The GDPR Right to Object Explained


Under the General Data Protection Regulation (GDPR), data subjects can object to certain uses of their data, but what exactly is the GDPR right to object, what can data subjects legitimately object to, and what must companies do when an objection is received from a data subject?

The GDPR Right to Object

The GDPR right to object is detailed in Article 21 of the GDPR. From May 25, 2018 – the compliance date for the GDPR – businesses must have developed policies and procedures for dealing with objections from data subjects.

The GDPR right to object allows data subjects to object to certain types of data processing and stop a company from continuing to process their personal data. There are only certain situations when a legitimate right to object can be sent to a company.

These are:

  1. Direct marketing
  2. The processing of personal data for statistical purposes related to historical or scientific research
  3. The processing of data for tasks in the public interest
  4. The exercising of official authority vested in you
  5. Objections to data processing in your or a third party’s legitimate interest
  6. Objections to data processing based on their own beliefs and situations

Individuals must be informed of the GDPR right to object at the first point of contact. They must be told they have a right to object to the processing of their data, the lawful basis for you processing their personal data, and when data are being processed for public tasks, legitimate interests, or for research or statistical purposes.

Data subjects should be allowed to make objections verbally or in writing. While not all objections will be valid, individuals do have an absolute right to stop their personal data from being used for direct marketing.

Responding to Objections from Data Subjects

All companies covered by the GDPR must develop policies and procedures for assessing objections from data subjects. An official at the company must be assigned responsibility for checking objections received from data subjects and determining their validity.

When the GDPR right to object is exercised, the data subject must supply a specific reason why they are objecting to the processing of their data, apart from objections related to direct marketing. Not all objections will require action, although each must be carefully considered.

All objections must be assessed and dealt with promptly. Companies have only one calendar month to assess and process objections from data subjects.

If an objection is received related to the use of personal data for direct marketing, a company must stop using personal data for direct marketing immediately. That includes any profiling related to direct marketing to that individual. If an objection is received, it does not mean an individual’s data must be immediately deleted, only suppressed to prevent them from receiving any future direct marketing.

Not all objections will be valid. For instance, if a company collects data for legal claims, and can prove that to be the case, the objection can be overridden. If an objection is received from a data subject relating to the use of personal information for research purposes, issues relating to public safety, public health, or uses that are in the public interest, it may not be necessary to comply with the objection. If an objection is determined to be valid, the company must stop processing the personal data of the data subject for the reasons outlined in the objection.

It is important for businesses to maintain records of any objections received and the action taken in response to those objections.

A data subject cannot be charged for resolving the objection, although in cases where objections are unfounded or excessive, a fee could be charged for processing the request or a company could simply refuse to deal with the request.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.
