Right to object
lets a data subject object to processing based on the controller's legitimate interests. The objection shifts the burden of proof to the controller to show compelling legitimate grounds overriding the subject's interests, rights and freedoms (a key change from the Directive). No form is required - objections can be verbal or written, sent to any part of the organisation, and need not cite Article 21. For direct marketing (now expressly including profiling) the right is absolute and must be flagged separately at the latest at first communication.
Where a controller relies on legitimate interests, the data subject can object under Article 21(1). The objection shifts the burden of proof to the controller to demonstrate compelling legitimate grounds overriding the subject's interests, rights and freedoms (or for legal claims). Under the Directive the burden lay with the data subject - the GDPR reverses this.
- No form required: objections can be verbal or in writing, to any part of the organisation, without citing Article 21
- Staff who interact with individuals may need training to spot objections; document objections, especially those by phone or in person
- WP 217: a legitimate interest must be lawful, sufficiently specific, and a real and present (not speculative) interest
- Direct marketing: the right to object is absolute and now expressly includes profiling
- The right to object to direct marketing must be flagged explicitly, clearly and separately, at the latest at the first communication
- Art 21(6): for research/statistics, objection only succeeds where processing is not necessary for a public-interest task
Distinguish two limbs: objecting to legitimate-interests processing triggers a balancing test the controller must win; objecting to direct marketing is absolute - no balancing, processing must stop.