25# Data Subject Rights – The right to object

This week’s post is going to cover, as announced last week, the data subjects’ right to object. The right means that an individual requests you, as the controller, to stop processing their personal data. It works as follows:

1. The right is absolute when the processing is for direct marketing purposes.
2. The right to object applies, but it is not absolute (i.e., specific exemptions from this right exist) if the processing is:
   1. necessary for a task carried out in the public interest;
   2. in the exercise of official authority vested in you;
   3. necessary for legitimate interests (either of you or a third party).

If the right to object applies to a certain processing activity, then it is imperative to explicitly bring this right to the individual’s attention. You should present this clearly and separately from any other information, at the time of the first communication with the data subject.

Let’s break down the meaning of the right a bit. By ‘stop processing’, the GDPR’s wording may have a broad meaning. This may mean that you even have to erase data, as ‘processing’ includes storing it. However, this might not always be the most appropriate action to take according to the ICO. Erasure may not be appropriate if you process the data for other purposes, as you need to retain the data for those purposes. For example, when an individual objects to the processing of their data for direct marketing, you can then place their details onto a suppression list to ensure that you continue to comply with their objection. The personal data may still be retained, however, if you have correct purposes and lawful basis.

When I write ‘not absolute’, I mean that you can continue processing under some circumstances, like if:

• You can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.
• The processing is for the establishment, exercise, or defence of legal claims.

The GDPR doesn’t lay it out what ‘compelling legitimate grounds’ are, but the WP29 have elaborated a bit about it in relation to profiling. Compelling legitimate grounds may be the case when processing is beneficial for society at large and not just the business interests of the controller in question. They propose that a three-step test would be needed to be done.

1. Consider the importance of the processing (or profiling in WP29’s case) to the particular objective.
2. Consider the impact of the processing (once again profiling in their case) on the data subject’s interests, rights and freedoms. The impacts should be limited to the minimum necessary to meet the objective.
3. Carry out a balancing exercise.

The burden of proof is flipped from how it was with the Data Protection Directive from 1995 when it was the data subject who had to prove their compelling legitimate interests. Now, it is you as the controller who needs to prove that.

If you have decided to not stop the processing of the personal data in question, you should let the individual know. Any decision would have to be explainable to the data subject and justified. When informing the data subject of the decision, there is also a good idea to inform them about their right to make a complaint to the supervisory authority and to enforce their rights through a judicial remedy.

There are a few purposes in the GDPR that are privileged. Inter alia, processing for scientific and historical research purposes, or statistical purposes. If your processing activity has these purposes, then the right to object exists only if the processing is not considered necessary for the performance of a task carried out for reasons of public interest.

In DPOrganizer’s tool, it is easy to respond to a right to object-request by having the entire processing operations mapped, which would be a time-saver in identifying what data are processed, where, how, and why. You can also create a case and have a case log readily available in the Data Subject Request module for responding to the request.

As the ICO stated in their guide, there is no formal way to make a valid objection. This means that the controller must be ready to receive it in any format, and that could be challenging. Another challenge would be to identify an objection in the data subject’s written or oral message to the organisation.

For questions, I direct you to either my mail albin.thelin@nulldporganizer.com or the privacy pros’ community Watercooler. Please join me next week for the exciting topic of automated decision-making and profiling!