- Date of final decision: 26 September 2022
- National case
- Controller: TV2 Média Csoport Zrt.
- Legal Reference: Fair and Transparent Processing (Article 5(1)(a)), Purpose Limitation (Article 5(1)(b)), Lawfulness of Processing Article 6(1)), Transparency and Information (Article 12(1), Article 13)
- Decision: Infringement of the GDPR, Order to comply, Administrative fine
- Key words: cookies, fair and transparent data processing, purpose limitation, validity of consent, legitimate interest, information, administrative fine
Summary of the Decision
Origin of the case
Ex officio procedure based on public interest notice.
TV2 Média Csoport Zrt. operates the websites “tenyek.hu” and “tv2play.hu” (Websites) making its media content available to the public. The Websites also display ads at the sole decision of the data controller, who concludes contracts with third parties for the operation and ads on the Websites. TV2 Média Csoport Zrt. is the data controller for all features of the Websites, as no one else can have a significant influence in the decision on the above issues. Based on paragraph 102 of CJEE judgement in case C-40/17, the person having decisive control over the Websites is responsible for all information to be provided to the data subjects, even if this information concern data processing at a later time by a third party, but the personal data is collected through the Websites. The practical GDPR compliance of the cookie consent management system (CMS) was the main focus of the case.
The Websites use the same CMS, and after setting one CMS panel, another different one pops up, which is confusing. Furthermore, the second CMS – after asking for consent – did not take ‘no’ for an answer despite clearly asking for consent. As the cookies can be used for individual tracking and profiling, the information about them to data subjects was not sufficient and was difficult to access due to the user interface. During the several months procedure the data controller stated it would solve the CMS issues it acknowledged, but failed to do that and only made minor changes not effecting the merit of the case. The HU SA found in its decision that the data controller should only continue the data processing on the Websites if such processing was made compliant with the GDPR. An administrative fine was also issued in HUF equal to approximately EUR 25 000.
The data controller initiated a court procedure against the decision.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.