Skip to Content Skip to Navigation

The “Right to Object” is one of the eight data subject rights that organisations must uphold in order to comply with the General Data Protection Regulation (GDPR).

Article 21 of the EU legislation states that data subjects (i.e. citizens based in the European Union) have the right to object to the processing of their personal data, where “processing” is defined as the use of someone’s personal data. This includes activities such as the collection, recording, organisation, structuring, storage, adaptation, retrieval, disclosure, dissemination, combination, restriction, erasure, or destruction of data.

“Personal data” refers to any information that could be used to personally identify an individual, such as names, email addresses, photos, and even digital identifiers like IP addresses and online account usernames.

People who choose to exercise their right to object can do so in relation to certain types of processing, or to processing of certain types of personal data.

When does the Right to Object apply?

The Right to Object applies when the lawful basis an organisation uses to process your data is related to:

  • Tasks carried out in the public interest, as laid down by law
  • The exercise of official authority
  • Legitimate interests
  • Scientific or historical research, or statistical purposes

You also have the absolute right to object if an organisation is using your personal data for direct marketing purposes.

How do I object to my personal data being processed?

Your request to object to data processing can be made directly to an organisation verbally or in writing. Once your request is submitted, the organisation must action it “without undue delay”.

However, an organisation could continue to process your data if they can provide legitimate grounds which “override the interests, rights, and freedoms of the data subject” or for the establishment, exercise, or defence of legal claims.

An organisation can also reject your request if they consider your request to be “manifestly unfounded or excessive”. For example, if you make the request solely to harass an organisation or your request is repetitive in nature, it could be rejected.

Either way, the organisation must respond to let you know of their assessment of your request and how you can proceed with your case.

Create a GDPR privacy policy for your business is a free website privacy policy generator, trusted by thousands of small businesses around the world. Get your GDPR-ready privacy policy now.