Your right to object (Article 21)


What is the right to object?

Under the GDPR, there are six legal bases to process your data. For example, your consent, a contract (e.g. your address is used to deliver goods you ordered), or a legal requirement (e.g. obligation to preserve records under tax laws). Your right to object depends on the legal basis that a company chooses. For example, if your data is processed based on consent, you do not have to object to processing, but you can just withdraw your consent (see above).

If you are not sure if the company asked you for consent, you should be able to find the correct legal basis in the privacy policy. If there is no way of finding out, you can exercise your right to withdraw anyways – worst case, it gets denied.

Under Article 21 GDPR, you have the right to object when the processing of your data is based on legitimate interest or when your data is processed for public interest. A legitimate interest is an interest of a company that outweighs the right of a user. For example, the use of data for legitimate security reasons. In essence, this is a balancing test between your rights and the interests of a company. 

Only when data is used for so-called “direct marketing”, is there a clear right to object. The term “direct marketing” is actually quite narrow, but many companies argue that any kind of advertising falls under it.

 You have the right to object in the following cases:

  • You have an absolute right to object if your data is used for directmarketing.
  • In all other cases, you have to show that your particular situation justifies a stop in processing by the company. The company then has to show that its rights still override yours.

Your request to object may be refused if:

  • The law of your country provides exemptions (most commonly) in the field for law enforcement and police, national security, or taxation.
  • The request is excessive (e.g. several similar requests on the same matter) or manifestly unfounded (e.g. with the intention of causing disruption).
  • They can prove that they have “compelling legitimate grounds”.
  • The processing is necessary for the establishment, exercise or defense of legal claims.
  • Your data is used for research purposes. The company may refuse your request and continue with the processing if it is considered necessary for public interest reasons.

How can I exercise the right to object?

  • You can just send an informal message to the company or use a template
  • Clearly identify if you object to direct marketing or some other processing operation.
  • In case you do not object merely to direct marketing, explain the specific situation that you feel should change their balancing test in your favor.
  • You should request that any recipients of the data should also stop further processing it and that the company informs them of this.

What are the consequences of objecting?

  • Unless the company rejects your request, it must stop the processing of your data (which usually means to delete them) as soon as you object.
  • The right to object is not retroactive, which means any operations which took place before you objected will not become illegal (like a marketing campaign done before you objected).
  • The company is not allowed to process your data based on this legal ground anymore unless there are other legal basis that justify to continue processing the data (e.g. a contract you have with the company or legal obligations on their side).

Typical Problems

  • It’s difficult to know whether a company is basing the processing on legitimate interest. The GDPR requires that the legal basis for each operation is clearly mentioned in the privacy policy of the company.
  • Many companies take the view that your special situation does not change their assessment.
  • Companies often don’t know how to react to requests and therefore reject them.
  • The company doesn’t respond within the deadline.