Data Protection Regulation. According to Article 12 (1) of the General Data Protection Regulation, the data controller must assist the data subject in such a way that the data subject can exercise all relevant rights in an informed manner.

3.5. As explained above, the obligation to provide information in the General Data Protection Regulation is not a mere "paperwork" obligation [3].
In line with what is contained in the preamble, all the articles of the General Data Protection Regulation require the achievement of results when determining the obligations of a data controller, not merely proof of a specified minimum effort on the part of the data controller. The aim of the information is to put the data subject in a position to make the right decision regarding the exercise of his or her data subject rights.

3.6. In relation to the Websites, the Customer indicated only the legal basis of consent for all browsing-related data processing, regardless of the fact that, as written in point I.1.5.(ix) above, the Websites cannot actually function without some technical cookies, and some cookies with unique identifiers are definitely used regardless of consent. Expecting the data subject to read the data processing information of the 754 partners concerned and to withdraw the consent given for these third-party partners one by one is, in the opinion of the Authority, not a transparent and fair condition. That this practice may be widely used by other data controllers does not make it lawful. In relation to the vendor partner list referred to in point I.1.4.(x) above, the Customer indicated the use of the IAB Europe framework. In connection with data processing by IAB Europe, the Belgian data protection authority stated that it violates the General Data Protection Regulation, among other things due to lack of transparency and information; the legal interpretation of this decision also applies mutatis mutandis in this case. This fact also supports that the argument put forward by the Customer - that it uses a solution common in the industry - does not in itself affect the findings of this procedure and is not proof of compliance with the General Data Protection Regulation.

3.7.
In relation to the Websites, it can be established that the extremely long informative text related to data management was available in an unreasonably small area of the screen, with only a few lines legible at once. The long text can be called neither concise nor clear. "Accept all" is possible at the first level without information that can be called meaningful, while "reject all" is only available at the second level. The term "legitimate interest" used by the Customer can clearly be matched to the concept according to the General Data Protection Regulation, so it was either used completely incorrectly by the Customer, and because of this the information was misleading, or it was used correctly, but without any information and without consideration of interests. In both cases, indicating essentially the same goals on both the consent and the legitimate interest interface is unfair and opaque, as it gives data subjects the impression that the same data management is possible even without their consent, in the absence of another objection, now marked on the interface located on the third level. If the data processing according to the purposes placed on the "legitimate interest" interface does not take place in the absence of consent, then the information and the interface are misleading for that reason; if it does take place, then they are misleading for that reason.

3.8. "Storing and/or accessing information stored on the device" is the only purpose that can be found only on the interface for giving or refusing consent and not on the legitimate interest interface, even though it is precisely this purpose without which the cookies necessary for operation cannot be placed and the Websites would not work, so the legal basis of consent is not appropriate for it, since the operation of the Websites means that writing, hosting and reading are done independently of consent, and this cannot be denied or revoked.
Because of this, although for different reasons, unfair and non-transparent information also exists in relation to this goal.

[3] it should be fair. For natural persons, it must be transparent how personal data concerning them is collected and used, how it is viewed or in what other way it is handled, as well as the extent to which personal data is or will be processed. [...]"

[4] https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-21-2022-english.pdf

3.9. The itemized and accurate identification of the personal data and cookies necessary for operation and the definition of their purpose are completely absent from the information, legitimate interest was not indicated as their legal basis, and in the present procedure the Customer did not support it with a consideration of interests even at the Authority's request. In the absence of this, the information is necessarily incomplete and misleading; it is long and difficult to read, yet poor in useful information. Among other things, it does not show specifically which data is managed in cookies for which functions, why this is specifically essential for technical operation, and whether this data is used for other purposes.

3.10. In all cases, revocability as easy as giving consent is also lacking: the framework used on the Websites does not provide an easily available option for this, either for personal data directly managed by the Customer or for personal data transmitted to third parties. This deficiency also applies to the information, which likewise does not indicate in an easily accessible way how consent can be withdrawn.

3.11. The Customer could not indicate any reasonable reason why there are two parallel consent management systems in relation to the "tv2play.hu" website, to which the "tenyek.hu" website was also redirected during the examined period.
That, being the owner of the Websites, it did not properly coordinate with the advertising organizer contracted with it, and that therefore for two years consent to the cookies used by the Websites was also requested in different ways, cannot be accepted as an excuse. As explained earlier, achieving the right result is the Customer's responsibility as data controller. The violation is intentional if the Customer knows, or reasonably needs to know, about it with regard to its own online content, and over the years does not take any meaningful steps toward a quick solution.

3.12. Due to the above, it can be established that during the period under review, the information provided by the Customer on the Websites about the management of personal data violated the principle of fair and transparent data management, Article 12 (1) and Article 13.

III.4. The legality of the data management of the Websites during the examined period

4.1. In the absence of adequate information, data management based on consent is, as a general rule, illegal in itself. This is also supported by paragraph 62 of Guidelines 5/2020 of the European Data Protection Board (hereinafter: 5/2020 Guidelines). Accordingly, if the data controller does not provide accessible information, the user's control over the data becomes merely apparent and consent becomes an invalid basis for data management. The basic requirement of easy accessibility is also confirmed by paragraphs 66 and 67 of the 5/2020 Guidelines. Paragraph 63 of the 5/2020 Guidelines also emphasizes that the consequence of not complying with the requirements for informed consent is that the consent will be invalid and the data controller may violate Article 6 of the General Data Protection Regulation. Pursuant to paragraph 69 of the 5/2020 Guidelines, in the case of information provided electronically, multi-level information can typically be used; however, it must be accurate, comprehensive and understandable.
Multi-level information should help, not hinder, access to basic information.

[5] Guideline No. 5/2020 of the European Data Protection Board on consent pursuant to Regulation (EU) 2016/679: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

4.2. Based on paragraph 64 of the 5/2020 Guidelines, in order for the consent to be informed, the data subject must be informed about certain key elements. That is why the European Data Protection Board believes that valid consent requires at least the following information:

(i) the identity of the data controller - this was not fulfilled in this case: "we and our partners" is not specific enough, even apart from the 754 partners, and even the identity of the Customer is not clearly marked on the settings interface available in the pop-up window;

(ii) the purpose of each data processing operation for which consent is sought - this was not fulfilled properly: in the framework used by the Websites, the inclusion of goals at two different levels, in two different contexts, with essentially the same content (or content that data subjects can easily assume to be the same at first glance) calls into question compliance with the purpose limitation principle at the system level; furthermore, in addition to this systemic problem, the definition of certain goals, such as "Storing and/or accessing information stored on a device", is too broad both in itself and on the basis of the more detailed description, and can formally enable data management which obviously cannot be the purpose of the data subject in general (e.g. accessing photos and documents stored on the device);

(iii) what type of data will be collected and used - this was not fulfilled properly: it is not clear and obvious to an average data subject exactly which data will be used for what under the individual purposes for which consent is requested;

(iv) the existence of the right to withdraw consent - this was not fulfilled: the large amount of text contains no adequately clear information from which it can be known how consent can be revoked, and with regard to operation this is not even possible;

(v) where applicable, information on the use of the data for automated decision-making in accordance with point c) of Article 22 (2) - this is relevant in the present case due to the recommendation system and personalized advertisements, and was not fulfilled: there is no specific information on how browsing both on and off the Websites will be affected by automatic profiling and targeting, only meaningless general statements;

(vi) the possible risks of data transmissions arising from the lack of a compliance decision and of the adequate guarantees described in Article 46 - in this case, this presumably exists because of the 754 partners, but no information is known, and neither the Client nor the Authority was in a position to provide information about the partners or their types.

4.3. At the end of the above list, the European Data Protection Board specifically indicates that, based on Article 13 of the General Data Protection Regulation, this is only a minimum requirement, and in addition it is necessary to provide all information that may be important for a typical data subject's decision.

4.4. It is important to choose the right legal basis and fulfill its conditions.
In the present case, due to the information problems and the revocability problem explained above, consent was not valid for any purpose, and for some purposes, which are necessary for the actual technical operation of the Websites, the use of consent is conceptually excluded. Based on paragraphs 17-21 of Guidelines 2/2019 of the European Data Protection Board (hereinafter: 2/2019 Guidelines), it may be necessary to consider which legal basis according to Article 6 (1) of the General Data Protection Regulation is the appropriate one for a given online data management; it may not always be consent.

4.5. In the absence of a specific definition of the scope of data and of a consideration of interests, which is missing in this case, it cannot be decided whether the processing of the data held to be necessary for operation is lawful on the basis of legitimate interest or contract fulfillment. It is not the task and responsibility of the data subject or the Authority to identify, describe and justify the specific data management, its purpose and legal basis instead of the data controller. The Customer must specifically, broken down by data and goals, clearly justify, consider and establish guarantees for what purpose and with what legal basis (in the case of legitimate interest, for which specific legitimate interest) it wishes to process which personal data through the Websites. These guarantees must ensure, among other things, that the data subject is aware of this data management and can object to it even before the data management, because after the data processing, especially in the case of short-term or one-time data processing or after forwarding to 754 partners, the right to object is already exhausted, so in fact this right is not guaranteed to the data subject.

4.6. Due to the above, it can be established that during the period under review, the Customer's data management on the Websites violated the principle of purpose limitation according to Article 5 (1) point b) of the General Data Protection Regulation and Article 6 (1).

IV. Legal consequences

1. Pursuant to Article 58 (2) point i) and Article 83 (2) of the General Data Protection Regulation, the Authority may impose a data protection fine instead of or in addition to the other measures. There is no doubt that in case of violation of the General Data Protection Regulation, it is necessary to oblige the data controller, based on Article 58 (2) point d) of the General Data Protection Regulation, to bring data management into line with the General Data Protection Regulation, i.e. data management should be limited to the necessary personal data, with adequate information and legal grounds. Given that an online consent framework is in question, and the Client has already indicated several times during the procedure that it has been working on a solution for a long time, the 30-day deadline for changes should be sufficient. Based on the facts recorded in point I.2.2 above, it can be determined that the operation of the Websites still does not satisfy data protection requirements. When applying legal consequences, the Authority takes into account the fact that the Client has been given significant time, both in the Background Case and in the present procedure, to modify the data management of the Websites; however, no significant changes have taken place regarding the fundamental problems. The General Data Protection Regulation does not require the data controller to negotiate legal compliance with each data processor for months or years, but to ensure compliance. Due to the Customer's organizational size and annual income, the experienced slowness of the amendment is unacceptable, hence the fine is required.
In accordance with the governing judicial practice, in such cases the Authority presents in the justification of the decision those of the fining aspects listed in Article 83 (2) of the General Data Protection Regulation that were taken into account on the merits.

2. On the question of whether the imposition of a data protection fine is justified, the Authority made a decision based on statutory discretion, taking into account Infotv. Section 61 (1) point a), Infotv. § 75/A, and Article 83 (2) and Article 58 (2) of the General Data Protection Regulation, based on which the conviction in itself would not be a proportionate and dissuasive sanction, therefore a fine must be imposed. In this case, based on the totality of the fining circumstances detailed below, the protection of personal data, which is the Authority's task, cannot be achieved without imposing a data protection fine. The imposition of the fine serves both special and general prevention, for which purpose the decision should also be published on the website of the Authority.

[6] Guidelines 2/2019 of the European Data Protection Board on the processing of personal data under Article 6(1)(b) of the General Data Protection Regulation in the context of online services provided to data subjects: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_hu.pdf

3. Regarding the necessity and amount of the fine, the Authority took into account that the Customer's net sales revenue in 2021 was HUF 48,934,915,000.

4. When determining the amount of the data protection fine, the Authority took into account the following as mitigating circumstances:

(i) The Authority has not previously established a data protection violation against the Client.
(General Data Protection Regulation Article 83 (2) point e)

(ii) The Authority has not previously published a fining decision on a similar topic on its website, and in the legal environment, due to the delay in the adoption of the new ePrivacy rules, applying the existing rules in accordance with the General Data Protection Regulation imposes more tasks on data controllers. (General Data Protection Regulation Article 83 (2) point k)

5. When determining the amount of the data protection fine, the Authority took into account the following as aggravating circumstances:

(i) The infringement concerned the data of millions of data subjects over the years. (General Data Protection Regulation Article 83 (2) point a)

(ii) The infringement relates to data management of personal data that is not precisely defined and is difficult for data subjects to understand, including data transmission to hundreds of data controllers for the purpose of profiling, so the violation is considered serious. (General Data Protection Regulation Article 83 (2) point a)

(iii) As explained in point III.3.11. above, the violation was intentional, for profit through data sharing and advertisements. (General Data Protection Regulation Article 83 (2) point b)

(iv) During the procedure the Client cooperated with the Authority only within the procedure, with the aim of answering; however, the results of the cooperation were only promises to achieve the compliance of the Websites and to cancel the double requests for consent, which the Customer did not fulfill in practice for a long time. (General Data Protection Regulation Article 83 (2) point f)

A. Other questions

1. Infotv.
According to § 38, paragraph (2), the Authority is responsible for the control and promotion of the validity of the protection of personal data and of the right to access data of public interest and data public in the public interest, as well as for facilitating the free flow of personal data within the European Union. According to Infotv. Section 38 (2a), the tasks and powers established for the supervisory authority in the General Data Protection Regulation are exercised, with regard to legal entities under the jurisdiction of Hungary, by the Authority as defined in the General Data Protection Regulation and this law. The Authority's jurisdiction covers the entire territory of Hungary.

7 see: https://www.naih.hu/dontesek-adatvedelem-tajekoztatok-koezlemenyek?download=71:tajekoztato-kozlemeny-a- in relation to the protection of personal data burden-declaration-obligations-fulfil

2. Based on Art. § 112, subsections (1) and (2), § 114, subsection (1) and § 116, subsection (1), the decision can be appealed through an administrative lawsuit.

* * *

3. The rules of the administrative procedure are defined in Act I of 2017 on the Administrative Procedure (hereinafter: Kp.). Based on Kp. § 12, paragraph (1), the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court; based on Kp. Section 13, paragraph (3), point a), subpoint aa), the Metropolitan Court is exclusively competent for the lawsuit. According to Kp. Section 27, paragraph (1), legal representation is mandatory in administrative proceedings before the tribunal. According to Kp. § 39, paragraph (6), the submission of a claim does not have the effect of postponing the entry into force of the administrative act.

4. According to Kp. Section 29, paragraph (1) and, in view of this, § 9 (1) point b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services, applicable according to § 604 of Act CXXX of 2016 on the Code of Civil Procedure, the client's legal representative is obliged to maintain electronic contact. The time and place of the submission of the statement of claim are defined by Kp. § 39, paragraph (1). The information about the possibility of requesting a hearing is based on Kp. § 77, paragraphs (1)-(2).

5. The amount of the fee for the administrative lawsuit is defined by § 45/A (1) of Act XCIII of 1990 on fees (hereinafter: Itv.). Itv. § 59, paragraph (1) and § 62 (1) point h) exempt the party initiating the procedure from the advance payment of the fee.

6. If the Customer does not adequately certify the fulfillment of the prescribed obligations, the Authority considers that the obligations have not been fulfilled within the deadline. According to Akr. § 132, if the Customer does not comply with the obligation contained in the Authority's final decision, it can be executed. According to Art. § 82, paragraph (1), the Authority's decision becomes permanent with its communication. Pursuant to Akr. § 133, enforcement is ordered by the decision-making authority, unless a law or government decree provides otherwise. Pursuant to Akr. § 134, the execution is undertaken by the state tax authority, unless a law, government decree or, in a municipal authority matter, a local government decree provides otherwise. Based on Infotv. § 61, paragraph (7), the Authority undertakes the implementation of the decision with regard to the obligation contained in the Authority's decision to carry out a specific act, to perform a specific behavior, to tolerate or to stop.

Dated: Budapest, according to the electronic signature

Dr. Attila Péterfalvi
president
c. professor