GDPR Article 21 and Right to Object

Continuing our deep dive into the General Data Protection Regulation and data subject rights, this time we will be looking at Article 21 – The Right to Object.

The General Data Protection Regulation has introduced so many new rights for EU citizens that it is sometimes quite difficult to tell them apart. So what is the “right to object”, and how does it differ from Article 17 and the “right to be forgotten”?

What is the GDPR Right to Object?

If citizens are to regain full control of their personal data, they must have the right to control how it is used. At the most basic level, Article 21 outlines how an individual can request that your business does not process their data.
For example, any individual can lodge an objection to having their data processed for marketing purposes. Your GDPR-compliant data capture processes will already include an opt-out mechanism to deal with this scenario. Article 21 simply extends that right to anyone whose data you captured before GDPR came into force.
The GDPR right to object is not limited to marketing purposes, however. An objection can be lodged against virtually any data processing operation. The individual must provide a specific reason as to why they want you to stop processing their data, based on their own particular situation.

Can a data subject object to all processing?

GDPR rights to object to processing are not absolute though. If your business can prove that information is being processed for public interest purposes, then there are grounds for rejecting an objection. As paragraph 4 states:
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her personal situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The Information Commissioner’s Office adds further guidance, saying:
The individual does not have a right to object if your lawful basis for processing is public task because it is necessary for the performance of a task carried out in the public interest.
That said, you should still apply best practices as far as possible, using data anonymisation and pseudonymisation to protect individual privacy.

What are your obligations under GDPR Article 21?

Like every other aspect of the GDPR, your organisation has several important obligations under Article 21. And they begin immediately.
From your first communication with an individual, it is your duty to advise them that they have a right to object where data collection is being performed for marketing purposes. You must make a similar notification when collection and processing are taking place for purposes conducted in the public interest, to complete an officially-authorised activity, or as part of ‘legitimate interests’.
Unlike warning notices of the past, however, this notification needs to be clear and unambiguous. You cannot bury the right to object among the rest of your data processing policy – it must be ‘presented clearly and separately from any other information’.
And if you don’t meet the conditions above? You must still include references to the GDPR right to object within your privacy notice.

Are we exempt from the GDPR right to object to processing?

When it comes to using personal data for marketing purposes, no organisation is exempt from GDPR Article 21. Data subject rights always apply to marketing, so you must comply with an objection, no matter what your core business activities are.
There is also no exemption for general business activities. If a data subject objects, you must respect their wishes and cease processing.
The only exemptions to GDPR Article 21 are for data processing activities that are:

  • In the public interest.
  • Part of an exercise conducted on behalf of an official authority.
  • Classified as legitimate interests.

In these cases you are permitted to reject a data subject’s objection.
There is one other situation where you can turn down a request – if you deem the objection to be ‘manifestly unfounded or excessive’. Should you receive such an objection, you are permitted to request a “reasonable fee” to cover the cost of fulfilling it. Otherwise, you could choose to reject the request.
If you do decide to reject an objection, you will need to write to the data subject. You should explain your decision and the factors considered to justify it.
Be aware that citizens could still appeal your rejection via the Information Commissioner’s Office.

Do you have to delete data after an objection?

It is important to note that the “right to object” is different to the “right to erasure” (Article 17). Just because an individual objects to you processing their personal data does not mean that you must delete it.
In most cases, objections will relate to processing for marketing purposes. So instead of removing the data from your systems, you should mark it as not to be used for marketing, similar to the “do not mail” record flag present in most CRM systems.
If you are processing that same personal data for other activities, you must have a similar way of tagging records so that they are excluded from operations for which the data subject has withdrawn their consent. Ideally you should already have a GDPR compliance system in place that allows you to discover, classify and tag personal data, simplifying the process of dealing with Article 21 objections.
If you cannot create this meta information, you may be forced to delete the information to maintain GDPR compliance.

How to apply GDPR data subject rights correctly

Adherence to Article 21 is very similar to Article 17. To ensure compliance with both, you should:

  • Conduct a data discovery audit to locate personal data.
  • Identify where this data is being stored in applications, databases and archive backups. Don’t forget to include paper hard copies too.
  • Assess whether your data processing activities fall under any of the specified exemptions.
  • Define and document a procedure for assessing and executing Article 21 GDPR requests.
  • Create a form letter/email to inform data subjects about the outcome of their objections.
  • Define a method by which data can be tagged so that in future it is only processed in accordance with the individual’s wishes.

With a process in place you will find it much easier (and more cost-effective) to maintain 100% GDPR compliance.
The Consentric Platform can help prepare your systems to handle Article 21 objections and other GDPR data subject rights.