What is the Right to Object?
Defined in Article 21, Right to Object is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).
Right to Object Summary
- Right to object allows data allows data subjects to send organizations requests to stop processing their personal data in certain circumstances
- Data subjects must give specific reasons why they are objecting to the processing of their data. These reasons should be based upon their particular situation
- Organizations must disclose to data subjects their right to object processing; often communicated within their privacy notice
- Right to object requests can be made to an organization verbally or in writing
- Objection requests must be handled, by an organization (data controller), without undue delay and within one month after receiving the request
- Exceptions apply to extend an organization’s response by an additional two months
Business Considerations for Organizations to Understand
What are the steps for answering right to object requests?
The initial step in answering right to object requests is to verify whether the claims for objection are legitimate. If verified, the organization must ensure processing is stopped for any legitimate claims made within the request. Once complete, notification to the data subject should be made, confirming the actions made in response to their request.
How does the right to object apply to processing personal data for direct marketing purposes?
If an organization is processing personal data for direct marketing, the data subject has an absolute right to object processing of their data. There are no exemptions or grounds for an organization to refuse requests to stop processing personal data for direct marketing. The same absolute right includes uses for any data profiling which may be related to the personal data the organization is processing. However, this does not mean an organization is forced to erase the data subject’s information. Instead, an organization can suppress their details by using techniques such as pseudonymization or organizational practices like data minimization to ensure the data subject no longer receives direct marketing in the future.
How does the right to object apply to processing based upon public task or legitimate interests?
Similar to the case of direct marketing, an individual has the right to object processing of their personal data if an organization is using the data for research or statistical purposes. However, unlike direct marketing, the right is not absolute. Some exceptions and requirements apply:
- data subjects may object the processing of their personal data if legal basis the organization is relying upon involves legitimate interests or public tasks either performing tasks carried out in the public interest or exercising official authority vested to the organization
- when trying to apply their right to objects for the purposes above, the data subject must provide specific reasons why they are objecting to the processing of their personal data, based upon their particular situation.
However, since the above mentioned purposes do not guarantee an absolute right to objection, an organization can continue processing the personal data if:
- they can demonstrate compelling legitimate grounds for processing the data, which overrides the interests, rights and freedoms of the individual
- the processing is necessary for the establishment, exercise or defense of legal claims of legitimate interests in which data subjects may have exercised a right to object to the processing of their data.
In a case like that, the individual must provide specific reasons why they are objecting to the processing based upon their particular situation. Additionally, an organization may continue processing personal data if they can demonstrate compelling legitimate grounds for their processing which override the interests and rights of the individual or that processing such personal data is for the establishment in exercising or defending legal claims.
How does the right to object apply to research or statistical purposes?
If processing for scientific or historical research or statistical purposes, then individuals only have highly limited rights to object. As long as an organization applies appropriate safeguards while processing for research purposes as mentioned above, such as either data minimization or pseudonymization, the data subject’s right to object is only legitimate if the lawful basis for processing is either:
- a public task specifically on the basis that it is necessary to exercise the official authority granted to the organization
- for legitimate interests
This distinction is critical when compared to either the cases of general purposes based upon public tasks or of legitimate interests since the GDPR omits specifying the lawful basis for public entities performing tasks carried out in the public interest. This distinction can confuse organizations and generate risk to them because it may not always be clear whether the basis for tasks is solely in the public interest or for the exercise of official authority. Differentiating between the two may be difficult. For this reason, organizations relying upon the public task lawful basis to continue processing personal data should give deference to the data subject’s reason for objection rather than pursue a lawful basis to continue processing.