Article 21 GDPR attributes to the data subject the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. Blocking cookies on a web page, for instance, is an example of objection.
This provision and its reference to the data subject’s particular situation aim at balancing its rights with the legitimate ones of others in processing their data. This is exemplified in the data subject’s professional interest in confidentiality. It is important to emphasize that the right to object is applicable where the legal basis for the processing is the controller’s performance of a task carried out in the public interest, or where the processing is based on the controller’s legitimate interests. In any event, the burden of proof lies with the controller, who must demonstrate compelling grounds for continuing the processing.
The successful objection, in fact, leads to the impossibility of processing the data at stake, whereas, according to the Fundamental Rights Agency (2018) processing operations performed prior to the objection remain legitimate. Voigt and von demBussche, instead, argue that it is unclear whether the successful objection results in the compulsory erasure of the data. In any event, a successful objection allows the data subject to exercise the right to erasure pursuant to Article 17.1(c) GDPR.
At the latest at the time of the first communication with the data subject, the right to object must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
It is nonetheless the case that Article 21.6 GDPRprevents the data subject from objecting the data processing, on the condition that the latter is performed for scientific or historical research purposes and statistical purposes and is necessary for the performance of a task carried out for reasons of public interest.The burden of proof concerning the necessity falls on the controller, who, however, does not have to demonstratethe existence of compelling legitimate grounds, such as in the case of the first paragraph of Article 21 GDPR.In this regard, it is important to remind that, according to the EDPB (2020),the scope of this derogation should be restricted to cases where the integrity of the research would be compromised by the exercise of data subject’s rights.As a matter of fact, the objection to all or part of a scientific research by several data subjects may negatively influence the representativeness and reliability of the research data.
Albeit unrelated to research purposes, the GDPR provides other two nuances relating to the right to object. First,Article 21.2 GDPR also includes a specific right to object relating to the use of personal data for direct marketing. This right can be exercised at any time and free of charge and the data subject must be informed about its existence in a clear way, separate from any other information.
Second, Article 21.5 of the GDPR regulates the right to object, when the processing is carried out by information society services through automated means. In this context, which is particularly relevant in terms of ICT research, the data controller must develop appropriate technical arrangements and procedures to guarantee that the right to object can be exercised effectively, such as in the case of blocking cookies on the webpage and turning off the tracking of internet browsing.
Checklist for complying with an objection request
Is the exercise of the right to object compliant with GDPR?
☐ Did you receive an objection request from a legal entity? If not, please indicate that the request was not lodged by an individual.
☐ Does the request fall within one of the exceptions laid down in Article 21.2-6 GDPR? If yes, please inform the data subject that the request shall be denied.
☐ Have the data subjects correctly identified themselves? If not, please ask for further information to confirm identity.
☐ Can the request be fulfilled within one month? If not, please inform why and how long will it take to process the request.
☐ The request needs to be fulfilled.
How to further comply with all the GDPR obligations:
☐ Check the data subject’s particular situation aim at balancing its rights with the legitimate ones of others in processing their data.
1Fundamental Rights Agency (ed.), op. cit., p. 231 ↑
2P. Voigt & von dem Bussche, op. cit., p. 179 ↑
3G. Zanfir-Fortuna, ‘Article 21. Right to Object’, in C. Kuner, L. A. Bygrave & C. Docksey (eds.),The EU General Data Protection Regulation (GDPR) A Commentary, Oxford: Oxford University Press, 2020, p. 519 ↑
4EDPB, op. cit., pp. 21-22 ↑