Exercise your Rights – Article 21 GDPR– object to processing!

Are you receiving “membership offer” messages from a gym? Is your old yoga trainer still using photos of you in their promotions? Do you want any of these entities to stop what they are doing? If so, then making an objection request may be the best move for you to exercise your data protection rights.

Read on to find out how to exercise your right to object to the processing of your data…

Your Right to Object

What is the right to object?

This is the right to request a controller (the organisation/entity/administration/company processing your data) to stop the processing of your personal in certain cases.

Step 1: How to contact the controller

Step 2: Drafting your request

Step 3: Controller’s response

Step 4: What if the controller does not answer or refuses my request?


When do I have a right to object?

Exercising the right to object is possible in the following cases:

  • Your data is used for direct marketing (eg if a gym or yoga studio is using your email address or phone number contacts you regarding membership discounts or other marketing materials)
  • The processing is based on the legitimate interest of the controller or is necessary for the performance of a task carried out in the public interest or for the exercise of official authority vested in the controller (eg if a public library is storing data about your visits or a tax administration keeping data on you to investigate your situation)
  • The processing is for research purposes such as for statistical, historical research or scientific purposes (eg if you take part in a sociological study on young people).

How do I know if my processing falls under one of the categories above?

  • If your data is being processed for one of the reasons mentioned above, the controller should have informed you about your right to object. The controller must do this at the latest the first time it contacts you.
  • If you did not receive this information or cannot find it, have a look at the controller’s privacy policy. If you cannot find this information in the privacy policy, you can make an access request and ask the controller to tell you which legal ground they are using for processing and whether you have the right to object. The controller is required to answer within a month. (Find out how to exercise your right to access information here).

Can I object to the processing in all cases?

  • The law of your country may provide for exemptions. The most common exemptions exist in the field of law enforcement and police, national security, or taxation.
  • The controller can also refuse your request to object if the request is excessive (eg several similar requests on the same matter) of manifestly unfounded (eg with the intention of causing disruption).
  • If your data are used for direct marketing, the controller cannot for any reason refuse your objection request. However, if your data is used for the performance of a “public task” or on the basis of a “legitimate interest”, controllers may refuse your request and continue with the processing
  • if they can prove that they have “compelling legitimate grounds”. For example, a search engine may refuse a gym owner’s request to stop including negative articles about that gym’s hygiene practices in its search results. The search engine then may justify refusing this request, if they demonstrate that the gym has previously been sanctioned by the health authorities or courts, and that informing consumers is a “compelling legitimate ground”.
  • if the processing is necessary for the establishment, exercise or defence of legal claims (eg if the controller has a legal dispute with you).
  • If your data is used for research purposes, the controller may refuse your request and continue with the processing if it is considered necessary for public interest reasons. For example, a hospital could refuse to delete your data if it is necessary to measure the spread of a virus in the hospital.

Is it free ?

Yes! The controller must rectify your data free of charge, unless your request is excessive or manifestly unfounded. In this case, the controller can charge a reasonable fee for the administrative costs of handling your request.


How do I exercise my right to object in practice ?

Step 1: How to contact the controller

Your request to object to the processing of your data should be addressed to the controller.

This can be done by email, letter, fax or through a form, as long as you have a written record of the request. When the processing is online, the controllers must provide automated ways (like a form, or a link to object in an email) to object to the processing of your data.

The relevant email address can usually be found in the “privacy policy” or “contact us” section of the controller’s website. It will generally have a name like privacy@company.com or legal@publicauthority.eu. If this is difficult to find, or if there is no specific address to which you can send your request, that’s the fault of the controller, not yours - the GDPR requires controllers to make this information easily accessible. Where there is no specific email address, you can use the general contact details of the controller.


Step 2: Drafting your request

  • Inform the controller that you are objecting to the processing of your data and that you are seeking a confirmation from the controller that they have stopped the processing. If there are several processing operations on you, specify which you would like to stop.
  • Specify your name or other identifier used by the controller (eg an account username). To help the controller address your request more efficiently, include some information that would help to identify your account, such as your phone number (if you gave it when you signed up), username or account name, or IP address. This will be particularly helpful if you have a common first name and surname. 
  • Include the date in the text if you put your request in an attachment to the email or in a letter. This clarifies the controller’s deadline for providing the information.
  • Specify to which processing you object. You should choose one of the three circumstances in “When do I have a right to object?” and explain why you object to the processing and the reasons relating to your particular situation. Remember that in case of direct marketing, you do not need to justify why you want to object to the processing of your data.
  • Specify how you would like to receive the information, eg electronically, via an email address.
  • Ask the controller to confirm that they will refrain from processing the contested data while they are handling your request. You can specify that you want to exercise your right of restriction of your data under Article 18(1)(d) GDPR.


Step 3: Controller’s response

Once the controller receives your request, it has one month to respond.  This period can only be extended once by a maximum of two further months, in cases of complex or multiple requests.

The controller can ask you for additional information to confirm your identity in case of doubt. However, such a request should be limited to the additional information necessary to confirm who you are. The additional information cannot be disproportionate, having considered the context of the processing of your data (eg a shop asking you for a copy of your passport to change the address of a loyalty card would be disproportionate).

Generally, this information must be provided to you in writing, but it can be communicated to you via electronic means such as email, or it can be provided orally if you request it.


Step 4: What if the controller does not answer or refuses my request?

Unless you are objecting on the basis of direct marketing, the controller may refuse to stop the processing under certain circumstances. If they do this, they must explain why, and what their compelling legitimate grounds are, applicable to your particular case. The controller’s explanation must use one of the reasons mentioned here above to refuse (eg compelling legitimate interest or performance of a public task). The controller cannot refuse to stop processing your data for any other reason, nor can they issue you with a generic, blanket response.

If the controller:

  • rejects your request without a satisfactory explanation,
  • tries to unjustifiably charge you for your request,
  • does not:
    • restrict the processing while handling your request (if you asked of it),
    • respond after a month or after the extension of this period (maximum 3 months in total),


you are entitled to file a complaint with a data protection authority (eg the DPA where you live or work), and the controller should inform you about that.

If you need assistance in assessing the legal elements of a controller’s reply, you can contact us at info@noyb.eu to discuss further steps. 

Back to Exercise Your Rights