At a glance
- The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
- Individuals have an absolute right to stop their data being used for direct marketing.
- In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.
- You must tell individuals about their right to object.
- An individual can make an objection verbally or in writing.
- You have one calendar month to respond to an objection.
Preparing for objections to processing
- We know how to recognise an objection and we understand when the right applies.
- We have a policy in place for how to record objections we receive verbally.
- We understand when we can refuse an objection and are aware of the information we need to provide to individuals when we do so.
- We have clear information in our privacy notice about individuals’ right to object, which is presented separately from other information on their rights.
- We understand when we need to inform individuals of their right to object in addition to including it in our privacy notice.
Complying with requests which object to processing
- We have processes in place to ensure that we respond to an objection without undue delay and within one month of receipt.
- We are aware of the circumstances when we can extend the time limit to respond to an objection.
- We have appropriate methods in place to erase, suppress or otherwise cease processing personal data.
What is the right to object?
Article 21 of the GDPR gives individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent you from processing their personal data.
An objection may be in relation to all of the personal data you hold about an individual or only to certain information. It may also only relate to a particular purpose you are processing the data for.
When does the right to object apply?
The right to object only applies in certain circumstances. Whether it applies depends on your purposes for processing and your lawful basis for processing.
Individuals have the absolute right to object to the processing of their personal data if it is for direct marketing purposes.
Individuals can also object if the processing is for:
- a task carried out in the public interest;
- the exercise of official authority vested in you; or
- your legitimate interests (or those of a third party).
In these circumstances the right to object is not absolute.
If you are processing data for scientific or historical research, or statistical purposes, the right to object is more limited.
These various grounds are discussed further below.
An individual can object to the processing of their personal data for direct marketing at any time. This includes any profiling of data that is related to direct marketing.
This is an absolute right and there are no exemptions or grounds for you to refuse. Therefore, when you receive an objection to processing for direct marketing, you must not process the individual’s data for this purpose.
However, this does not automatically mean that you need to erase the individual’s personal data, and in most cases it will be preferable to suppress their details. Suppression involves retaining just enough information about them to ensure that their preference not to receive direct marketing is respected in future.
Processing based upon public task or legitimate interests
An individual can also object where you are relying on one of the following lawful bases:
- ‘public task’ (for the performance of a task carried out in the public interest),
- ‘public task’ (for the exercise of official authority vested in you), or
- legitimate interests.
An individual must give specific reasons why they are objecting to the processing of their data. These reasons should be based upon their particular situation.
In these circumstances this is not an absolute right, and you can refuse to comply if:
- you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defence of legal claims.
If you are deciding whether you have compelling legitimate grounds which override the interests of an individual, you should consider the reasons why they have objected to the processing of their data. In particular, if an individual objects on the grounds that the processing is causing them substantial damage or distress (eg the processing is causing them financial loss), the grounds for their objection will have more weight. In making a decision on this, you need to balance the individual’s interests, rights and freedoms with your own legitimate grounds. During this process you should remember that the responsibility is for you to be able to demonstrate that your legitimate grounds override those of the individual.
If you are satisfied that you do not need to comply with the request you should let the individual know. You should explain your decision, and inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek to enforce their rights through a judicial remedy.
Where you are processing personal data for scientific or historical research, or statistical purposes, the right to object is more restricted.
Article 21(6) states:‘Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her personal situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.’
Effectively this means that if you are processing data for these purposes and have appropriate safeguards in place (eg data minimisation and pseudonymisation where possible) the individual only has a right to object if your lawful basis for processing is:
- public task (on the basis that it is necessary for the exercise of official authority vested in you), or
- legitimate interests.
The individual does not have a right to object if your lawful basis for processing is public task because it is necessary for the performance of a task carried out in the public interest.
Article 21(6) therefore differentiates between the two parts of the public task lawful basis (performance of a task carried out in the public interest or in the exercise of official authority vested in you).
This may cause difficulties if you are relying on the public task lawful basis for processing. It may not always be clear whether you are carrying out the processing solely as a task in the public interest, or in the exercise of official authority. Indeed, it may be difficult to differentiate between the two.
As such, it is good practice that if you are relying upon the public task lawful basis and receive an objection, you should consider the objection on its own merits and go on to consider the steps outlined in the next paragraph, rather than refusing it outright. If you do intend to refuse an objection on the basis that you are carrying out research or statistical work solely for the performance of a public task carried out in the public interest you should be clear in your privacy notice that you are only carrying out this processing on this basis.
If you do receive an objection you may be able to continue processing, if you can demonstrate that you have a compelling legitimate reason or the processing is necessary for legal claims. You need to go through the steps outlined in the previous section to demonstrate this.
As noted above, if you are satisfied that you do not need to comply with the request you should let the individual know. You should provide an explanation for your decision, and inform them of their right to make a complaint to the ICO or another supervisory authority, as well as their ability to seek to enforce their rights through a judicial remedy.
Do we need to tell individuals about the right to object?
The GDPR is clear that you must inform individuals of their right to object at the latest at the time of your first communication with them where:
- you process personal data for direct marketing purposes, or
- your lawful basis for processing is:
- public task (for the performance of a task carried out in the public interest),
- public task (for the exercise of official authority vested in you), or
- legitimate interests.
If one of these conditions applies, you should explicitly bring the right to object to the individual’s attention. You should present this information clearly and separately from any other information.
If you are processing personal data for research or statistical purposes you should include information about the right to object (along with information about the other rights of the individual) in your privacy notice.
Do we always need to erase personal data to comply with an objection?
Where you have received an objection to the processing of personal data and you have no grounds to refuse, you need to stop processing the data.
This may mean that you need to erase personal data as the definition of processing under the GDPR is broad, and includes storing data. However, as noted above, this will not always be the most appropriate action to take.
Erasure may not be appropriate if you process the data for other purposes as you need to retain the data for those purposes. For example, when an individual objects to the processing of their data for direct marketing, you can place their details onto a suppression list to ensure that you continue to comply with their objection. However, you need to ensure that the data is clearly marked so that it is not processed for purposes the individual has objected to.
Can we refuse to comply with an objection for other reasons?
If an exemption applies, you can refuse to comply with an objection (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request. For more information, please see our guidance on Exemptions.
You can also refuse to comply with a request if it is:
- manifestly unfounded; or
In order to decide if a request is manifestly unfounded or excessive you must consider each request on a case-by-case basis. You should not have a blanket policy.
You must be able to demonstrate to the individual why you consider the request is manifestly unfounded or excessive and, if asked, explain your reasons to the Information Commissioner.
What does manifestly unfounded mean?
A request may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right to restriction. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purposes other than to cause disruption. For example:
- the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
- the request makes unsubstantiated accusations against you or specific employees;
- the individual is targeting a particular employee against whom they have some personal grudge; or
- the individual systematically sends different requests to you as part of a campaign, eg once a week, with the intention of causing disruption.
This is not a simple tick list exercise that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made, and you are responsible for demonstrating that it is manifestly unfounded.
Also, you should not presume that a request is manifestly unfounded because the individual has previously submitted requests which have been manifestly unfounded or excessive or if it includes aggressive or abusive language.
The inclusion of the word “manifestly” means there must be an obvious or clear quality to it being unfounded. You should consider the specific situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request will be manifestly unfounded.Example
An individual believes that information held about them is inaccurate. They repeatedly request its correction but you have previously investigated and told them you regard it as accurate.
The individual continues to make requests along with unsubstantiated claims against you as the controller.
You refuse the most recent request because it is manifestly unfounded and you notify the individual of this.
What does excessive mean?
A request may be excessive if:
- it repeats the substance of previous requests; or
- it overlaps with other requests.
However, it depends on the particular circumstances. It will not necessarily be excessive just because the individual:
- makes a request about the same issue. An individual may have legitimate reasons for making requests that repeat the content of previous requests. For example, if the controller has not handled previous requests properly;
- makes an overlapping request, if it relates to a completely separate set of information; or
- previously submitted requests which have been manifestly unfounded or excessive.
What should we do if we refuse to comply with an objection?
You must inform the individual without undue delay and within one month of receipt of the request.
You should inform the individual about:
- the reasons you are not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
You should also provide this information if you request a reasonable fee or need additional information to identify the individual.
How do we recognise an objection?
The GDPR does not specify how to make a valid objection. Therefore, an objection to processing can be made verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.
A request does not have to include the phrase ‘objection to processing’ or Article 21 of the GDPR – as long as one of the conditions listed above apply.
This presents a challenge as any of your employees could receive a valid verbal objection. However, you have a legal responsibility to identify that an individual has made an objection to you and to handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify an objection.
Additionally, it is good practice to have a policy for recording details of the objections you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the objection. We also recommend that you keep a log of verbal objections.
Can we charge a fee?
In most cases you cannot charge a fee to comply with an objection.
However, you can charge a “reasonable fee” for the administrative costs of complying with the request if it is manifestly unfounded or excessive. You should base the reasonable fee on the administrative costs of complying with the request.
If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.
Alternatively, you can refuse to comply with a manifestly unfounded or excessive request.
How long do we have to comply?
You must comply with an objection without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any information requested to confirm the requester’s identity (see Can we ask an individual for ID?); or
- a fee (only in certain circumstances – see Can we charge a fee?)
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.Example
An organisation receives a request on 3 September. The time limit will start from the same day. This gives the organisation until 3 October to comply with the request.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.Example
An organisation receives a request on 31 March. The time limit starts from the same day. As there is no equivalent date in April, the organisation has until 30 April to comply with the request.
If 30 April falls on a weekend, or is a public holiday, the organisation has until the end of the next working day to comply.
For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Can we extend the time for a response?
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
Can we ask an individual for ID?
If you have doubts about the identity of the person making the objection you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.
You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their objection. The period for responding to the objection begins when you receive the additional information.
Thank you for reading.