AÉSZ Kft., as the operator of the Benczúr Hotel*** (address: 1068 Budapest, Benczúr u.35.; website: www.hotelbenczur.hu) and as a data controller undertakes that all data processing related to its activities complies with this information and the requirements defined in the effective national legislation and in the legal acts of the European Union.
AÉSZ Kft. manages the personal data provided by the guests or future guests of the Benczúr Hotel when they use the hotelbenczur.hu website, as well as those persons identified as guests in this Information Sheet and who are otherwise, through our employees contact us.
The purpose of this information is that our guests who use our services can receive adequate information about the purpose and legal basis of the processing of their data, the scope of the processed data and the deadline before providing their personal data.

Data and contact details of the Data Controller:
Company name of the data controller: Autonóm-ÉSZT-SZEF Vagyonkezelő Kft.
Abbreviated company name: AÉSZ Kft.
Headquarters and postal address: 1068 Budapest, Benczúr u.35.
Company registration number: Cg.01-09-266727
Representative: Managing Director Tamás Varga
Telephone number: +36 1 478 5090
E-mail address: info@hotelbenczur.hu, titkarsag@aeszkft.hu
(hereinafter also referred to as "Data Controller" or "Company")

Data protection guidelines applied by the Data Controller
Our Company is committed to protecting the personal data of its customers and partners, and considers it highly important to respect its customers' right to informational self-determination. The Company treats personal data confidentially and takes all security, technical and organizational measures that guarantee data security.
The data manager uses personal data based on the legal basis included in the GDPR and only for a specific purpose.
Personal data can only be processed for specific purposes. In all stages of data management, the purpose of data management must be met, the collection and management of data must be fair and legal. Only personal data that is essential for the realization of the purpose of data management and suitable for achieving the purpose can be processed. Personal data can only be processed to the extent and for the time necessary to achieve the purpose. The data controller does not use personal data for purposes other than those indicated.
In any case, if the Data Controller intends to use the provided personal data for a purpose other than the purpose of the original data collection, the Data Subject shall be informed of this, and the Data Subject shall be given prior, express consent to this, and shall be given the opportunity to prohibit the use of his personal data.
Our data management principles are in line with the current legislation on data protection, in particular with the following:

 Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) - on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC ( general data protection regulation, hereinafter: GDPR)

 CXII of 2011 on the right to information self-determination and freedom of information. law (Infotv.)

 Act V of 2013 on the Civil Code (Ptk.)

 Act C of 2000 on accounting

 the CL Act of 2017 on the taxation system

 CVIII of 2001 on certain issues of electronic commerce services and services related to the information society. law

   XLVIII of 2008 on the basic conditions and certain limitations of economic advertising. law

TERMS APPEARING IN THE INFORMATION
Data subject: According to the GDPR, "data subjects" are natural persons living anywhere who are in contact with a "data controller" in the EU, or natural persons living within the EU who are in contact with a data controller outside the EU.
Data controller: the legal entity that determines the purposes and method of processing personal data;
Personal data: any information linked to an identified or identifiable natural person ("data subject"); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable;
Data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, systematization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or making accessible in any other way by item, alignment or connection, restriction, deletion or destruction;
Data processor: the legal entity that processes personal data on behalf of the data controller;
Data processing: performing technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application, provided that the technical task is performed on the data;

The consent of the data subject: the voluntary, specific and clear declaration of the will of the data subject based on adequate information, with which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he gives his consent to the processing of personal data concerning him;
Data deletion: making data unrecognizable in such a way that their recovery is no longer possible;
Profiling: any form of automated processing of personal data in which personal data is used to evaluate certain personal characteristics of a natural person, in particular characteristics related to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movement used to analyze or predict;
Pseudonymization: Encoding or maintaining personal data in a different way, by which they cannot be linked to a specific data processing subject without providing additional information. Additional information must be stored separately and protected from unauthorized use by technical and organizational measures.
Third party: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data manager, the data processor or the persons who have been authorized to process personal data under the direct control of the data manager or data processor;
Third country: any state that is not a member of the European Economic Area (EEA)

Disclosure: making personal data available to anyone;
We provide the following information about the data management carried out during certain services of our Company:
1. ACCOMMODATION RESERVATION
In the case of a room reservation made online, in person at the hotel or by telephone, our Company may request one or all of the personal data listed under "scope of personal data handled".
The purpose of the data management: the identification of the guest booking the room at the time of check-in and the registration of the payment instrument, which avoids the associated financial risk if the guest does not check in at the hotel.  
The legal basis for data management: the prior consent of the person booking the accommodation (GDPR Article 6(1)(a)) and the need to take steps at the data subject's request prior to the conclusion of the contract between the Data Controller and the Data Subject (GDPR Article 6(1) .point b).
Scope of processed personal data: surname, first name, residential address (country, postal code, city, street, house number), number of employees, date of arrival, date of departure, according to payment method: bank account number or full credit card details, telephone number, e-mail address, any other your preferences (e.g. allergies, etc.)
In the case of third-country nationals, in addition to those listed above: place, time, visa number of border crossing

Duration of data management: The data processed to provide the services will be kept for 2-8 years, depending on the data.  
In some cases, there is a legal obligation to keep personal data for a longer period of time.  Such cases e.g.:
•    If the data is needed for issuing invoices or other tax records, the data must be kept for 8 years from the end of the calendar year.  
•    For all guests who use the accommodation, the hotel must pay a tourist tax to the local government and guests from outside the EU must be reported to the police.  According to the law, the data contained in these reports are kept for 6 years from the date of registration.
If you request the preservation of your data by ticking the box for this purpose in order to simplify future bookings (data management purpose), the legal basis for data management will be your voluntary consent. You can withdraw your consent at any time, but the withdrawal does not affect the legal data processing that preceded it.
We will delete the data after the longest period of the mentioned relevant data retention periods.
Possible consequences of not providing data: If you do not provide the requested data, no contract will be created for the use of the hotel room, and we will not be able to contact you in the event of a problem.

2. REQUEST FOR OFFER FROM WEBSITE
The purpose of data management is to provide advance information about the hotel's services and prices, as well as the possibility of making an online connection.
Legal basis for data management: prior consent of the person booking the accommodation (GDPR Article 6 (1) point a)
Scope of processed personal data: surname and first name; telephone number; e-mail address; number of guests, date of arrival and departure
Duration of data management: until the end of the business relationship, review every 5 years
Possible consequences of not providing data: If you do not provide the requested data, we cannot provide you with a personalized offer.

3. REGISTRATION SHEET
The purpose of the data management: realization of accommodation reservation, recording of data required by law
The legal basis for data management: data management is necessary to take steps at the request of the data subject prior to the conclusion of the contract (GDPR Article 6 (1) point b) and data management is necessary to fulfill the legal obligation of the data controller (GDPR Article 6 (1) point c)
Scope of processed personal data: Surname, first name, date of birth, identity card number/passport number, residential address/invoicing address, e-mail address, payment method, date of arrival and departure, vehicle registration number
Duration of data management: The data processed in order to provide the services will be kept for 2-8 years, depending on the data.  
In some cases, there is a legal obligation to keep personal data for a longer period of time.  Such cases e.g.:
•    If the data is needed for issuing invoices or other tax records, the data must be kept for 8 years from the end of the calendar year.  
•    The hotel must pay a tourist tax to the local government for all guests who use the accommodation, and guests from outside the EU must be reported to the police.  According to the law, the data contained in these reports are kept for 6 years from the date of registration.
If you request the preservation of your data by ticking the box for this purpose in order to simplify future bookings (data management purpose), the legal basis for data management will be your voluntary consent. You can withdraw your consent at any time, but the withdrawal does not affect the legal data processing that preceded it.
We will delete the data after the longest period of the mentioned relevant data retention periods.
The provision of mandatory data by the Guest is a condition for using the hotel service.

4.    REGISTRATION OF REGISTERED GUESTS
Purpose of data management: discount for returning guests, information about regular guest discounts, personal greeting
The legal basis for data management: the guest's prior consent to the processing of their personal data (GDPR Article 6 (1) point a)
You can withdraw your consent at any time and request the deletion of your data. However, this does not affect the legal data management prior to that.
Scope of processed personal data: surname, first name, gender, date of birth, e-mail address, telephone number, mailing address, date(s) of hotel stay
Duration of data management: The Company stores the personal data of the regular guest for the period specified in the current tax law and accounting regulations, and deletes them after the deadline or at the request of the regular guest.

GUEST QUESTIONNAIRE AND EVALUATION
Benczúr Hotel's goal is to provide its guests with high-quality services, and to this end, it constantly asks for feedback from its guests about their experiences during their stay at our hotel.
Purpose of data management: contact with reviewer and complaint handling
The legal basis for data management: the consent of the data subject (GDPR Article 6 (1) point a)
Scope of processed personal data: surname, first name, contact information (e-mail address, telephone, residential address), room number, date of arrival and departure
Entering the data is not mandatory, but it is advisable to provide it in order to accurately investigate complaints and ensure a response. If you give us your opinion anonymously, we do not process personal data.
Duration of data management: Personal data received during feedback will be deleted one year after the request, question or complaint has been answered.

5.    BANK CARD DATA
The purpose of data management is to ensure the reservation and to collect the total amount of the service or, depending on the cancellation, a partial amount.
The legal basis for data management: fulfillment of the contract concluded for the sake of the service (GDPR Article 6 (1) point b). Entering the data is mandatory, it is a condition for the provision of the service.
Scope of processed personal data: name on the card; card number; expiry date, CVV/CVC code
Duration of data management: Bank card data are encrypted, their disclosure is only possible for the sake of the transaction, and only to the authorized person. After leaving the hotel, the data can no longer be disclosed, access is not possible (aliasing). The data will be deleted after 8 years.

6.    NEWSLETTER
The Benczúr Hotel keeps in touch with its guests by means of a newsletter, to whom it recommends its services, and informs it of news and special offers related to its operation.   
Purpose of data management: information about current promotions, discounts, information about the hotel and related events
Legal basis for data management: voluntary consent of the data subject (GDPR Article 6 (1) point a)
Scope of processed personal data: surname, first name, e-mail address
Duration of data management: until you unsubscribe from the newsletter. You can cancel the newsletter by clicking the Unsubscribe link at the bottom of the newsletter.
Possible consequences of not providing data: The person concerned will not receive a newsletter from our company.

7.    CAMERA SYSTEM

Cameras are in operation in the Benczúr Hotel area for the personal and property security of the Guests. Camera surveillance is indicated by the pictogram and warning text.

The purpose of data management is to protect the lives and physical integrity of persons staying in the Benczúr Hotel, to maintain personal and property safety by using the electronic surveillance system (camera system).

The legal basis for data management: the Data Subject's express voluntary consent [GDPR Article 6 (1) point a) and Szvtv. Pursuant to Section 26 (1) point e) and Section 31 (1)-(4) asserting the Data Controller's legitimate interest [GDPR Article 6 (1) point f)].

Scope of processed personal data: facial image and behavior of the persons concerned as seen in photographs

Duration of data management: 3 working days from the Data Subject entering the Benczúr Hotel area, 30 days in the case of a public event.

8. SOCIAL MEDIA (Facebook, Twitter)
Benczúr Hotel is available on the social portal Facebook and Twitter.

Purpose of data management: new information, news, current events about the hotel, contact.

Legal basis for data management: voluntary consent of the data subject (GDPR Article 6 (1) point a)
Consent can be revoked at any time by unsubscribing. The revocation does not affect the legal data processing that preceded it. In the event of withdrawal, you will not receive a notification about our news feed, our news will not appear on your news feed, but you will still have access to the news feed, as our site is public.

Scope of personal data handled: The Company has access to the profile of "followers", but does not record or manage it in its own internal system.
Duration of data management: data management lasts until you unsubscribe.
The Company also publishes pictures/films of various events/hotels/restaurants etc. on its Facebook page. If it is not a mass photograph, the Company always asks for the written consent of the person concerned before publishing the images.

Facebook and Twitter are data managers independent of us. You can get information about the data management of the site from the data protection guidelines and regulations on the Facebook website.
Facebook privacy policy
Twitter Privacy Policy

9. AUTOMATICALLY RECORDED DATA, COOKIES AND REMARKETING CODES
Automatically recorded data

When you view our website, certain data of your device (e.g. laptop, PC, telephone, tablet) are automatically recorded. Such data is the IP address, the time and date of the visit, the type of browser used, the type of operating system, and the domain name and address of the Internet service provider. The recorded data is automatically logged by the web server serving the website when viewing the website without any special declaration or action from you. The system automatically generates statistical data from this data. These data cannot be combined with other personal data, except in cases made mandatory by law. We only use this information in an aggregated and processed (aggregated) form, to correct possible errors in our services, to improve their quality, and for statistical purposes.

The purpose of data management: Technical development of the IT system, control of the operation of the service and preparation of statistics. In case of abuse, the data can also be used to determine the source of the abuse in cooperation with the visitors' internet service provider and the authorities.

Legal basis for data management: CVIII of 2001 on certain issues of electronic commercial services and services related to the information society. Act 13/A. § (3) is a condition for the provision of the service.

Duration of data management: 30 days from the date of viewing the website.

What cookies do we use?

1. Tools essential for the operation of the website:
Such cookies are essential for the proper functioning of the website, so in this case the legal basis for data management is CVIII of 2001 on certain issues of electronic commercial services and services related to the information society. Act 13/A. (3) of § No data transfer takes place.


a) It helps in the search
The purpose of data management: It helps you to find what you are looking for as quickly as possible
Data management time: lasts for the duration of your stay on the website

b) Identification of language setting:
Purpose of data management: During your visit to the website, the system identifies you as a unique user with the help of a standard cookie in order to remember your language settings.
Data management time: This setting (cookie) is stored for 29 days.

c) Social network cookie (Facebook, Instagram, Google+, Youtube)
Purpose of data management: This cookie provides the opportunity to share the content on the website.
The data management time: We store this cookie until the time of sharing.

d) Multimedia player (youtube)
Purpose of data management: This cookie enables you to play the videos on the website.
Data management time: This cookie is stored for the duration of the playback.

2.    Cookies that collect statistical data
These cookies only collect statistical data, so they do not process personal data. During their operation, they monitor how you use the website, which topics you view, what you click on, how you scroll the website, which pages you visit. However, it only collects information anonymously. This way we can find out, for example, how many visitors the page has per month. These statistical data also help to adapt our site to user needs. Google Tag Manager (and Google Analytics) helps to collect such data.
3. Cookies for marketing purposes
The data management purpose of such cookies is to send personalized advertisements.
Legal basis for data management: In all cases, your consent, which you enter in the pop-up window on the website. You can withdraw your consent at any time, but the withdrawal does not affect the legal data processing that preceded it. In the event of withdrawal, advertisements designed for you will not appear on other platforms.

a) Categorization according to the place of the visit,
Data management time: 269 days

b) Personalized Facebook offers
Time of data management: maximum 180 days

c) Monitoring clicks on the Company's advertisements
The data management period: 2 years


10.    REFERENCES AND LINKS
Our website may also contain links that are not operated by the Company and are only for the information of visitors. The Company has no influence whatsoever on the content and security of websites operated by partner companies, so it is not responsible for them. Please review the data management information of the pages you visit before entering your data in any form on that page.

11.    BILLING
Purpose of data management: Use of the services provided by Benczúr Hotel by the data subject, determination of the consideration for the services and invoicing.
Legal basis for data management: § 69 of Act C of 2000 on accounting. (1) and (2) fulfillment of legal obligations (GDPR Article 6 (1) clause (c)).
Scope of processed personal data: surname, first name, billing address provided for issuing the invoice, duration of stay (arrival-departure date), tax number in the case of a VAT invoice
Duration of data management: 8 years from the date of the provision of the personal data by the person concerned and from the preparation of the report, business report, or accounting for the given business year.
Possible consequences of failure to provide data: The person concerned may not use the services of the Benczúr Hotel.

12. COMPLAINT HANDLING PROTOCOL
During the handling of consumer complaints, if you do not agree with the handling of the complaint or the immediate investigation of the complaint is not possible, the Company is obliged to record the complaint and its position on it without delay.
The minutes contain the following information:
•    The name and address of the consumer
•    Place, time and method of presenting the complaint
•    Detailed description of the consumer's complaint, list of documents, documents and other evidence presented by the consumer
•    The Company's statement on its position regarding the consumer's complaint, if the complaint can be investigated immediately
•    The signature of the person recording the report and - with the exception of verbal complaints communicated by phone or electronically - the signature of the consumer
•    Place and time of taking the minutes
•    In the case of a complaint communicated by telephone or electronically, the unique identification number of the complaint
The purpose of data management is to investigate the complaint and maintain contact with the complainant.

Legal basis for data management: CLV of 1997 on consumer protection. Act 17/A. § (7), which makes the above data management mandatory.

Duration of data management: 5 years from the recording of the record.

If you wish to exercise any of your rights contained in point 18 of this data protection information in relation to the data provided in this way, or if you wish to contact us for any other reason in connection with the above data management, please notify us at H-1068 Budapest, Benczúr u. 35. or via e-mail to info@hotelbenczur.hu.

13. CONTACT

You have the opportunity to contact us through any of our contacts (Facebook, phone, e-mail, website, mail). In such a case, we assume your consent to the processing of the data shared with us.

The purpose of data management: answering questions and requests, maintaining contact with the requester.
Legal basis for data management: voluntary consent of the data subject (GDPR Article 6 (1) point a) Consent can be withdrawn at any time. The revocation does not affect the legitimate data management that preceded it.
Scope of processed personal data: we ask for the most necessary data to answer the given question.
Duration of data management: received personal data will be deleted one year after the given request, question or complaint has been answered. However, if, due to the nature of the correspondence, it is necessary for tax law or accounting reasons, or perhaps from the point of view of protecting the rights and interests of the Company or the requester, it will be archived and stored for the necessary period of time, which is examined individually in each case.

14. BUSINESS CONTACT
Like most companies, our Company maintains a business relationship with some employees of other organizations, whose name, business position and contact information we store.

Purpose of data management: communication with our partners for the purpose of cooperation.

Legal basis for data management: Legitimate interest related to the performance of the contract or the relationship between the companies (GDPR Article 6 (1) point (f)).
Scope of personal data handled: contact person's name, business position, telephone number, e-mail address
We store the contact information of these business contacts solely for the purpose of facilitating the establishment and maintenance of business cooperation with partner companies.  

Duration of data management: we check the contact details of our business contacts at least once a year and remove those that are no longer up-to-date from the system. At the partner's request, we modify or remove their data from our system.

We act in the same way as above when handling the personal data of members of the press.

15.    OTHER DATA MANAGEMENT
We provide information on data management not listed in this information when the data is collected. We inform our customers that certain authorities, bodies performing public duties, and courts may contact our company for the purpose of providing personal data. If the relevant body has specified the exact purpose and the scope of the data, our company will release personal data to these bodies only to the extent and to the extent that is absolutely necessary to fulfill the purpose of the request, and if the fulfillment of the request is required by law.

16. TRANSMISSION OF DATA, RECEIVING REQUESTS OF DATA PROCESSORS
Our company uses the help of IT service providers as follows:
Data processor name

Hotelstart Kft.                         1016. Bp. Hegyalja út 23.         providing the possibility of online accommodation 

Mediaorigo Kft. 1062.Bp.Andrássy út 74.fsz.1.          website operation, server hosting tasks

Hostware Kft.                     1149. Bp. Róna u. 120-122          Performing customer management tasks when using the Hostware Front Office hotel system   

OTP Bank Nyrt.                             1077. Bp. Király u. 49. Conducting the data communication required for payment transactions between the merchant and the payment service provider's system; confirming transactions and ensuring their traceability, providing fraud control 

SIX Payment Services Hungary       1117.Bp. Budafoki út 91-93.    Conducting the data communication required for payment transactions between the merchant and the payment service provider's system; confirmation of transactions and ensuring their traceability, providing fraud control

17. METHOD OF STORING PERSONAL DATA, SECURITY OF DATA MANAGEMENT
Our company's computer systems and other data storage locations are located at the headquarters and at its data processors. For the management of personal data, we select and operate the IT tools used in the provision of the service in such a way that the processed data:
a) accessible to those authorized to do so (availability)
b) its authenticity and authentication are ensured (authenticity of data management)
c) its immutability can be verified (data integrity)
d) be protected against unauthorized access (data confidentiality).

We pay special attention to the security of the data, we also take the technical and organizational measures and develop the procedural rules that are necessary to enforce the guarantees according to the GDPR. We protect the data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage, and inaccessibility resulting from changes in the technology used.
The IT system and network of our company and our partners are both protected against computer-assisted fraud, computer viruses, computer intrusions and denial-of-service attacks. The operator ensures security with server-level and application-level protection procedures. Daily data backup is done. In order to avoid data protection incidents, our company takes all possible measures, in the event of such an incident, we take immediate action to minimize risks and eliminate damages.
Regardless of the protocol (email, web, etc.), electronic messages transmitted over the Internet are vulnerable to network threats that can lead to dishonest activity or the disclosure or modification of information. To protect against such threats, the Company takes all necessary precautions. However, the Internet is not 100% secure, as is well known to users. The Company is not responsible for any damage caused by undefended attacks that take place despite the greatest care that can be expected.

18. RIGHTS OF THE DATA PARTIES
Right to information
The data controller takes appropriate measures to ensure that all information related to the processing of personal data referred to in Articles 13 and 14 of the GDPR and Articles 15-22 are provided to the data subjects. and provide each piece of information according to Article 34 in a concise, transparent, comprehensible and easily accessible form, clearly and comprehensibly worded, and at the same time precise.
The right to information can be exercised in writing, via the contact details provided under "Data controller data and contact information". At the request of the person concerned, information can also be provided orally after proof of identity. We inform our customers that if our company's employees have doubts about the identity of the data subject, we can request the provision of information necessary to confirm the identity of the data subject.

Right of access
The Data Subject has the right to receive feedback from the Data Controller as to whether his personal data is being processed, and if such data processing is in progress, he is entitled to receive access to the personal data and the following information:
•    The purposes of data management in relation to the given personal data,
categories of personal data concerned,
•    categories of recipients to whom or to whom the Data Subject's personal data has been or will be communicated, including in particular recipients from third countries (outside the European Union) and international organizations,
•    the planned period of storage of personal data,
•    the data subject’s rights (the right to correction, deletion or restriction, the right to data portability and the right to object to the processing of such personal data),
•    the right to submit a complaint addressed to the supervisory authority;
•    if the Data Controller did not obtain the data from the Data Subject, then all available information about the source,
•    the fact of automated decision-making regarding the Data Subject's personal data, including profiling, as well as understandable information regarding the applied logic and the significance of such data management and the expected consequences for the Data Subject.

The right to erasure ("the right to be forgotten")
The Data Subject has the right to request that the Data Controller delete his personal data without undue delay, if one of the following reasons exists:
•    the personal data indicated by the Data Subject are no longer needed for the purpose for which they were collected or otherwise managed by the Data Controller,
•    the Data Subject withdraws the consent that forms the basis of the data management, and there is no other legal basis for the data management,
•    the Data Subject objects to data processing based on the legitimate interests of the Data Controller, and there is no compelling legitimate reason for the Data Controller that takes priority over the interests, rights and freedoms of the Data Controller, or which are related to the submission, enforcement or defense of legal claims,
•    the Data Controller handled the personal data illegally,
•    the personal data managed by the Data Controller must be deleted in order to fulfill the legal obligation prescribed by the EU or national law applicable to the Data Controller,
•    the Data Subject objects to data processing and there is no overriding reason for data processing.

The right to restrict data processing
The Data Subject has the right to request that the Data Controller limit the processing and use of personal data relating to him, if one of the following reasons exists:
•    the Data Subject disputes the accuracy of the personal data (in this case, the restriction lasts until the Data Controller checks the accuracy of the data),
•    the Data Controller handled the personal data illegally, but the Data Subject requests restriction instead of deletion,
•    for the Data Controller, the purpose of data management has ceased, but the Data Subject requires them to present, enforce or defend legal claims,
•    the Data Subject objects to data processing based on the legitimate interests of the Data Controller, and there is no compelling legitimate reason for the Data Controller that takes precedence over the interests, rights and freedoms of the Data Controller, or which are related to the submission, enforcement or defense of legal claims; in this case, the restriction will remain in place until it is determined whether the Data Controller's legitimate reasons take precedence over the Data Subject's legitimate reasons.
In case of restriction, personal data may only be processed with the Data Subject's consent, with the exception of storage, or for the presentation, enforcement or defense of legal claims, or for the protection of the rights of another natural or legal person, or for the important public interest of the EU or a member state of the European Union.
The Data Controller informs the Data Subject in advance of the lifting of the restrictions on data management.

The right to protest
In the case of a data controller, the exercise of the right to protest may arise in the case of data processing based on legitimate interests.
The Data Subject has the right to object to the processing of his personal data and in such case the Data Controller may no longer process the Data Subject's personal data, unless it can be proven that
•    data management is justified by compelling legitimate reasons on the part of the Data Controller