Right To Object (To Object To Data Processing Under GDPR)

What is the right to object?

When can a person exercise the right to object GDPR?

How should a company comply with the data protection requirements?

In this article, we will break down the concept of the data subject’s right to object.

We will provide you with all the practical details you need to know so you can understand how to comply.

Are you ready?

Let’s get started!

What is right to object (GDPR)?

The right to object is the right granted to individuals under GDPR to object to the processing of their personal data.

By objecting to the data processing, a person can request that a company effectively stop processing personal data related to them.

Just like the right to restrict processing data, the right to object is not an absolute right.

GDPR outlines the conditions when a person can object to data processing.

Article 21 GDPR states:

“The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.”

Let’s look at the grounds based on which a data subject can object.

On what grounds can a data subject object to data processing?

Based on this article, a data subject can object to the data processing, at any time, when processing is done in relation to:

  1. When processing is necessary for the performance of a task in the public interest
  2. When processing is necessary for the exercise of an official authority vested in the controller 
  3. When processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party
  4. Profiling based on the above grounds 

When a data subject objects based on the above grounds, a company should stop processing their data.

The above rights are not absolute, however.

A company may have a compelling legitimate interest to continue processing the data or may need it to exercise or defend against a legal claim.

Right to object to direct marketing 

Individuals have a strong or absolute right to object to the processing of their personal data when used for direct marketing purposes.

In fact, Article 21 GDPR addresses direct marketing as follows:

“2.   Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.”

“3.   Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”

Based on these two articles, it is clear that GDPR intends to protect individuals from receiving unwarranted or unwanted marketing messages or emails.

At any time, a data subject can object to the processing of personal data for direct marketing purposes and the company must immediately cease processing the personal data.

GDPR right to object exceptions

In some cases, a data controller may have a legitimate interest to continue processing personal data even though the data subject objects to it.

GDPR indicates that an organization may demonstrate compelling legitimate grounds for the processing that overrides the interests, rights and freedoms of the data subject or is for the establishment, exercise or defence of legal claims.

Compelling legitimate grounds

A company should carefully assess its compelling legitimate grounds to ensure that its rights override the interest, rights and freedoms of the data subject.

The GDPR working is important: a company should have compelling legitimate grounds.

An organization must ensure that its legitimate grounds are important enough to override the data subject’s rights and freedoms.

Particular attention should be given to the grounds invoked by the data subject to object to the processing.

When a company decides to continue processing, it will have the responsibility to demonstrate and establish its legitimate interest should the data subject disagree and file a complaint.

It’s an important exercise for the company to clearly identify its legitimate interests and evaluate it against the individual’s rights and freedoms.

Establishment, exercise or defence of legal claims

Another reason why a company can choose to continue processing personal data even though a data subject objected to it is for the establishment, exercise or defence of a legal claim.

The company should assess its legal position and determine whether or not the data may need to be processed in the context of legal action.

Privacy information to data subjects

A company must provide privacy information to data subjects when it intends to process personal data for the following reasons:

  1. Direct marketing 
  2. Performance of a task in the public interest
  3. Exercise of an official authority 
  4. Legitimate interest 

The processing based on the above needs must be disclosed to a data subject upon collection of the personal data in your privacy notice.

Make sure to address each purpose separately so individuals can be informed as to how they may exercise their right to object to the processing of personal data.

Right to object vs right to erasure

GDPR has closely connected the right to object and the right to erasure.

A data subject has the ability to object to the processing of personal data for direct marketing purposes under Article 21 GDPR and subsequently request the erasure of the data further to Article 17 GDPR.

It was also interesting to note that in the case Google Spain, the Court of Justice of the European Union relied on the right to object and the right to erasure to validate the plaintiff’s claim and allow for a person the right to be delisted from search engines.

The right to object has a primary focus on a particular data processing operation while the right to erasure has a primary focus on the personal data itself.

Right to object vs right to restriction 

The right to restrict processing of personal data can be exercised when:

  1. A person contests the accuracy of the data 
  2. The data is unlawfully processed
  3. The data is no longer needed but the individual needs the data to exercise a legal claim or defend against one
  4. A person has objected to data processing and the company is evaluating its legitimate interests

The right to object is possible only for specific processing activities such as:

  1. Direct marketing 
  2. Performance of a task in the public interest
  3. Exercise of an official authority 
  4. Legitimate interest 

Generally, when a person exercises the right to object to data processing, a company should restrict the processing of the data until a decision is made as to how to handle the request.

In this context, the right to restrict is a means to achieve the objective of the right to object in a sense.

Right to object profiling 

If a person’s data is processed for direct marketing, for the performance of a task in the public interest, in the exercise of official authority or based on a company’s legitimate interest by automated decision-making or profiling, a person has the right to object to it.

The right to object under GDPR applies to both the automated decision-making and profiling for the specific processing activities.

If automated decision-making and profiling activities are performed solely based on automated means and producing legal effects on a data subject or significantly affecting him or her, the data subject has the right not to be subjected to such automated decision-making or profiling.

Can a company refuse a data portability request?

A company should comply with a data subject’s request when exercising the right to object to processing of personal data. 

However, there is an exception that companies should be aware of.

Article 12(5) GDPR states that:

where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request”.

Based on this article, a data controller or data process has the right to refuse or reject a subject request provided it has the ability to demonstrate that the request is excessive or unfounded.

What is a manifestly unfounded request? 

GDPR allows a data controller or data processor to either charge a fee or reject a data subject’s right to object when the request is manifestly unfounded.

The term ‘manifestly’ refers to a request that is obvious or leaves no doubt that it is unfounded.

Companies should carefully assess a subject access request before rejecting it to ensure that the request is indeed manifestly unfounded.

Here are some examples of manifestly unfounded requests:

  1. A person has filed a request to get monetary advantages from the company
  2. The person’s request clearly shows that the objective is to disrupt the company operations
  3. The request is a person’s way to attack an employee of your company 
  4. The person’s request is malicious 
  5. The person is using the SAR as a means to harass the organization 

What is an excessive request? 

A data subject request can also be excessive in nature justifying its rejection.

An excessive request is when a person’s demands are excessive in nature or repetitive.

Companies should carefully assess a request before qualifying it as an excessive request though.

The burden to demonstrate that a request was excessive is on the organization’s shoulder.

Here are some examples of an excessive request:

  1. Repeatedly requesting the same thing over and over
  2. The request overlaps with another request 
  3. Submitting the same requests through multiple channels 

What’s advisable is that a company assesses the request carefully before rejecting it.

It may be a good practice to reach out to the data subject in order to clarify the request or better scope the request in such a way to eliminate its excessive nature.

If a data subject is unaware of the excessive nature of the request, they may request information in good faith not knowing any better.

Granted, some other individuals may know exactly what they are doing.

Rather than rejecting a request outright, it may be worth considering the option to have the request clarified.

How to notify the data subject of the request being rejected?

A data controller or data processor has the obligation to respond to the data subject’s request within one month from the request.

If a company intends to fully or partially reject the data subject’s request, it must inform the data subject of its decision in writing within the required timeline.

The data subject must be informed as to why his or her request has been rejected, their right to make a complaint with the relevant supervisory authority and their right to take action before judicial courts.

Infringement of data subject’s right of access

Article 83 GDPR allows the supervisory authorities to issue administrative fines in the event of non-compliance or the infringement of GDPR.

Depending on the nature of the infringement, GDPR classifies it in two categories.

One category is for serious infringement to GDPR whereby the fines can reach the greater of €20,000,000 or 4% of a company’s global annual turnover. 

The other category is for less serious infringement cases where fines can reach the greater of €10,000,000 or 2% of a company’s global annual turnover.

The violation of Article 21 GDPR having to do with the data subject’s right to object is a serious breach under GDPR (Article 83(5)(a) GDPR) exposing a company to GDPR fines in the amount equal to the greater of €20,000,000 or 4% of a company’s global annual turnover.

In addition, failure to observe the Article 12 GDPR requirements with regards to providing a data subject with supplementary information in response to a data subject exercising his or her right object is considered a serious breach of GDPR (Article 83(5)(b) GDPR) and as such will expose a company to fines in the amount representing the greater of €20,000,000 or 4% of a company’s global annual turnover.