NAIH (Hungary) - NAIH-3195-11/2022: Difference between revisions

From GDPRhub
m No edit summary
m (→‎Holding: Removed duplication of the word "data" from the underlined sentence confirming that TV2 was the controller.)
 
(7 intermediate revisions by 2 users not shown)
Line 25: Line 25:
|Date_Published=01.02.2023
|Date_Published=01.02.2023
|Year=2023
|Year=2023
|Fine=10000000
|Fine=10,000,000
|Currency=HUF
|Currency=HUF
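
Review bot: the Fine value on the changed line goes from a bare integer (10000000) to a comma-grouped string (10,000,000), while the neighbouring Year and Date_Published parameters stay in plain machine-readable form. If the infobox template, or any listing that sorts or sums fines, reads this parameter as a number, the separators will break it. Keep |Fine=10000000 and apply the grouping at display time, or confirm that the template treats the field as free text.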


Line 71: Line 71:
}}
}}


The Hungarian DPA fined a media provider 10,000,000 HUF (approx. €25,650) for failing to properly inform data subjects about processing on its websites and for using unclearly worded cookie policies being opaque on consent and legal bases.
The Hungarian DPA fined a media provider 10,000,000 HUF (approx. €25,650) for, among other things, failing to properly inform data subjects about the processing on its websites and for confusingly using the term "legitimate interest" without referring to its meaning under the GDPR.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The TV2 Media Group Ltd. is one of Hungary's largest content providers, operator of several TV channels and online streaming services. Its websites tv2play.hu and tenyek.hu, which are the subject of the present proceedings, had between 1.6 million and 2.4 million visits in the months during the investigation, and had a net revenue of HUF 49,000,000,000 (approx. €127,000,000) in 2021. The tenyek.hu website, based on the facts found, contains predominantly news content, while the tv2play.hu website focuses on audiovisual media content.
The TV2 Media Group Ltd., the controller, is one of Hungary's largest content providers. It operates several TV channels and online streaming services and has two websites tv2play.hu and tenyek.hu. "Tenyek.hu" contains predominantly news content, while "tv2play.hu" focuses on various audiovisual media content. In 2021, they had between 1.6 million and 2.4 million monthly visitors and a net revenue of 49,000,000,000 HUF (approx. €127,000,000).  


The subject matter of the present proceedings is that the controller did not provide adequate information to data subjects regarding the processing of personal data processed through the websites and that the consent management framework on the websites did not collect the consent of data subjects in a transparent and clear manner.
Based on a "public interest notification" the Hungarian DPA started an ''ex officio'' investigation into the data processing of the websites. There was a concern that the controller did not provide data subjects with adequate information about the processing and that the consent management platform (CMP) on the websites did not collect the consent of data subjects in a transparent and clear manner.


In a previous case (NAIH-2905/2021), the DPA investigated whether the cookie-related data management of websites operated by the controller complied with the provisions of the GDPR. The controller's responses in the previous case, detailed below, did not provide credible evidence of the legal compliance of the websites' cookie-related processing practices with regard to necessity, legal basis and information to data subjects, and the DPA therefore initiated ex officio proceedings on 21 February 2022 in relation to the data processing of the websites operated by the controller.
The investigation revealed a number of potential data protection deficits.


=== Holding ===
The CMP of the controller offered data subject's with the possibility to give consent to cookies by clicking an "OK, continue" button. However, the only alternative was a "more options" button which redirected to a second level of the CMP with more information and more detailed consent options. On this second level of the CMP, users were provided with two tabs for different categories of processing. On one tab, the user was able to give "consent" to different processing purposes. The other tab was titled "legitimate interest" and allowed the data subjects to object to data processing. Confusingly, the processes listed in both tabs was almost completely identical. They included purposes such as "selection of basic ads", "Measuring ad performance", and "creating a personalized advertising profile". The processing purposes ""storing and/or accessing information stored on the device"" was only listed under the consent tab.
The DPA decided that the controller's conduct was in breach of the GDPR.


''First'', the DPA concluded that the controller is ultimately responsible for the processing of data.
Regarding the meaning of "legitimate interest" the controller explained that, the way in which it is used on the website, the term would not relate to the legal basis under the GDPR but was meant as a "category". Consequently, the controller also had made no interest assessment.


The controller uses the websites to distribute its own media content, solely for its own business interests. No third party has the right to decide whether the controller should distribute its media content through the websites or whether the controller should cease to do so, and whether and through which service provider advertising should be displayed. The controller operates the websites at its own discretion and in its commercial interest, the terms of which – such as the partner with which it contracts to carry out advertising – are determined by the controller.
Lastly, it was unclear to the DPA how consent could be withdrawn, once it had been given.  


For all the processing examined in relation to the websites, the controller determined the purposes and means of the processing and enabled third parties to place content on the websites, and is therefore the controller pursuant to [[Article 4 GDPR#7|Article 4(7) GDPR]]. The basic structure and functioning of the websites, the adequacy of the information and the consent framework on the websites depend on the active behaviour of the controller, and third parties cannot modify the websites against the will of the controller. Therefore, the responsibility for the data processing operations under consideration - obtaining information and consent from the data subject - rests with the controller in all the circumstances of the case, irrespective of who the website modules are obtained from or whether these data are transferred to third parties.
=== Holding ===
 
The DPA decided that the controller's conduct was in breach of the GDPR.
''Second'', the DPA held that [[Article 12 GDPR#1|Article 12(1) GDPR]] requires the controller to take appropriate measures to provide data subjects with all the information referred to in [[Article 13 GDPR|Article 13 GDPR]] and [[Article 14 GDPR|Article 14 GDPR]] and all the information referred to in [[Article 15 GDPR|Article 15 GDPR]] to [[Article 22 GDPR|Article 22 GDPR]] and [[Article 34 GDPR|Article 34 GDPR]] concerning the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language.


In the case of processing based on [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[Article 4 GDPR#11|Article 4(11) GDPR]] requires the controller to provide information on the basis of which informed consent can be given, not only before the processing starts, but also before consent is obtained.
<u>First, the DPA concluded that the content provider is the controller, which is ultimately responsible for the processing of the personal data.</u>


In relation to the websites, the controller indicated only consent as a legal basis for all browsing-related processing, irrespective of the fact that without certain technical cookies the websites cannot actually function and that in any case certain cookies with specific unique identifiers are used irrespective of consent. Expecting the data subject to read the privacy policies of the listed 754 partners and to withdraw consent individually for these third parties is not, in the view of the DPA, a transparent and fair condition. The fact that this practice may be widely used by other controllers does not make it lawful.  
The content provider used the websites to distribute its media content for its business interests. No other party had the right to decide whether the content provider should distribute its media content through the websites or whether it should cease to do so, and whether and through which service provider advertising should be displayed. The content provider operated the websites at its own discretion and in its commercial interest.


With regard to the websites, the exceptionally long information text on data management was available in an unreasonably small area of the screen, readable only a few lines at a time. The long text cannot be described as concise or clear. The usage of the “accept all” button was possible without any meaningful information at the first level, the “reject all” was only available at the second level.  
For all the processing examined in relation to the websites, the content provider determined the purposes and means of the processing and enabled third parties to place content on the websites. The DPA therefore held that the content provider was the controller pursuant to [[Article 4 GDPR#7|Article 4(7) GDPR]].


The term “legitimate interest” term used by the controller is clearly the same used in the GDPR, so it was either used completely wrongly by the controller – and therefore misleading – or used correctly, but without any information and without any consideration of the interests involved. In both cases, it is unfair and opaque to indicate substantially the same purposes on both the consent and the legitimate interest interfaces. As it gives the impression to data subjects that the same processing is possible even if consent is not given, in the absence of a further objection – now indicated on a third level interface. If the processing for the purposes set out in the “legitimate interest” interface does not take place in the absence of consent, the information and the interface are therefore misleading, and if it does take place, it is misleading because of that.
<u>Second, the DPA held that the controller violated the principle of fairness and transparency pursuant to [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 12 GDPR#1|Article 12(1),]] and [[Article 13 GDPR]] by not appropriately informing the data subjects about the legal basis of the processing.</u>


Only the purpose “To store and/or access information stored on the device” is the one that is only in the consent or opt-out interface and not in the legitimate interest. However, it is without this purpose that cookies cannot be placed and websites would not function. So the legal basis for consent is not appropriate, as the functioning of websites means that they are written and read regardless of consent, and cannot be opted out or withdrawn. According to the DPA, that means there is also unfair and non-transparent information for this purpose.
The DPA pointed out that [[Article 12 GDPR#1|Article 12(1) GDPR]] required controllers to take appropriate measures to provide data subjects with all the information referred to in [[Article 13 GDPR|Article 13 to]] [[Article 14 GDPR|14 GDPR]], in [[Article 15 GDPR]] to [[Article 22 GDPR]], and in [[Article 34 GDPR]]. The information has to be provided in a concise, transparent, intelligible manner and an easily accessible form, in clear and plain language. Moreover, [[Article 13 GDPR#1c|Article 13(1)(c) GDPR]] requires, among other things, that the controller informs its data subjects about the correct legal basis for their processing.


The accurate indication of the personal data and cookies required for the operation and the exact purpose of the information is completely absent from the information. Also, the legal basis for these as a legitimate interest was not indicated in relation to them and was not substantiated in the present proceedings in a legitimate interests assessment in response to the DPA's request. In its absence, the information is incomplete and misleading and, despite its length and difficulty of reading, lacks useful information. In particular, it does not explain why the processing of data in cookies is indispensable for the technical functioning and whether these data are used for other purposes.
However, in the present case, the controller indicated "consent" as a legal basis for browsing-related processing, irrespective of the fact that without certain technical cookies the websites cannot function. The purpose “To store and/or access information stored on the device” was only based on consent instead of legitimate interest. However, the DPA argued that without these cookies the websites would not be able to work. Consequently, the legal basis for consent is not appropriate, as a successful website visit of a data subject means that information on the data subject's terminal were written and read regardless of consent, and could not be opted out or withdrawn.


In all cases, there is also a lack of withdrawability with the same ease as giving consent, for which the framework used on websites does not provide an easily accessible possibility, neither for personal data directly processed by the controller nor for personal data transferred to third parties. This deficiency also applies to the information given, which does not indicate in an easily accessible way how consent can be withdrawn.
In addition, the term “legitimate interest” used by the controller is equivalent to the term used in the GDPR under [[Article 6 GDPR#1f|Article 6(1)(f)]]. Therefore, since the controller explained that its "legitimate interest" would not refer to the "GDPR legitimate interest", it was either used incorrectly by the controller – and misleading – or used correctly, but without any information and without any consideration of the interests involved. Either way, the DPA considered it unfair and opaque contrary to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] to indicate substantially the same purposes on both the consent and the legitimate interest tabs. It gives data subjects the impression that the same processing is possible even if consent is not given. Moreover, the information on the second level of the CMP was provided in an exceptionally long text on data management and was only available in an unreasonably small area of the screen, readable only a few lines at a time. The long text cannot be described as concise or clear.  


The fact that the owner of the websites has not properly consulted the advertising service provider contracted by him and has therefore been asked for consent for cookies used by the websites in two different ways over a period of years cannot be accepted as an excuse. As explained above, it is the responsibility of the controller as controller to achieve the lawful result. It is a deliberate infringement if the controller knows or has a reasonable need to know about its own online content and does not take any meaningful steps to resolve it promptly for years.
As a result of the above, the DPA concluded that the controller violated the principle of fair and transparent processing pursuant to [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 13 GDPR|Article 13 GDPR]].


As a result of the above, it can be concluded that the information provided by the controller on the websites about the processing of personal data during the investigated period violated the principle of fair and transparent processing pursuant to Article 5(1)(a), [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 13 GDPR|Article 13 GDPR]].
<u>Third, the DPA held that the controller processed personal data without a legal basis as it neither fulfilled the conditions for Article 6(1)(a) GDPR "consent" nor Article 6(1)(f) "legitimate interest".</u>


''Third'', the DPA stated that in the absence of adequate information, as a general rule, processing based on consent is in itself unlawful. This is also supported by paragraph 62 of the European Data Protection Board's (hereinafter: “EDPB”) Guideline 5/2020 (hereinafter “5/2020 Guideline”). According to this, if the controller does not provide accessible information, the data subject’s control over the data becomes apparent and consent becomes an invalid legal basis for processing. According to paragraph 69 of Guideline 5/2020, where information is provided by electronic means, multiple layers of information may typically be used, but must be accurate, complete and comprehensible. The layering should facilitate, not hinder, access to basic information. It is important to choose the appropriate legal basis and to meet its conditions. In the present case, due to the problems of information and withdrawability explained above, consent was not valid for any of the purposes. Also, for some purposes, which are necessary for the actual technical functioning of the websites, the use of consent is conceptually excluded. Based on paragraphs 17-21 of the EDPB Guideline 2/2019, it is necessary to consider on a case-by-case basis which legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]] is appropriate for the online processing in question, which may not always be consent.
The DPA decided that consent could not be used as a legal basis. It noted that it was not as easy to withdraw consent as it was to give it. The CMP did not provide an easily accessible possibility, neither for personal data directly processed by the controller nor for personal data transferred to third parties. There was no information provided on how to easily withdraw consent. Moreover, in addition, due to the opaqueness of the processing and the lack of clear information, as described above, consent, as a general rule, could not be considered to be a valid legal basis as it could not have been informed.


In the absence of a concrete definition of the scope of the data and of a legitimate interests assessment, it is not possible to decide whether the processing of data deemed necessary for the performance of a legitimate interest or of a contract is lawful in a given case. It is not the task and responsibility of the data subject, nor of the DPA, rather than the controller’s, to identify, describe and justify the specific purposes and legal grounds for the processing. The controller is required to clearly justify, consider and provide safeguards for the purposes and on what legal basis – in the case of legitimate interests, for which specific legitimate interests – it intends to process which personal data through the websites. These safeguards should ensure, inter alia, that the data subject is aware of the processing and can object to it before the processing takes place. As his or her right to object is exhausted after the processing, in particular in the case of a short period of processing or a one-off processing after transfer to a partner (and there were 754 possibilities in this case), and is therefore not effectively guaranteed.
Next, the controller could also not rely on legitimate interest for its processing. During the investigation, it became clear that the controller had not clearly indicated which processes were to be based on legitimate interest and which not. However, the DPA asserted that it is not the task and responsibility of the data subject, nor of the DPA, rather than that of the controller, to identify, describe and justify the specific purposes and legal grounds for the processing. Controllers are required to clearly justify, consider and provide safeguards for the purposes and legal basis on which they intend to process which personal data. These safeguards should ensure, among other things, that the data subject is aware of the processing and can object to it before the processing takes place.


For the above reasons, it can be concluded that, during the investigated period, the controller infringed the purpose limitation principle under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] and [[Article 6 GDPR#1|Article 6(1) GDPR]] by processing data on websites.
For the above reasons, the DPA concluded that the controller infringed [[Article 6 GDPR#1|Article 6(1) GDPR]].


Consequently, the DPA found the information provided by the controller to be unlawful and found that the information violated the principles of fair and transparent processing under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 13 GDPR|Article 13 GDPR]], and the purpose limitation principle under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] and [[Article 6 GDPR#1|Article 6(1) GDPR]]. The controller was fined 10,000,000 HUF (approx. €25,650). In determining the height of the fine, the DPA took into account some mitigating circumstances, namely, that the DPA had not previously found a data protection breach against the controller, and that the DPA has not previously published a fine decision on a similar matter and the legal environment imposes more tasks on controllers due to the delay in the adoption of the new ePrivacy rules. Aggravating circumstances were that the breach involved millions of data subjects' data over a period of years, and that the breach concerned personal data that were not well defined and difficult for data subjects to understand, including transfers to hundreds of controllers for profiling purposes, and therefore the breach is considered serious. Moreover, the infringement was intentional in nature for profiteering through data sharing and advertising.  
In sum, the DPA found the controller to be in violation of the GDPR, specifically [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 13 GDPR]]. It fined the controller 10,000,000 HUF (approx. €25,650). In determining the height of the fine, the DPA took into account some mitigating circumstances, namely, that the DPA had not previously found a data protection breach against the controller. Aggravating circumstances were that millions of data subjects were affected and that the processing was done for profiling purposes with commercial intent.


== Comment ==
== Comment ==
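
Review bot: the new closing paragraph ("In sum, the DPA found the controller to be in violation of the GDPR, specifically ...") lists only Article 5(1)(a), Article 12(1) and Article 13 GDPR, yet the new text just above it concludes that the controller infringed Article 6(1) GDPR, and the paragraph it replaces also named Article 5(1)(b) GDPR and Article 6(1) GDPR. Add the missing articles to the closing list or say why they were dropped. The same paragraph keeps the wording "some mitigating circumstances, namely" but now gives only one of the three circumstances the earlier revision recorded, so either restore the other two or reword to the singular.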

Latest revision as of 08:48, 23 February 2023

NAIH - NAIH-3195-11/2022
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 12(1) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started: 21.02.2022
Decided: 30.01.2023
Published: 01.02.2023
Fine: 10,000,000 HUF
Parties: TV2 Média Csoport Zrt.
National Case Number/Name: NAIH-3195-11/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Abel Kaszian

The Hungarian DPA fined a media provider 10,000,000 HUF (approx. €25,650) for, among other things, failing to properly inform data subjects about the processing on its websites and for confusingly using the term "legitimate interest" without referring to its meaning under the GDPR.

English Summary

Facts

The TV2 Media Group Ltd., the controller, is one of Hungary's largest content providers. It operates several TV channels and online streaming services and has two websites, tv2play.hu and tenyek.hu. "Tenyek.hu" contains predominantly news content, while "tv2play.hu" focuses on various audiovisual media content. In 2021, they had between 1.6 million and 2.4 million monthly visitors and a net revenue of 49,000,000,000 HUF (approx. €127,000,000).

Based on a "public interest notification", the Hungarian DPA started an ex officio investigation into the data processing of the websites. There was a concern that the controller did not provide data subjects with adequate information about the processing and that the consent management platform (CMP) on the websites did not collect the consent of data subjects in a transparent and clear manner.

The investigation revealed a number of potential data protection deficits.

The controller's CMP offered data subjects the possibility to give consent to cookies by clicking an "OK, continue" button. However, the only alternative was a "more options" button, which redirected to a second level of the CMP with more information and more detailed consent options. On this second level of the CMP, users were provided with two tabs for different categories of processing. On one tab, the user was able to give "consent" to different processing purposes. The other tab was titled "legitimate interest" and allowed the data subjects to object to data processing. Confusingly, the processes listed in both tabs were almost completely identical. They included purposes such as "selection of basic ads", "Measuring ad performance", and "creating a personalized advertising profile". The processing purpose "storing and/or accessing information stored on the device" was only listed under the consent tab.

Regarding the meaning of "legitimate interest", the controller explained that, as used on the website, the term did not relate to the legal basis under the GDPR but was meant as a "category". Consequently, the controller had also made no interest assessment.

Lastly, it was unclear to the DPA how consent could be withdrawn once it had been given.

Holding

The DPA decided that the controller's conduct was in breach of the GDPR.

First, the DPA concluded that the content provider is the controller, which is ultimately responsible for the processing of the personal data.

The content provider used the websites to distribute its media content for its business interests. No other party had the right to decide whether the content provider should distribute its media content through the websites or whether it should cease to do so, and whether and through which service provider advertising should be displayed. The content provider operated the websites at its own discretion and in its commercial interest.

For all the processing examined in relation to the websites, the content provider determined the purposes and means of the processing and enabled third parties to place content on the websites. The DPA therefore held that the content provider was the controller pursuant to Article 4(7) GDPR.

Second, the DPA held that the controller violated the principle of fairness and transparency pursuant to Article 5(1)(a), Article 12(1), and Article 13 GDPR by not appropriately informing the data subjects about the legal basis of the processing.

The DPA pointed out that Article 12(1) GDPR required controllers to take appropriate measures to provide data subjects with all the information referred to in Articles 13 and 14 GDPR, in Articles 15 to 22 GDPR, and in Article 34 GDPR. The information has to be provided in a concise, transparent and intelligible manner and in an easily accessible form, in clear and plain language. Moreover, Article 13(1)(c) GDPR requires, among other things, that the controller inform its data subjects about the correct legal basis for their processing.

However, in the present case, the controller indicated "consent" as a legal basis for browsing-related processing, irrespective of the fact that without certain technical cookies the websites cannot function. The purpose “To store and/or access information stored on the device” was only based on consent instead of legitimate interest. However, the DPA argued that without these cookies the websites would not be able to work. Consequently, consent is not an appropriate legal basis, as a successful website visit by a data subject means that information on the data subject's terminal was written and read regardless of consent, and this could not be opted out of or withdrawn.

In addition, the term “legitimate interest” used by the controller is equivalent to the term used in the GDPR under Article 6(1)(f). Therefore, since the controller explained that its "legitimate interest" would not refer to the "GDPR legitimate interest", it was either used incorrectly by the controller – and misleading – or used correctly, but without any information and without any consideration of the interests involved. Either way, the DPA considered it unfair and opaque, contrary to Article 5(1)(a) GDPR, to indicate substantially the same purposes on both the consent and the legitimate interest tabs. It gives data subjects the impression that the same processing is possible even if consent is not given. Moreover, the information on the second level of the CMP was provided in an exceptionally long text on data management and was only available in an unreasonably small area of the screen, readable only a few lines at a time. The long text cannot be described as concise or clear.

As a result of the above, the DPA concluded that the controller violated the principle of fair and transparent processing pursuant to Article 5(1)(a), Article 12(1) GDPR and Article 13 GDPR.

Third, the DPA held that the controller processed personal data without a legal basis as it neither fulfilled the conditions for Article 6(1)(a) GDPR "consent" nor Article 6(1)(f) "legitimate interest".

The DPA decided that consent could not be used as a legal basis. It noted that it was not as easy to withdraw consent as it was to give it. The CMP did not provide an easily accessible possibility to do so, neither for personal data directly processed by the controller nor for personal data transferred to third parties. There was no information provided on how to easily withdraw consent. Moreover, due to the opaqueness of the processing and the lack of clear information, as described above, consent, as a general rule, could not be considered a valid legal basis as it could not have been informed.

Next, the controller could also not rely on legitimate interest for its processing. During the investigation, it became clear that the controller had not clearly indicated which processes were to be based on legitimate interest and which were not. However, the DPA asserted that it is not the task and responsibility of the data subject, nor of the DPA, but of the controller, to identify, describe and justify the specific purposes and legal grounds for the processing. Controllers are required to clearly justify, consider and provide safeguards for the purposes and legal basis on which they intend to process which personal data. These safeguards should ensure, among other things, that the data subject is aware of the processing and can object to it before the processing takes place.

For the above reasons, the DPA concluded that the controller infringed Article 6(1) GDPR.

In sum, the DPA found the controller to be in violation of the GDPR, specifically Article 5(1)(a) GDPR, Article 12(1) GDPR and Article 13 GDPR. It fined the controller 10,000,000 HUF (approx. €25,650). In determining the amount of the fine, the DPA took into account some mitigating circumstances, namely, that the DPA had not previously found a data protection breach against the controller. Aggravating circumstances were that millions of data subjects were affected and that the processing was done for profiling purposes with commercial intent.

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

File number: NAIH-3195-11/2022 Subject: decision




                                     DECISION


On February 21, 2022, the Authority launched an official data protection procedure against TV2 Média Csoport Zrt. (headquarters: 1145 Budapest, Róna u. 174.; hereinafter: Customer) in relation to the data management of the "tenyek.hu" and "tv2play.hu" websites it operates (hereinafter: Websites), to check whether the data management related to the Websites complies with the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the management of personal data and on the free flow of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation), and whether the exercise of the rights of data subjects is handled properly in this regard. In the above official data protection procedure, the Authority makes the following decisions:

I. The Authority determines that the Customer did not provide adequate information to the data subjects in relation to the management of personal data managed through the Websites, and did not collect the consent of the data subjects on the Websites through a transparent and clear consent management framework; thus, with regard to the personal data managed on the Websites in the period under review, it violated the principle of fair and transparent data management according to Article 5 (1) point a) of the General Data Protection Regulation, the purpose limitation principle according to Article 5 (1) point b), Article 6 (1), Article 12 (1) and Article 13.

II. Based on Article 58 (2) point d) of the General Data Protection Regulation, the Authority ex officio instructs the Customer to modify the practice of the Websites related to the management of personal data so that it complies with the General Data Protection Regulation, i.e. to clearly separate the data management that is necessary for the operation of the site from that which is not necessary, to manage consent on the Websites in a uniform manner, no longer through multiple parallel systems whose connections to each other are not visible, and to make it possible to give consent, on the basis of appropriately concise and clear information, to the handling of personal data not required for the technical operation of the Websites; personal data based on consent that does not comply with this must be deleted.

Based on Section 61 (6) of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.), until the expiry of the deadline for filing an action to challenge the decision, or, in the case of an administrative lawsuit, until the final decision of the court, the data affected by the disputed data management cannot be deleted or destroyed.

III. Due to the above data protection violations, the Authority ex officio obliges the Customer to pay a data protection fine of HUF 10,000,000, i.e. ten million forints.

The Customer must prove the fulfillment of the obligation prescribed in point II to the Authority in writing, together with the presentation of the supporting evidence, within 30 days after the expiration of the legal remedy deadline for this decision. Data management can be continued only with a defined appropriate scope of data, for real and specific purposes, with a valid legal basis, and with proof of the maximum guarantee of the rights of the data subjects; otherwise, the Customer has to delete personal data that does not have a valid legal basis and must prove the termination of their further processing to the Authority within the above deadline.

The fine according to point III must be paid within 30 days from the date of this decision becoming final to the Authority's forint settlement account for the collection of centralized revenues (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, the number "NAIH-3195/2022 FINE." must be referred to.

If the Customer does not fulfill its obligation to pay the fine within the deadline, it is obliged to pay a late payment penalty. The rate of the penalty is the legal interest, which is the same as the central bank base rate valid on the first day of the relevant calendar semester.

In case of non-payment of the fine and the late payment penalty, or non-compliance with the obligation according to point II above, the Authority orders the enforcement of the decision.

There is no administrative appeal against the decision, but it can be challenged in an administrative lawsuit¹ with a statement of claim addressed to the Metropolitan Court within 30 days of its announcement. The claim must be submitted to the Authority electronically, which forwards it to the court together with the case documents. A request for the holding of a hearing must be indicated in the statement of claim. For those who do not receive full personal tax exemption, the fee for the judicial review procedure is HUF 30,000; the lawsuit is subject to the right to record the fee. Legal representation is mandatory in proceedings before the Metropolitan Court.

Pursuant to Section 61 (2) point a) of Infotv., the Authority publishes this decision on the Authority's website.

                                       JUSTIFICATION


I. Procedure and clarification of the facts

I.1. History matters

1.1. In the Authority's preceding investigation procedure No. NAIH-2905/2021 (hereinafter: History Case), the Authority examined, based on a public interest report, whether the cookie-related data management of the websites operated by the Customer complies with the provisions of the General Data Protection Regulation.

1.2. Based on Section 71 (2) of Infotv., the Authority can use the documents created in the History Case in this procedure.

1.3. The Customer's answers in the History Case, detailed below, did not credibly verify the legal compliance of the websites' cookie-related data management practices in respect of necessity, legal basis and information to the data subjects, so on February 21, 2022 the Authority initiated the current data protection authority procedure ex officio regarding the data management of the Customer's websites. The subject of the official data protection procedure is only the period between the General Data Protection Regulation becoming applicable (May 25, 2018) and the initiation of the present official data protection proceedings (February 21, 2022); however, when determining legal consequences, the Authority takes into account changes during the procedure.

¹ The NAIH_K01 form is used to initiate an administrative lawsuit: NAIH_K01 form (16.09.2019). The form can be filled out using a general form filling program (ÁNYK program).

1.4. In the History Case, the Client received the Authority's inquiry on August 9, 2021,

In his reply letter sent under NAIH-2905-6/2021, the following, from the point of view of the decision
made relevant statements:

   (i) No website operated by the Customer other than the "tenyek.hu" website redirects users to the "tv2play.hu" website.

   (ii) In response to the question of whether customization is possible apart from acceptance regarding cookies used on the "tenyek.hu" website, the Customer replied that the "tenyek.hu" website was renewed on December 16, 2020, which also affected its entire IT, hardware and software background, and development has been continuous ever since. In connection with the investigation procedure, the Customer noticed that the link (button) placed in the pop-up window on the "tenyek.hu" website does not direct to the right place, probably due to a technical error, which the Customer shall repair by September 30, 2021 at the latest.

   (iii) According to the table attached to the answer, the following types of cookies can be found on the "tenyek.hu" website: necessary (3 pcs), statistical (8 pcs), social (9 pcs), marketing (15 pcs).

   (iv) In all cases, the legal basis for cookies is the consent of the data subject.

   (v) Regarding the "tv2play.hu" website, there are two different consent frameworks at the same time, since the pop-up window is a solution related to the advertising interface that falls within the competence of atmedia Kft., while the settings interface found in the blue bar at the bottom is managed by the Customer. The blue bar provides information to users about cookies outside the advertising space. The Customer is working together with atmedia Kft. on a unified solution, which it intends to implement by October 31, 2021.

   (vi) In relation to the fact that, in the absence of acceptance in the blue bar at the bottom, it is not possible to use the website - i.e. there is no real possibility of opting out - the Customer declared that cookies that fundamentally influence the operation of the "tv2play.hu" website have been placed under this settings interface, without which the content available as part of the media service cannot be viewed.

   (vii) In relation to the "tv2play.hu" website, only atmedia Kft. can identify the cookies related to the advertising interface; the Customer cannot send a list of them. This currently means 754 partner cookies.

   (viii) In connection with the "tv2play.hu" website, cookies with the following functions are present outside the advertising interface: google tag manager (does not use cookies by default, only in preview and debug mode), google analytics (contains, among other things, a token that can retrieve the Client ID from the AMP Client ID service, distinguishes users), gemius (handling questionnaires), facebook (ad display and retargeting), youtube (stores a unique user ID, among other things), tiktok-embed (monitors user interaction with embedded content), instagram-embed, yusp (cookie storing userID and Client IP address for personalized recommendations; when using the Yusp software, if the cookie is turned off, the video recommendation is based not on the user's unique history but on general trends).


   (ix) On the "legitimate interest" tab in the pop-up window of the "tv2play.hu" website, the categories of cookies that are necessary for the operation of the website, and that are based on legitimate interest according to Article 6 (1) point f) of the General Data Protection Regulation, can be viewed, and it is possible to object to them. The name does not refer to the legal basis but denotes a "category", so here the term "legitimate interest" only serves to make understanding easier and does not correspond to the term according to the General Data Protection Regulation. The website therefore does not manage cookies on the legal basis of legitimate interest, so no balancing of interests was carried out.

   (x) According to general market practice, the Customer does not have a written data processing contract with the third parties listed under the "partners" tab. In the Customer's view, according to Article 28 (3) of the General Data Protection Regulation, "Data processing carried out by the data processor must be regulated by a contract or other legal act established on the basis of EU law or the law of the Member States, which defines the subject, duration, nature and purpose of data processing, the type of personal data, the categories of data subjects, and the obligations and rights of the data controller, and which binds the data processor to the data controller.", on the basis of which atmedia Kft., which operates the advertising platform, only uses partners whose general terms and conditions and data management policy comply with domestic and European Union data protection requirements. atmedia Kft. provided the following link with a list of vendors: https://iabeurope.eu/vendor-list-tcf-v2-0/

   (xi) With regard to the advertising surfaces, the data management information of every partner is listed on the interface that appears in the pop-up window, and separate information is available about cookies outside the advertising interface, which the Customer attached to the answer.

   (xii) In the period preceding the History Case, it may have occurred, due to a setup problem with Microsoft's cloud-based mail system, that a data subject who sent a request to the email address "adatvedelem@tv2.hu" erroneously received an error message; however, e-mails were received during this period as well and were not lost. The Customer remedied the error based on the Authority's notification; it had not received any notification about this before.


1.5. In the History Case, based on screenshots of the Websites prepared by the Authority on December 6, 2021, the following facts can be established:

   (i) When you arrive at the "tenyek.hu" website, a pop-up window appears in which the settings can be accepted, without being visible, with the "OK, continue" button, while the other, "data management information" button redirects to the "tv2play.hu" website. The following text can be read in the pop-up window of the "tenyek.hu" website:

   "[Facts] logo The protection of your data is important to us

   We and our partners store information, such as cookies, on a device or access information stored on the device, and we process personal data, for example unique identifiers and basic information sent by the device, for providing personalized ads and content, ad and content measurement, collecting viewership data, and developing and improving products. With your permission, we and our partners may also use precise geolocation data and identification through device scanning. By clicking in the right place, you can consent to us and our partners processing data as described above. Alternatively, before giving or refusing consent, you can get more detailed information and change your settings. Please note that certain processing of your personal data does not necessarily require your consent, but you have the right to object to this type of data processing. Your settings are only valid for this website. You can change your settings at any time by returning to this website or by using our privacy policy."

   (ii) After pressing the "data management information" button, the website redirects to the "tv2play.hu" website, on which a new pop-up window for managing cookies appears, whose text – with the [TV2 Group] logo instead of the [Tények] logo – is identical in content to the text of the pop-up window on the "tenyek.hu" website detailed in subsection (i) above. At the bottom of this new pop-up window, next to the "ok, continue" button that consents to everything without this being visible, there is a "more options" button.

   (iii) If you click on the "more options" button, on the second level of the interface the text detailed in subsection (i) above remains visible in the upper part of the pop-up window, with "reject all" and "accept all" buttons visible below it; below this static interface, in about one-eighth of the pop-up window, the information about the cookies can be read in a scroll bar, of which an average of 2-4 lines are visible at a time. At least the "partners", "legitimate interest" and "save and exit" buttons are available.

   (iv) In the narrow scroll bar on the second level of the interface, consent can be given individually for the following data management purposes:

    "Storing and/or accessing information stored on the device
    Selection of basic ads
    Create a personalized advertising profile
    Selecting personalized ads
    Create a personalized content profile
    Selecting personalized content
    Measuring ad performance
    Measuring the performance of your content
    Using market research to generate viewership data
    Product development and improvement"

   (v) After clicking on the "legitimate interest" button on the second level of the interface, on the third level of the interface there is an objection interface for the following purposes:

    "Choosing basic ads
    Create a personalized advertising profile
    Selecting personalized ads
    Create a personalized content profile
    Selecting personalized content
    Measuring ad performance
    Measuring the performance of your content
    Using market research to generate viewership data
    Product development and improvement"

   (vi) When you click on the "Storage of information stored on the device and/or" purpose, the following description of the purpose appears: "The suppliers can store and access information stored on the device, such as cookies and device identifiers presented to the user.".

   (vii) On clicking the "Select basic ads" button on the second level of the interface, the following description of the purpose is displayed: "In order to select basic ads, suppliers can use real-time information about the environment in which the ad will appear in order to present the ad, including content and device information such as device type and capabilities, user agent, URL, and IP address. They can use the user's inaccurate geolocation data. They can control the frequency of ads displayed to users. They can determine the sequence in which ads are displayed. They can block the display of an ad if it would appear in an inappropriate editorial (inappropriate from the point of view of brand safety) environment. Suppliers cannot use this information to create personalized advertising profiles for selecting future ads without a separate legal basis for creating personalized advertising profiles. Note: The term 'inaccurate' means only an approximate location, covering a circle with a radius of at least 500 meters.".

   (viii) After the cookie settings in the pop-up window, on clicking the "save and exit" button, regardless of any objections made there, the following text appears in a pop-up bar at the bottom of the "tv2play.hu" website (the "click here" part is a link to the Customer's information notice):

   "We inform you that the TV2 Play service uses advertising and analytical cookies. For more information, please click here. By pressing the "accept" or "reject" button, you accept or reject the use of all advertising and analytical cookies."

   (ix) After clicking the "decline" button in the pop-up bar, the text below can be read, after which there is only an "I accept" button (the "you can find it here" part is a reference to the Customer's information notice):

   "Attention! If you do not accept the cookies necessary for the operation of the site, you will not be able to access our latest videos and shows. You can find detailed information about cookies here."

   (x) With any settings, even in the event of an objection, the Websites create cookies on the user's computer that store a unique identifier for years; these also include google ads and google analytics cookies.

1.6. Based on the information revealed in the History Case, a direct risk of violation of several articles of the General Data Protection Regulation arose in connection with the data management under investigation, which justified the Authority's ex officio procedure and action with official means. The data protection issues raised concern the Customer's general data management practices and cannot be linked to a specific data subject. In view of the above, based on Section 55 (1) point a) b) of Infotv., the Authority closed the History Case and ex officio initiated this data protection official procedure on the subject of the Customer's data management related to the Questionnaire.


I.2. This data protection official procedure

2.1. In this data protection official procedure, at the request of the Authority and after the extension of the response deadline authorized by the Authority, the Customer made the following statements relevant to the decision in its reply letter received on March 28, 2022 and sent under NAIH-3195-4/2022:

   (i) The development of the advertising interface on the Websites is still in progress; legal and technical negotiations with atmedia Kft. have been ongoing since July 2021 in order to ensure that the existing situation will be resolved in accordance with the General Data Protection Regulation and the available technical conditions.

   (ii) The Customer, in cooperation with atmedia Kft., will do its best to eliminate the existing situation, taking into account the state of science and technology and the implementation costs, as well as the nature, scope, circumstances and purposes of data management, and the risk, of variable probability and severity, to the rights and freedoms of natural persons. The Customer requested that it be taken into account that information about data management has been provided, only the data controllers did not agree on the design of the communication interface, and the misunderstanding arose from this, and that the data management affects a narrow category of personal data. In the Customer's view, the data subjects did not suffer any damage; only the duplication of information could have caused misunderstandings. After the initiation of this official procedure, the Customer immediately started negotiations with atmedia Kft. for a solution. The Customer has not previously been subject to a data protection fine by the Authority, and the Customer always cooperates with the Authority.

2.2. On June 2, 2022, the Authority recorded screenshots of the Websites again, on the basis of which the following facts can be established; these do not affect the data management of the examined period and are only relevant in terms of future legal consequences:

   (i) The basic operating principles of the "tv2play.hu" website (buttons, significant overlap of consent and legitimate interest purposes, after the first settings interface another settings bar at the bottom, which does not offer the possibility of rejection) have not changed in substance; they are essentially the same as the previous state of December 6, 2021.

   (ii) The "tenyek.hu" website does not redirect to the "tv2play.hu" website; instead, the "data management information" button has been replaced by a "more options" button, which, in terms of the "legitimate interest" purposes that can be found at the third level and can be objected to, and in terms of the purposes found on the second level that allow consent, is identical in its basic content to the previous status of the "tv2play.hu" website on December 6, 2021, but there is no pop-up bar following the pop-up window.

2.3. In this data protection official procedure, at the request of the Authority, the Customer made the following statements relevant to the decision in its reply letter received on June 24, 2022 and sent under the number NAIH-3195-7/2022:

   (i) The Customer maintains a separate email mailbox for data subject requests at "adatvedelem@tv2.hu". An employee forwards incoming mail to the appropriate organizational unit based on its subject.

   (ii) The Customer currently does not have adopted internal regulations regarding the procedure for processing incoming data subject requests.

   (iii) According to the record attached to the reply, 54 letters were received and dealt with at the Customer's email address according to subparagraph (i) above during the period investigated by this data protection authority procedure (from May 25, 2018 to February 21, 2022).


2.4. On the basis of Section 76 of Act CL of 2016 on the general administrative procedure (hereinafter: Act), the Authority provided the Customer with the opportunity to access the documents of the procedure, which the Customer took advantage of on July 14, 2022. In accordance with its order numbered NAIH-3195-6/2022, the Authority provided the Customer with 15 days thereafter to make an additional statement or motion for evidence; however, the Customer has not done so as of today.


2.5. Based on the Customer's 2021 financial report available from the public database https://e-beszamolo.im.gov.hu/oldal/kezdolap, the Customer's net sales in 2021 were HUF 48,934,915,000.

2.6. Based on screenshots taken on June 7, 2022 of the traffic information available on the traffic analysis site similarweb.com, it can be established that visits to the tv2play.hu and tenyek.hu websites in the last 3 months ranged from 1.6 million to 2.4 million.


II. Legal provisions applicable in the case


According to Article 2 (1) of the General Data Protection Regulation, the General Data Protection Regulation must be applied to the processing of personal data in part or in whole in an automated manner, as well as to the non-automated processing of data that are part of a registration system or are intended to be part of a registration system.

Based on Article 4, point 1 of the General Data Protection Regulation, "personal data" is any information relating to an identified or identifiable natural person ("data subject"), including the online ID.

According to Article 4, point 2 of the General Data Protection Regulation, "data management" is any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication by transmission, distribution or other means of making available, coordination or connection, restriction, deletion or destruction.

Based on Article 4, point 4 of the General Data Protection Regulation, "profiling" is any form of automated processing of personal data during which personal data are used to evaluate certain personal characteristics related to a natural person, especially to analyze or predict characteristics related to work performance, economic situation, health status, personal preferences, interest, reliability, behavior, location or movement.

Pursuant to Article 4, point 7 of the General Data Protection Regulation, "data controller" is the natural or legal entity, public authority, agency or any other body that determines the purposes and means of the management of personal data independently or together with others. If the purposes and means of data management are determined by EU or member state law, the data controller or the special considerations for the appointment of the data controller can also be determined by EU or member state law.

Pursuant to Article 4, point 11 of the General Data Protection Regulation, "the consent of the data subject" is a voluntary, specific, adequately informed and clear declaration of the will of the data subject, by which the data subject indicates, by means of a statement or an act unambiguously expressing confirmation, that he gives his consent to the processing of his personal data.

According to Article 5 (1) point a) of the General Data Protection Regulation, personal data must be handled legally and fairly, as well as in a transparent manner for the data subject ("legality, due process and transparency").

According to Article 5 (1) point b) of the General Data Protection Regulation, personal data should only be collected for specific, clear and legitimate purposes and should not be processed in a manner inconsistent with these purposes; in accordance with Article 89 (1), further data management for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the original purpose ("goal-boundness").





Based on Article 5 (2) of the General Data Protection Regulation, the data controller is responsible for compliance with paragraph (1) and must also be able to demonstrate this compliance ("accountability").

According to Article 6 (1) point a) of the General Data Protection Regulation, the processing of personal data may be legal if the data subject has given his consent to the management of his personal data for one or more specific purposes.

Based on Article 12 (1) of the General Data Protection Regulation, the data controller takes appropriate measures in order to provide the data subject with all the information mentioned in Articles 13 and 14 and each item of information according to Articles 15-22 and Article 34 regarding the management of personal data in a concise, transparent, comprehensible and easily accessible form, worded clearly and comprehensibly, especially in the case of any information addressed to children.

Based on Article 13 (1) and (2) of the General Data Protection Regulation, if the personal data were obtained from the data subject, the data controller makes the following information available to the data subject:

   a) the identity and contact details of the data controller and, if any, of the representative of the data controller;

   b) contact details of the data protection officer, if any;

   c) the purpose of the planned processing of personal data and the legal basis of data processing;

   d) in the case of data management based on point f) of Article 6 (1) of the General Data Protection Regulation, the legitimate interests of the data controller or a third party;

   e) where appropriate, recipients of personal data, or categories of recipients, if any;

   f) where appropriate, the fact that the data controller wishes to forward the personal data to a third country or international organization, and the existence or absence of a compliance decision of the Commission, or, in the case of data transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the General Data Protection Regulation, the designation of the appropriate and suitable guarantees, as well as a reference to the methods for obtaining a copy of them or to their availability;

   g) the duration of storage of personal data, or if this is not possible, the aspects of determining this duration;

   h) the data subject's right to request from the data controller access to the personal data relating to him, their correction, deletion or restriction of processing, and to object to the processing of such personal data, as well as the data subject's right to data portability;

   i) in the case of data processing based on point a) of Article 6 (1) or point a) of Article 9 (2) of the General Data Protection Regulation, the right to withdraw consent at any time, which does not affect the legality of data processing carried out on the basis of consent before the withdrawal;

   j) the right to submit a complaint to the supervisory authority;

   k) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for concluding a contract, whether the data subject is required to provide the personal data, and what possible consequences failure to provide the data may have;

   l) the fact of automated decision-making referred to in Article 22 (1) and (4) of the General Data Protection Regulation, including profiling, and at least in these cases understandable information on the applied logic and on what significance such data management has and what expected consequences it has for the data subject.


Based on Article 13(4) of the General Data Protection Regulation, Article 13(1)-(3) does not have to be applied if and to the extent that the data subject already has the information.

Based on Article 26 (3) of the General Data Protection Regulation, regardless of the terms of the agreement referred to in paragraph (1), the data subject may exercise his or her rights under this regulation in relation to and against each data controller.

For data processing within the scope of the General Data Protection Regulation, according to Section 2 (2) of the Infotv., the General Data Protection Regulation must be applied with the additions contained in the provisions indicated there.

Based on Section 60 (1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority initiates an official data protection procedure at the request of the data subject and may initiate official data protection proceedings ex officio.

According to Section 61 (1) point a) of the Infotv., in its decision made in the official data protection procedure, the Authority may apply the legal consequences defined in the General Data Protection Regulation in connection with the data processing operations defined in Section 2 (2) of the Infotv.

Pursuant to Section 71 (2) of the Infotv., the Authority can use documents, data or other means of proof lawfully acquired during its procedures in other proceedings.

Based on Section 75/A of the Infotv., the Authority exercises its powers under Article 83 (2)–(6) of the General Data Protection Regulation in accordance with the principle of proportionality, in particular by taking action, in the case of a first violation of the regulations on the processing of personal data defined in legislation or in a mandatory legal act of the European Union, primarily with a warning to the data controller or data processor in order to remedy the violation, in accordance with Article 58 of the General Data Protection Regulation.

Based on Article 58 (2) point d) of the General Data Protection Regulation, the Authority orders the data controller or the data processor to bring its data processing operations into line with the provisions of this regulation, where applicable in a specified manner and within a specified period of time.

On the basis of Article 58 (2) point i) of the General Data Protection Regulation, the Authority imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, in addition to or instead of the measures mentioned in this paragraph.

Based on Article 83 (1) of the General Data Protection Regulation, each supervisory authority ensures that the administrative fines imposed on the basis of this article for the violations of this regulation mentioned in paragraphs (4), (5) and (6) are effective, proportionate and dissuasive in each case.





According to Article 83 (2) of the General Data Protection Regulation, administrative fines must be imposed, depending on the circumstances of the given case, in addition to or instead of the measures mentioned in points a)-h) and j) of Article 58 (2) of the General Data Protection Regulation. When deciding whether it is necessary to impose an administrative fine, and when determining the amount of the administrative fine, the following should be duly taken into account in each case:

   a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected by the infringement and the extent of the damage they suffered;

   b) the intentional or negligent nature of the infringement;

   c) any measures taken by the data controller or data processor to mitigate the damage suffered by data subjects;

   d) the extent of the responsibility of the data controller or data processor, taking into account the technical and organizational measures;

   e) relevant violations previously committed by the data controller or data processor;

   f) the extent of cooperation with the supervisory authority to remedy the violation and to mitigate its possible negative effects;

   g) the categories of personal data affected by the infringement;

   h) the manner in which the supervisory authority became aware of the violation, in particular whether the data controller or the data processor reported the violation, and if so, in what detail;

   i) if one of the measures referred to in Article 58 (2) of the General Data Protection Regulation was previously ordered against the relevant data controller or data processor in the same subject matter, compliance with the measures in question;

   j) whether the data controller or the data processor has adhered to approved codes of conduct under Article 40 of the General Data Protection Regulation or to approved certification mechanisms under Article 42 of the General Data Protection Regulation; as well as

   k) other aggravating or mitigating factors relevant to the circumstances of the case, for example financial gain obtained or loss avoided as a direct or indirect consequence of the infringement.

In the absence of a different provision of the General Data Protection Regulation, the provisions of the Ákr. shall be applied to the official data protection procedure with the deviations specified in the Infotv.


III. Decision

III.1. The person of the data controller


1.1. The Customer, based among other things on what is written in points I.1.4.(i)-(ii) above, uses the Websites to distribute its own media content, exclusively in its own business interest. No third party has the right to decide whether the Customer distributes its media content through the Websites or stops doing so, or whether advertisements should also be displayed and through which service provider.

1.2. The Customer operates the Websites based on its own decision and business interest; the conditions, for example with which partner it contracts to run advertisements, are defined by the Customer.


1.3. In the case of all data processing examined in connection with the Websites, the purposes and means related to the data processing were determined by the Customer, or the Customer made it possible for third parties to place content on the Websites; thus, based on Article 4, point 7 of the General Data Protection Regulation, the Customer is considered a data controller. The basic structure and operation of the Websites, and the compliance of the information and consent framework found on them, depend on the active behavior of the Customer; a third party cannot modify the Websites against the Customer's will. For this reason, based on all the circumstances of the case, the Customer bears the responsibility related to the investigated data processing, namely informing the data subject and obtaining his or her consent, regardless of from whom it obtained the individual modules of the Websites, or whether this data is forwarded to third parties. No third party is in direct contact with the data subjects, so responsibility for the legal compliance of the information and consent framework lies primarily with those who can have a direct and final influence on it. This does not affect the mutual accounting between the different data controllers and data processors, and, based on Article 26 (3) of the General Data Protection Regulation, internal agreements do not alter the responsibility towards the data subjects. This interpretation is also reinforced by, among other things, paragraph 102 of the decision of the Court of Justice of the European Union in case C-40/17: "In relation to the consent referred to in point h) of Article 2 and point a) of Article 7 of Directive 95/46, it can be established that it must be given before the collection and transmission of the data subject's personal data. In such circumstances, obtaining consent is the task of the operator of the website, not the provider of the community module, since the personal data processing is initiated by the visitor viewing this website. As the Advocate General pointed out in point 132 of his opinion, it would not be in accordance with the effective and timely protection of the rights of the data subject if consent had to be given only to the joint data controller who plays a role only at a later stage, i.e. the provider of the mentioned module.".



III.2. Description of data management

2.1. According to the state of the Websites recorded with screenshots by the Authority on December 6, 2021 in the History Case, and according to the facts detailed in point I, the Customer publishes media content on the Websites and uses cookies in connection with its display. The personal data contained in the cookies is also used for statistical and ad display purposes and, based on the purposes "Creating a personalized advertising profile", "Personalised select ads", "Create a personalized content profile" and "Personalised content selection" according to points I.1.5.(iv)-(v) above, for profiling according to Article 4, point 4 of the General Data Protection Regulation, in order to adapt to personal preferences in an automated manner.

2.2. Based on what is described in point I.1.5.(i) above, the examined cookies assign unique identifiers to a specific person. These identifiers definitely count as personal data, at least as pseudonymous data, since their purpose is to identify a specific active user who is a natural person.

2.3. Based on the revealed facts, the "tenyek.hu" website mostly contains news, while the "tv2play.hu" website focuses on audiovisual media content.

2 https://curia.europa.eu/juris/document/document.jsf?text=&docid=216555&doclang=HU





2.4. The Websites may display advertisements during browsing, which, depending on the choices made according to points I.1.5.(iv)-(v) above, may be personalized or general, and the content recommended on the Websites can also be adapted to individual browsing history. Furthermore, the use of the Websites is measured using unique identification data stored in cookies. Some cookies contain session tokens to prevent online attacks, which make communication between the user's device and the Customer's servers more secure; in this case a unique identifier is necessarily used.

2.5. Based on the information detailed in point I.1.5 above, personal data (for example, which content the data subject viewed, which ads the data subject viewed and which ads the data subject clicked on) is also used to personalize content, both with regard to the Websites and with regard to third-party partners.

2.6. In the examined period (from May 25, 2018 to February 21, 2022), the Websites had the content recorded on December 6, 2021, so the Authority used this as the basis for judging legality in the present case. During the procedure, the Client did not make a statement to the contrary and did not indicate any other status for the examined period. Later changes are taken into account by the Authority in determining the legal consequences for the future; they do not affect the legality of the examined period.



III.3. The information in the examined period

3.1. According to Article 12 (1) of the General Data Protection Regulation, it is the duty of the Customer, as the data controller responsible for the data processing in question, to take appropriate measures in order to provide data subjects with all the information mentioned in Articles 13 and 14 and each communication according to Articles 15-22 and Article 34 relating to the processing of personal data in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly.

3.2. The system of appropriate information in the General Data Protection Regulation serves to make the data subject aware of which personal data will be processed by which data controller, for which purpose and how. This is essential for the data subject to be in a position to meaningfully exercise his or her data subject rights.

3.3. In the case of data processing based on point a) of Article 6 (1) of the General Data Protection Regulation, based on Article 4, point 11 of the General Data Protection Regulation, the data controller is obliged to provide the information on the basis of which informed consent can be given not only before the beginning of the data processing, but before obtaining consent.

3.4. In relation to the legal basis of data subject consent according to the General Data Protection Regulation, it is important to emphasize that it does not operate as a general authorization, independent of other legal conditions, under which the data controller can process any personal data at any time, for any reason and without limits. Data subject consent to data processing can only be valid if it is requested for specific purpose(s), which can be given separately for each purpose, if adequate information is provided beforehand which puts the data subject in a position to make an appropriate decision about giving consent, and if it complies with all other validity conditions prescribed in the General Data Protection Regulation. According to Article 12 (1) of the General Data Protection Regulation, the data controller must provide assistance to the data subject in such a way that the data subject can exercise all his or her relevant rights in an informed manner.





3.5. As explained above, the obligation to provide information is not a mere "paperwork" obligation in the General Data Protection Regulation. Everything contained in the preamble [3] and all the articles of the General Data Protection Regulation require the achievement of results when determining the obligations of a data controller, not just proof of a specified minimum effort on the part of the data controller. The aim of the information is to put the data subject in the right decision-making position regarding the exercise of his or her data subject rights.

3.6. In relation to the Websites, the Customer indicated only consent as the legal basis for all browsing-related data processing, even though, as written in point I.1.5.(ix) above, the Websites cannot actually function without some technical cookies, and some cookies with unique identifiers are definitely used regardless of consent. Expecting the data subject to read the data processing information of the 754 partners concerned and to withdraw the consent given to these third-party partners one by one is, in the opinion of the Authority, not a transparent and fair condition. This practice may be widely used by other data controllers, but that does not make it legal. In relation to the vendor partner list referred to in point I.1.4.(x) above, the Customer indicated the use of the IAB Europe framework. In connection with data processing by IAB Europe, the Belgian data protection authority stated that it violates the General Data Protection Regulation, among other things due to lack of transparency and information; the legal interpretation of this decision also applies mutatis mutandis in this case. This fact also supports that the argument put forward by the Customer, namely that it is a solution in common use in the industry, does not in itself affect the findings in this procedure and is not proof of compliance with the General Data Protection Regulation.

3.7. In relation to the Websites, it can be established that the extremely long informative text related to data processing was available in an unreasonably small area of the screen, with only a few lines legible at once. The long text can be called neither concise nor clear. "Accepting everything" is possible at the first level without information that can be called meaningful, while "reject all" is only available at the second level. The term "legitimate interest" used by the Customer can clearly be matched to the concept according to the General Data Protection Regulation, so it was either used completely incorrectly by the Customer, and because of this the information was misleading, or it was used correctly, but without any information and consideration of interests. In both cases, it is unfair and opaque that essentially the same purposes are indicated on both the consent and the legitimate interest interface, as this gives data subjects the impression that the same data processing is possible even without their consent, in the absence of a further objection, which this time must be marked on the interface located on the third level. If the data processing according to the purposes placed on the "legitimate interest" interface does not take place in the absence of consent, then the information and the interface are misleading for that reason; if it does take place, then for that reason.

3.8. "Storing and/or accessing information stored on the device" is the only purpose that can be found only on the interface for giving or refusing consent and not on the legitimate interest interface, even though it is precisely this purpose without which the cookies necessary for operation cannot be placed and the Websites would not work. Consent is therefore not an appropriate legal basis for it, since the operation of the Websites means that writing, hosting and reading are done independently of consent, and it cannot be refused or withdrawn. Because of this, although for a different reason, unfair and non-transparent information also exists for this purpose.

3 it should be fair. For natural persons, it must be transparent how personal data concerning them is collected, used, viewed or otherwise handled, as well as the extent to which the personal data is or will be processed. [...]"

4 https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-21-2022-english.pdf






3.9. An itemized and accurate identification of the personal data and cookies necessary for operation, and the definition of their purpose, is completely absent from the information. Legitimate interest was not indicated as their legal basis, nor was it supported with a consideration of interests at the Authority's request in the present procedure. In the absence of this, the information is necessarily incomplete and misleading; it is long and difficult to read, yet poor in useful information. Among other things, it does not show specifically which functions and which data are handled in cookies, why they are specifically essential for technical operation, and whether this data is used for other purposes.

3.10. In all cases, the possibility to withdraw consent as easily as it was given is also lacking. The framework used on the Websites does not provide an easily available option for this, either for personal data managed directly by the Customer or for personal data transmitted to third parties. This deficiency also applies to the information, which does not indicate in an easily accessible way how consent can be withdrawn.

3.11. The Customer could not indicate any reasonable reason why there were two parallel consent management systems in relation to the "tv2play.hu" website, to which the "tenyek.hu" website was also redirected during the examined period. That the Customer, being the owner of the Websites, did not properly coordinate with the advertising organizer contracted with it, and that consent to the cookies used by the Websites was therefore also requested in different ways for two years, cannot be accepted as an excuse. As explained earlier, achieving the right result is the Customer's responsibility as data controller. The violation is intentional if the Customer knows, or reasonably needs to know, about its own online content and does not take any meaningful steps towards a quick solution over the years.

3.12. Due to the above, it can be established that during the period under review, the information provided by the Customer on the Websites about the processing of personal data violated the principle of fair and transparent data processing, Article 12 (1) and Article 13.



III.4. The legality of the data management of the Websites during the examined period

4.1. In the absence of adequate information, data processing based on consent is, as a general rule, illegal in itself. This is also supported by paragraph 62 of Guidelines 5/2020 of the European Data Protection Board (hereinafter: 5/2020 Guidelines). Accordingly, if the data controller does not provide accessible information, the user's control over the data becomes illusory and consent becomes an invalid basis for data processing. The basic requirement of easy accessibility is also confirmed by paragraphs 66 and 67 of the 5/2020 Guidelines. Regarding information relating to consent, paragraph 63 of the 5/2020 Guidelines also emphasizes that the consequence of not complying with the requirements for informed consent is that the consent will be invalid and the data controller may violate Article 6 of the General Data Protection Regulation. Pursuant to paragraph 69 of the 5/2020 Guidelines, in the case of information provided electronically, multi-level information can typically be used; however, it must be accurate, comprehensive and understandable. The multiple levels should help, not hinder, access to basic information.




5 Guideline No. 5/2020 of the European Data Protection Board on consent pursuant to Regulation (EU) 2016/679:
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf





4.2. Based on paragraph 64 of the 5/2020 Guidelines, in order for consent to be informed, the data subject must be informed about certain key elements. The European Data Protection Board therefore believes that valid consent requires at least the following information:

 (i) the identity of the data controller - this was not fulfilled in this case; "we and our partners" is not specific enough regardless of the 754 partners, and even the identity of the Customer is not clearly marked on the settings interface available in the pop-up window;

 (ii) the purpose of each data processing operation for which consent is sought - this was not fulfilled properly, as the inclusion of the purposes indicated in the framework used by the Websites at two different levels, in two different contexts, with essentially the same content (or content that data subjects can easily assume to be the same at first glance) calls into question compliance with the purpose limitation principle at the system level; furthermore, in addition to this systemic problem, the definition of certain purposes, such as "storing and/or accessing information stored on a device", is too broad both in itself and on the basis of the more detailed description, and can formally enable data processing that obviously cannot be the data subject's intention in general (e.g. accessing photos and documents stored on the device);

 (iii) what type of data will be collected and used - this was not fulfilled properly; it is not clear and obvious to an average data subject exactly which data will be used, and for what, under the individual purposes for which consent is requested;

 (iv) the existence of the right to withdraw consent - this was not fulfilled; in the large amount of text there is no adequately clear information on the basis of which it can be known how and in what way consent can be withdrawn, and with regard to operation this is not even possible;

 (v) where applicable, information on the use of the data for automated decision-making in accordance with point c) of Article 22 (2) - this is relevant in the present case due to the recommendation system and personalized advertisements, and it was not fulfilled; there is no specific information on how browsing both on and off the Websites will be affected by automatic profiling and targeting, only meaningless general statements;

 (vi) the possible risks of data transfers arising from the lack of an adequacy decision and of the adequate guarantees described in Article 46 - in this case, this presumably exists because of the 754 partners, but no information is known, and neither the Client nor the Authority had information to provide about the partners or their types.

4.3. At the end of the above list, the European Data Protection Board specifically indicates that, based on Article 13 of the General Data Protection Regulation, this is only a minimum requirement, and in addition it is necessary to provide all information that may be important for a typical data subject's decision.


4.4. It is important to choose the right legal basis and fulfill its conditions. In the present case, due to the information problems and the revocability problem explained above, consent was not valid for any purpose, and for some purposes, namely those necessary for the actual technical operation of the Websites, the use of consent is conceptually excluded. Based on paragraphs 17–21 of Guidelines 2/2019 of the European Data Protection Board (hereinafter: 2/2019 Guidelines), it may be necessary to consider which legal basis according to Article 6 (1) of the General Data Protection Regulation is the appropriate one for a given online data processing; it may not always be consent.

4.5. Without a specific definition of the scope of data and a consideration of interests, which is missing in this case, it cannot be decided whether the data necessary for operation is lawfully processed on the basis of legitimate interest or contract fulfillment. The identification, description and justification of the specific data processing, its purpose and its legal basis is not the task and responsibility of the data subject or the Authority instead of the data controller. The Customer must specifically, broken down by data and purpose, justify, consider and establish with clear guarantees for what purpose and with what legal basis (in the case of legitimate interest, for which specific legitimate interest) it wishes to process which personal data through the Websites. These guarantees must ensure, among other things, that the data subject is aware of this data processing and can object to it even before the data processing, because after the data processing, especially in the case of short-term or one-time data processing or after the data has been forwarded to 754 partners, the right to object is already exhausted, so in fact this right is not guaranteed to the data subject.

4.6. Due to the above, it can be established that during the period under review, the Customer's data processing on the Websites violated the principle of purpose limitation according to Article 5 (1) point b) and Article 6 (1) of the General Data Protection Regulation.



IV. Legal consequences

1. In accordance with Article 58 (2) point i) and Article 83 (2) of the General Data Protection Regulation, the Authority may impose a data protection fine instead of or in addition to the other measures.

There is no doubt that, in case of violation of the General Data Protection Regulation, it is necessary to oblige the data controller, based on Article 58 (2) point d) of the General Data Protection Regulation, to bring data processing into line with the General Data Protection Regulation, i.e. data processing should be limited to the necessary personal data, with adequate information and legal bases. Given that an online consent framework is in question, and the Client has already indicated several times during the procedure that it has been working on a solution for a long time, the 30-day deadline for changes should be sufficient. Based on the facts recorded in point I.2.2 above, it can be determined that the operation of the Websites still does not satisfy data protection requirements. In applying legal consequences, the Authority takes into account the fact that the Client was given significant time, both in the Background Case and in the present procedure, to modify the data processing of the Websites, yet no significant changes have taken place regarding the fundamental problems. The General Data Protection Regulation does not require the data controller to negotiate legal compliance with each data processor for months or years, but to ensure compliance. Given the Customer's organizational size and annual income, the slowness of the amendment experienced is unacceptable, hence a fine is required. In accordance with the governing judicial practice, in such cases the Authority presents in the justification of the decision those of the aspects listed in Article 83 (2) of the General Data Protection Regulation that it took into account on the merits when imposing the fine.

2. On the question of whether the imposition of a data protection fine is justified, the Authority made a decision based on statutory discretion, taking into account Section 61 (1) point a) of the Infotv., Section 75/A of the Infotv., Article 83 (2) of the General Data Protection Regulation and Article 58 (2) of the General Data Protection Regulation, on the basis of which a finding of infringement in itself would not be a proportionate and dissuasive sanction, therefore a fine must be imposed. In this case, based on the totality of the circumstances of the fine imposition detailed below, the protection of personal data, which is the Authority's task, cannot be achieved without imposing a data protection fine. The imposition of the fine serves both special and general prevention, for which purpose the decision should also be published on the website of the Authority.

6 Guideline No. 2/2019 of the European Data Protection Board on the processing of personal data according to Article 6(1)(b) of the General Data Protection Regulation in the context of online services provided to data subjects:
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_hu.pdf

3. Regarding the necessity and amount of the fine, the Authority took into account that the Customer's net sales revenue in 2021 was HUF 48,934,915,000.

4. When determining the amount of the data protection fine, the Authority took into account the following as mitigating circumstances:

   (i) The Authority has not previously established a data protection violation against the Client. (General Data Protection Regulation Article 83 (2) point e)

   (ii) The Authority has not previously published a decision imposing a fine on a similar topic on its website, and in the legal environment, because of the delay in the adoption of the new ePrivacy rules, the application of the existing general data protection rules imposes more tasks on data controllers. (General Data Protection Regulation Article 83 (2) point k)

5. When determining the amount of the data protection fine, the Authority took into account the following as aggravating circumstances:

   (i) The infringement related to the data of millions of data subjects over the years. (General Data Protection Regulation Article 83 (2) point a)

   (ii) The infringement is related to personal data that is not precisely defined and is difficult for data subjects to understand, including data transmission to hundreds of data controllers for the purpose of profiling, so the violation is considered serious. (General Data Protection Regulation Article 83 (2) point a)

   (iii) As explained in point III.3.11 above, the violation was intentional, for profit through data sharing and advertisements. (General Data Protection Regulation Article 83 (2) point b)

   (iv) During the procedure, the Client cooperated with the Authority only within the procedure, with the aim of answering; however, the results of the cooperation were only promises to achieve the compliance of the Websites and to cancel the double requests for consent, which the Customer did not fulfill in practice for a long time. (General Data Protection Regulation Article 83 (2) point f)



V. Other questions

1. According to Section 38 (2) of the Infotv., the Authority is responsible for monitoring and promoting the enforcement of the right to the protection of personal data and the right to access data of public interest and data public on grounds of public interest, and for facilitating the free flow of personal data within the European Union. According to Section 38 (2a) of the Infotv., the tasks and powers established for the supervisory authority in the General Data Protection Regulation are exercised, with regard to legal entities under the jurisdiction of Hungary, by the Authority as defined in the General Data Protection Regulation and this law. The Authority's jurisdiction covers the entire territory of Hungary.

7 see: https://www.naih.hu/dontesek-adatvedelem-tajekoztatok-koezlemenyek?download=71:tajekoztato-kozlemeny-a-
in relation to the protection of personal data
burden-declaration-obligations-fulfil

2. Based on § 112, subsections (1) and (2), § 114, subsection (1) and § 116, subsection (1) of
the Akr., the decision can be appealed through an administrative lawsuit.

                                              * * *
3. The rules of the administrative lawsuit are defined in Act I of 2017 on the Administrative
Procedure (hereinafter: Kp.). Based on Kp. § 12, paragraph (1), the administrative lawsuit
against the decision of the Authority falls within the jurisdiction of the court; based on
Kp. Section 13, paragraph (3), point a), subpoint aa), the Metropolitan Court is exclusively
competent for the lawsuit. According to Kp. Section 27, paragraph (1), legal representation is
mandatory in administrative proceedings before the tribunal. According to paragraph (6) of
§ 39 of the Kp., the submission of a claim does not have the effect of postponing the entry
into force of the administrative act.


4. According to paragraph (1) of Section 29 of the Kp. and, in view of this, § 9 (1) point b)
of Act CCXXII of 2015 on the general rules of electronic administration and trust services,
applicable according to § 604 of Act CXXX of 2016 on the Code of Civil Procedure, the client's
legal representative is obliged to maintain electronic contact. The time and place of
submitting the statement of claim are defined by § 39, paragraph (1) of the Kp. The information
about the possibility of requesting a hearing is based on paragraphs (1)-(2) of § 77 of the Kp.


5. The amount of the fee for the administrative lawsuit is defined by Section 45/A (1) of
Act XCIII of 1990 on fees (hereinafter: Itv.). Paragraph (1) of § 59 and point h) of § 62 (1)
of the Itv. exempt the party initiating the procedure from the advance payment of the fee.

6. If the Customer does not adequately certify the fulfillment of the prescribed obligations,
the Authority considers that the obligations have not been fulfilled within the deadline.
According to § 132 of the Akr., if the Customer did not comply with the obligation contained in
the Authority's final decision, the decision can be executed. According to § 82, paragraph (1)
of the Akr., the Authority's decision becomes final with its communication. Pursuant to § 133
of the Akr., enforcement - unless a law or government decree provides otherwise - is ordered by
the decision-making authority. Pursuant to § 134 of the Akr., the execution - unless a law, a
government decree or, in a municipal authority matter, a local government decree provides
otherwise - is undertaken by the state tax authority. Based on Infotv. § 61, paragraph (7), the
Authority itself undertakes the implementation of the decision regarding an obligation
contained in the Authority's decision to carry out a specific act, to perform a specific
behavior, to tolerate or to stop.

dated: Budapest, according to the electronic signature

                                                                Dr. Attila Péterfalvi

                                                                       president
                                                                 c. professor