Article 21 GDPR: Difference between revisions

From GDPRhub
 
(36 intermediate revisions by 7 users not shown)
Line 185: Line 185:


==Legal Text==
==Legal Text==
<br /><center>'''Article 21 - Right to object'''</center><br />
<br /><center>'''Article 21 - Right to object'''</center>


<span id="1">1.  The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.</span>
<span id="1">1.  The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.</span>
Line 200: Line 200:


==Relevant Recitals==
==Relevant Recitals==
{{Recital/69 GDPR}}{{Recital/70 GDPR}}


<span id="r69">
==Commentary==
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
Article 21 ensures the data subject's right to object. In Paragraph 1, a general right to object is provided against the processing of personal data that may be lawful based on a permissible balancing of interests under Article 6(1)(f) or (e) GDPR. Paragraphs 2 and 3 establish a specific and unconditional right to object in the case of data processing for direct marketing purposes. Paragraph 4 reiterates the obligation on the data controller to inform about the existence of the right to object at the time of the first communication with the data subject. In the context of information society services, Paragraph 5 enables the exercise of the right to object through automated procedures using technical specifications. Lastly, Paragraph 6 grants an additional specific right to object to data processing for research or statistical purposes.  
<div>'''Recital 69:''' Right to Object </div>
<div class="mw-collapsible-content">
Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.
</div></div>


<span id="r70">
===(1) Right to object===
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
Article 21(1) GDPR grants data subjects the right to object, on grounds relating to their particular situation, to processing based on a legitimate interest ([[Article 6 GDPR|Article 6(1)(f) GDPR]]), or that is necessary for a task carried out in the public interest or in the exercise of official authority ([[Article 6 GDPR|Article 6(1)(e) GDPR]]). Controllers may reject this objection where they demonstrate compelling legitimate grounds for the processing activity which overrides the data subject’s interests, rights, and freedoms, or for the establishment, exercise, or defence of claims.  
<div>'''Recital 70:''' Right to Object to Direct Marketing</div>
<div class="mw-collapsible-content">
Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
</div></div>


==Commentary on Article 21==
==== Shall have the right to object ====
Once an objection has been submitted in accordance with Article 21(1) GDPR and is accompanied by appropriate justification, the data controller is obligated to cease processing the data.<ref>Article 21(1) GDPR, second sentence: "''The controller shall no longer process the personal data''".</ref> The GDPR does not grant data subjects a general right to object to the processing of their personal data. Rather, this right is limited to the circumstances outlined in Article 21(1) to (6) GDPR, as discussed further below.<ref>''Schrey'', in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).</ref>


===(1) The right to object to processing, including profiling===
The right to object requires a request from the data subject. There are no specific provisions, therefore the general rules of Article 12 GDPR apply, adapted to the specific cases, where appropriate. The controller must communicate in a clear, understandable, and easily accessible manner the actions taken in response to the request (Article 12(1) GDPR), and facilitate the entire process (Article 12(2) GDPR). The response must be provided promptly, within one month of the request, and no later than three months if the time extension under Article 12(3) GDPR applies.
''You can help us fill this section!''


===(2) The right to object to direct marketing===
The request does not require any specific form and can be submitted in written, oral, or electronic form. A general request, even not framed in legal terms, is sufficient.<ref>Datatilsynet (Norwey) - 20/02319-8 (available [https://edpb.europa.eu/system/files/2022-02/no_2021-11_decisionpublic.pdf here])</ref> Scholars note that there is no need to assign a specific "title" to the request; it can be implied, for example, when the contractual relationship between the parties is terminated.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 35 (C.H. Beck 2018, 2nd Edition).</ref> However, the request must at least contain the reasons for the data subject's objection and the prevailing interest believed to be violated.<ref>This is a necessary requirement; otherwise, the controller would not be able to perform the underlying interest balancing, except in the case of paragraphs 2 and 3, where such balancing is not required.</ref> This requirement should not be interpreted too restrictively for the data subject, considering the obligation to facilitate the request under Article 12(2) GDPR. In this regard, if the data subject's request is not clear, the controller may seek clarification and strive for a swift resolution of the dispute.
''You can help us fill this section!''


====On grounds relating to his or her particular situation====
Most commentators view this phrase as a clear threshold. Data subjects will not be able to exercise their right to object to processing under Article 21(1) GDPR, unless they assert specific reasons which pertain to their individual situation.<ref>See, e.g. ''Munz'', in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 13 (C.H. Beck 2019, 3rd Edition); ''Schulz'', in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 8 (C.H. Beck 2018, 2nd Edition).</ref> These reasons can be of a legal, economic, ethical, social, societal, or family nature.<ref>''Munz'', in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 13 (C.H. Beck 2019, 3rd Edition).</ref> It is not clear exactly how a data subject’s reasons will be assessed. ''Herbst'' argues, in line with the Hamburg Regional Court,<ref>LG Hamburg, 23 July 2020, 334 O 161/19 (available [https://www.landesrecht-hamburg.de/bsha/document/JURE200015390 here]).</ref> that their objection must be justified by something “''atypical''”, which can be assumed to have previously been unknown to the controller, and which it could therefore not take into account in its overall assessment under [[Article 6 GDPR|Article 6(1)(f) GDPR]]. For example, it would not be sufficient for a data subject to merely indicate that they do not want the processing to occur.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).</ref> Instead, they might have to assert a threat to their life, property, or the like.<ref>''Schulz'', in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 9 (C.H. Beck 2018, 2nd Edition).</ref> In contrast, others argue that the threshold should not be interpreted too strictly.<ref>''Munz'', in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2019, 3rd Edition); ''Forgó'', in Wolff, Brink, BeckOK Datenschutzrecht, Article 21 GDPR, margin number 8 (C.H. 
Beck 2021, 39th Edition).</ref> This view might be supported by a judgement of the Frankfurt Regional Court, which deemed a plaintiff’s difficulties in looking for an apartment due to the disclosure of data about his debt to be sufficient.<ref>LG Frankfurt a. M., 20 December 2018, 2/5 O 151/18, (available [https://www.rv.hessenrecht.hessen.de/bshe/document/LARE190005832 here]).</ref> In our view, rather than acting as a prerequisite for the exercise of the right to object, the phrase “''relating to his or her particular situation''” simply indicates that the data subject should have the right to affirm their specific interests in their personal data not being processed, which the controller may consider (or reconsider, in the light of the the data subject's individual position) in its weighing of interests.
In any case, the EDPB states that a controller should not dismiss an objection by a data subject just because they did not elaborate much on their particular situation in their objection under Article 21(1) GDPR. Rather, the controller should ask the data subject to further specify their request.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 71 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref> 
==== To processing of personal data concerning him or her ====
The wording of Article 21(1) does not explicitly define the scope of an objection. However, the wording does not exclude the possibility that the data subject may object to specific forms of processing (e.g. transmission) or to the processing of certain data, rather than objecting to the entire processing. The mention of profiling in Article 21(1)(a) also supports this possibility, as profiling is a distinct form of processing that can coexist with other forms of processing. If the data subject objects solely to profiling, other forms of processing can still be carried out. Therefore, the data subject has the option to object to the entire processing or only to specific parts of it.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 17 (C.H. Beck 2020, 3rd edition).</ref>
==== Based on Article 6(1)(e) or Article 6(1)(f) ====
The right to object is limited to cases where personal data processing is based on Article 6(1)(e) ("''processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller''") or Article 6(1)(f) GDPR ("''processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject''"). Consequently, the right to object applies to cases where the controller has initially considered the prevalence of their defended interest, specifically, the public interest in the case of Article 6(1)(e) and the controller's legitimate interest in the case of Article 6(1)(f). In other words, there is a balancing of interests carried out by the controller at the core of the processing.<blockquote><u>Example</u>: XXX</blockquote>This also explains why the right to object does not apply to other legal bases. For example, consent can be revoked at any time. Revocation does not need to be "explained" and does not require an assessment by the controller. In the case of processing based on a contract, objecting would be inconsistent as it goes against the contractual interest of the data subject. For instance, if a data subject purchases a product and then objects to the use of their address for delivery, it would be a case of "venire contra factum proprium." Lastly, in the case of processing based on a legal obligation, it is assumed that the legislator has already conducted the balancing of interests and has mandated the legitimacy of the processing by law. In this case, the legislative decision takes precedence over the data subject's subjective right.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 14 (C.H. Beck 2018, 2nd edition).</ref>
==== Including profiling based on Article 6(1)(f) or (e) ====
Article 21(1) GDPR specifies that data subjects can object to processing based on [[Article 6 GDPR|Article 6(1)(e) and (f) GDPR]], “''including profiling based on those provisions''.” Profiling is defined in [[Article 4 GDPR|Article 4(4) GDPR]] as a form of automated processing consisting of the use of personal data to evaluate certain personal aspects relating to a natural person. Because all types of processing based on [[Article 6 GDPR|Article 6(1)(e) or (f) GDPR]] are clearly covered by Article 21(1) GDPR, mentioning profiling specifically is somewhat legally redundant.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd edition).</ref> However, it can be seen to serve as more of a reminder, to the effect that the right of objection can apply especially with regard to profiling, which can be a problematic form of processing in the sense that sweeping and potentially incorrect conclusions are drawn about data subjects.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).</ref>
==== The controller shall no longer process personal data ====
Once an objection in accordance with Article 21(1) has been raised with proper justification, the data controller is obligated to cease the processing activities unless it can demonstrate valid grounds for continuing the activities. This does not occur automatically upon the objection,<ref>What occurs immediatly, if the data subjecct so requests, is the restriction of the processing under [[Article 18 GDPR|Article 18(1)(d) GDPR]]. Once a data subject has objected to processing under Article 21(1) GDPR, the controller must restrict the relevant processing activity until it is certain that it is based on compelling legitimate grounds that override the data subject’s rights and freedoms. [[Article 18 GDPR|Article 18(2) GDPR]] states that during this time, the processing may only be: (i) based on the data subject’s consent; (ii) for the exercise or defence of legal claims; (iii) for the protection of the rights of another natural or legal person; or (iv) for reasons of important public interest in the EU or a member state.</ref> but rather after a prompt assessment by the data controller, determining that the factual requirements are met and there are no grounds for exemptions (see below).<ref>Where a data subject’s right to object is valid, the data must be deleted under [https://gdprhub.eu/Article_17_GDPR Article 17(1)(c) GDPR] “''without undue delay''”.</ref> The assessment must be conducted without delay and its outcome promptly shared with the data subject.<ref>This notification is crucial. In theory, if the objection is successful, the data controller is not only required to cease processing but also to delete the personal data used, in accordance with Article 17(1)(c) of the GDPR. However, the data subject may have an interest in not having the data deleted and instead preferring its restriction, as provided for in Article 18(1)(b) of the GDPR. 
Without such notification, this possibility of restriction would be practically impossible.</ref> Any processing conducted prior to a valid objection remains unaffected (with an ex-nunc effect).<ref>''Schulz'', in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 15 (C.H. Beck 2022, 3rd edition).</ref>
====Unless the controller demonstrates====
In the event of an objection from the data subject, the controller is required to cease processing (as mentioned above) and potentially delete the involved data. The GDPR includes two fundamental exceptions to this principle, allowing for the continuation of processing even when a valid objection is raised. The first exception applies when the controller demonstrates<ref>Under Directive 95/46/EC, data subjects were required to demonstrate "''compelling legitimate grounds''" in order to exercise their right to object to processing by a controller. The GDPR reverses this burden of proof in the data subject’s favour by requiring controllers to demonstrate "''compelling legitimate grounds''" if they intend to continue the processing activities. See, ''Schrey'', in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018). The right to object was therefore strengthened under the GDPR. ''Zanfir-Fortuna,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 516 (Oxford University Press 2020), citing ''Hustinx'', in Cremona, New Technologies and EU Law, p. 123 (Oxford University Press 2017).</ref> that the objected processing is, or continues to be, justified by "''compelling legitimate grounds''" that outweigh the interests of the data subject. The second exception applies when the processing is necessary for "''the establishment, exercise, or defense of legal claims.''"
The burden of proof for this demonstration is on the controller and the presumption is in favor of the data subject objecting to a processing activity.<ref>EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 72 (available [https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf here]).</ref>
This provision presents controversial elements that have sparked debates and varying interpretations. The prevailing interpretation tends to argue that the burden of proving "''compelling legitimate grounds''" applies only to "''processing which overrides the interests, rights, and freedoms of the data subject.''" Consequently, it is not necessary to demonstrate "''compelling legitimate grounds''" for "''the establishment, exercise, or defense of legal claims.''"<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 24 (Beck 2020, 3rd edition). Along the same lines seems to go ''Zanfir-Fortuna,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).</ref> An intermediate interpretation suggests that in the second scenario (legal claims), the "''compelling legitimate grounds''" are presumed because the law itself considers the ability to bring legal action to be "''compelling''". In support of this interpretation, reference is made to the content of Recital 69, which only requires to demonstrate the controller's "legitimate interests", with no reference to the intention or necessity of legal action. However, in this case, it would still be necessary to demonstrate that the legal actions have a minimum level of credibility.<ref>''Martini'', in Paal, Pauly, DS-GVO, Article 21, margin numbers 40-42 (C.H. Beck 2021, 3rd Edition).</ref> Finally, a third interpretation is also possible. Upon closer examination, the phrase "''compelling legitimate grounds''" is followed by a first "''for''" (processing which overrides the interests, rights, and freedoms of the data subject) and a second "''for''" (the establishment, exercise, or defense of legal claims). According to a literal interpretation, the controller would therefore need to demonstrate "''compelling legitimate grounds''" in both the first and second cases.
Having said that, the following analysis presents the prevailing opinion on this matter.
===== Compelling legitimate grounds which override the data subject's interests =====
The GDPR does not elaborate on what constitutes a "''compelling''" legitimate ground. However, the WP29 suggested in its ‘Guidelines on Automated Individual Decision-Making’ that processing may be based on a compelling legitimate ground where, instead of merely furthering the controller’s business interests, it is “''beneficial for society at large (or the wider community)''” (e.g. “''profiling to predict the spread of a contagious disease)''”.<ref>WP29, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 18 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49826 here]).</ref> According to ''Zanfir-Fortuna'', "''compelling''" means that the legitimate interest must be “''overwhelming''” and override the data subject’s interests “''in a strong, significant way.''”<ref>''Zanfir-Fortuna,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).</ref> Additionally, ''Herbst'' notes that there can be no alternative ways to satisfy the controller’s interest.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 21 (C.H. Beck 2020, 3rd Edition).</ref>
The EDPB emphasized that the assessment of what constitutes a compelling legitimate ground is different from the assessment of what is a legitimate interest and the balancing exercise under Article [[Article 6 GDPR|6(1)(f) GDPR]].
{{Quote-EDPB|"If a data subject has invoked their right to object against a processing based on Article 6(1)(f) GDPR, it is not sufficient for the controller to just demonstrate that its earlier legitimate interest assessment regarding that processing was correct. The balancing test to be made under Article 21(1) GDPR is to be carried out in view of the particular situation of the data subject and requires the legitimate grounds invoked by the controller to be compelling, implying a higher threshold for overriding data subject objections. In other words, not all conceivable legitimate interests that may justify processing under Article 6(1)(f) GDPR are relevant in this context. Only interests that can be recognised as ‘compelling’ may be balanced against the rights, freedoms and interests of the data subject to assess whether there are grounds for processing that take precedence, despite the objection of the data subject. In essence, the grounds invoked should be essential to the controller (or to the third party in whose legitimate interest the data are being processed) to be considered compelling. This might be the case, for example, if a controller is compelled to process the personal data in order to protect its organisation or systems from serious immediate harm or from a severe penalty which would seriously affect its business. In contrast, showing that the processing would simply be beneficial or advantageous to the controller would not necessarily meet this threshold. The presence of compelling legitimate grounds needs to be assessed on a case-by-case basis and be linked to a specific objection."|EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 73.|4=https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf|Footnotes omitted.}}
This interest will also be considered compelling if it is recognised as such by EU law (whether expressly or tacitly)<ref>''Martini'', in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin number 36 (C.H. Beck 2021, 3rd Edition).</ref> or is within the remaining scope for regulation by national law. This includes the interests and purposes outlined in [[Article 23 GDPR|Article 23(1)(a) to (j) GDPR]] (e.g. national and public security) as well as Recital 73 GDPR (e.g. protection of human life). In any case, the threshold is certainly higher than the overriding legitimate interest that a controller must demonstrate under [[Article 6 GDPR|Article 6(1)(f) GDPR]], as any processing based on [[Article 6 GDPR|Article 6(1)(f) GDPR]] would otherwise be essentially immune to objection.<ref>''Zanfir-Fortuna,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).</ref>
For example, the District Court of Amsterdam held that when refusing a data subject’s objection under Article 21(1) GDPR, it is insufficient for a bank to refer in general terms to its legal obligation to participate in a credit registration system.<ref>Rb. Amsterdam, 22 April 2021, C/13/693399 / HA RK 20-337 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:3161 here]).</ref>
===== Or processing concerns the establishment, excercise or defence of legal claims =====
A controller may also refuse a request to object where it has an interest in the establishment, exercise or defence of legal claims. The provision applies when the establishment, exercise, or defense of legal claims is already underway or imminent.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 28 (C.H. Beck 2018, 2nd Edition).
</ref> It is not limited to the judicial claims but also includes out-of-court proceedings.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).</ref> The mere possibility of future legal disputes is not sufficient to justify the further processing of data. In cases of uncertainty regarding potential legal disputes, a balanced prognosis is required, considering factors such as the likelihood of a legal dispute, the significance of the claims involved, and the interests of the data subject. It is necessary for the (probability of) pursuing legal claims to outweigh the interests of the data subject in order to justify the continuation of data processing.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 23 (Beck 2020, 3rd edition).</ref>
===(2) Direct marketing===
Article 21(2) GDPR gives data subjects an absolute right to object to the processing of their personal data for direct marketing purposes.<ref>It is a situation very similar to data processing based on consent, where revocation does not need to be justified and it halts any processing activities. In fact, some authors argue that if direct marketing is based on consent, any objection, although theoretically incorrect, has the effect of revoking consent. See, ''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 51 (C.H. Beck 2018, 2nd Edition).</ref> Unlike the scenario described in paragraph 1, the data subject is not required to provide details about their specific situation. The objection takes effect upon the receipt of the request alone and there is no need for a balancing of interests by the controller, who cannot refuse the objection based on its compelling legitimate grounds. Furthermore, and again unlike under Article 21(1) GDPR, it is not necessary for the processing to be based on a specific legal basis (in that case, Article 6(1)(f) or (e) of the GDPR). The direct marketing purpose can be based on any legal ground, including the contract.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 27 (Beck 2020, 3rd edition).</ref> Regardless, the objection under Article 21(2) GDPR takes effect.<blockquote><u>Example</u>: following an objection, contract-based direct marketing should be stopped - social network case</blockquote>
==== Direct marketing purposes ====
Whilst "direct marketing" is not defined in the GDPR, its meaning can be derived from other EU and national laws. Pursuant to Article 2(a), Directive 2006/114/EC, "''advertising''" means "''the making of a representation in any form in connection with a trade, business, craft or profession in order to promote the supply of goods or services, including immovable property, rights and obligations''". It is irrelevant for whom the advertising is made. This includes not only direct advertising for the controller's own products or services, but also direct advertising for the benefit of third parties. Also irrelevant is whether or not the advertised content is communicated alongside other non-marketing materials. Direct advertising also occurs, for example, when commercial information is given in automatically generated confirmation e-mails.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 47-48 (C.H. Beck 2018, 2nd Edition).</ref> Communications for non-commercial purposes, such as political, social or religious purposes, are also covered by the definition.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 26 (Beck 2020, 3rd edition).</ref>
For "''advertising''" (or "''marketing''") to be "''direct''", there must be an underlying activity by which the user is singled out and addressed with promotional materials concerning the sale of goods or the provision of services.<ref>''Martini'', in Paul, Pauly, DS-GVO BDSG, Article 21 GDPR, margin number 48 (C.H. Beck 2021, 3rd Edition) citing Article 2(a) Directive 2006/114/EC and Article 13(1) Directive 2002/58/EC; ''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin numbers 45-46 (C.H. Beck 2018, 2nd Edition).</ref> Article 13 of Directive 2002/58/EC (e-Privacy Directive, consolidated version) states that this scenario includes the use of automated calling machines, telefaxes, and e-mails, including SMS messages (Recital 40, e-Privacy Directive). The extent to which online (targeted) advertising may be classified as "''direct marketing''" is not entirely clear, as it is unclear whether online advertising always falls within the scope of Article 13 of the e-Privacy Directive. There is, in fact, room for a broad interpretation of that provision. Sophisticated online targeted advertising techniques do single out and specifically target individual users across the internet to promote goods or services, and in this way appear to satisfy direct marketing’s key characteristics.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 26 (Beck 2020, 3rd edition).</ref>
The CJEU case-law seems to support this latter interpretation, giving a broad and evolving meaning to the concept of the medium through which direct marketing is conveyed. In particular, the Court of Justice held that inbox advertising - the display of advertisements disguised as emails in an email inbox - is subject to the e-Privacy Directive, interpreted in line with the evolution of technological means.
CJEU: In StWL Städtische Werke Lauf, margin number 39, the CJEU supports a teleological, extensive and evolutive interpretation of the e-Privacy Directive: “''First, Directive 2009/136, which amended Directive 2002/58, refers, in recital 67 thereof, to kinds of communication other than those mentioned in Directive 2002/58 when it states that the safeguards provided for subscribers against intrusion into their privacy by unsolicited communications for direct marketing purposes by means of electronic mail ‘should also be applicable to SMS, MMS and other kinds of similar applications’. Second, as specified in recital 4 of Directive 2002/58, the objective of providing an equal level of protection of personal data and privacy for users of publicly available electronic communications services must be ensured ‘regardless of the technologies used’, which confirms that it is necessary to adopt an interpretation that is broad, and evolving from a technological perspective, of the types of communication covered by that directive''.”<ref>CJEU, Case 102/20, StWL Städtische Werke Lauf a.d. Pegnitz GmbH, 25 November 2021, margin numbers 39 and 45 (available [[CJEU - C-102/20 - StWL Städtische Werke Lauf a.d. Pegnitz GmbH|here]]).</ref>
==== Including profiling related to direct marketing ====
See section above "''Including profiling based on Article 6(1)(f) or (e)''".
===(3) Stopping direct marketing processing===
Where a data subject objects to processing under Article 21(2) GDPR, all processing of their data for direct marketing purposes must stop. Processing of the personal data for other lawful purposes remains unaffected.<ref>''Schrey'', in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).</ref> That said, the relationship between Article 21(3) GDPR and [[Article 17 GDPR]] on the right to erasure must be considered. The tight relationship between Article 21(3) and Article 17(1)(c) GDPR seems to suggest that erasure should automatically follow an objection to processing for direct marketing. ''Zanfir-Fortuna'' highlights that a controller could conceivably argue that personal data only needs to be erased from a specific database kept for direct marketing purposes, and that it can continue to process it for other purposes elsewhere.<ref>''Zanfir-Fortuna,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 518 (Oxford University Press 2020).</ref>
 
Avoiding automatic deletion could also be in the interest of the data subject, as complete erasure makes it more likely that the controller, having obtained the same or related data at a later point, accidentally uses it again for marketing purposes. The data subject could thus specify that their objection does not imply a complete deletion of all data. In such cases, including the data subject's contact information in an advertising blocking file is an appropriate measure to respect their preferences.<ref>Some DPAs also recommend keeping certain personal data on the individual who has objected to processing, so that the controller can make sure that it definitely does not market to them again. ''Zanfir-Fortuna,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 518 (Oxford University Press 2020).</ref> By maintaining this file, the controller can ensure that the data subject will not receive any future advertising, even if external data is utilized. As part of the notification process in accordance with Article 12(3), data subjects should also be informed about the purpose of including their data in the blocking file. However, if the data subject requests the deletion of all data, they should be informed that they may receive advertising again in the future if third-party data is legally used.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 32a (Beck 2020, 3rd edition).</ref>
 
===(4) Information on the right to object===
The obligation to inform data subjects of their right to object to processing stems from [[Article 13 GDPR|Articles 13(2)(b)]] and [[Article 14 GDPR|14(2)(c) GDPR]]. However, Article 21(4) GDPR specifies that the right to object under Article 21(1) and 21(2) GDPR (i.e. the right to object against processing based on a legitimate interest, necessary for a task in the public interest, and for direct marketing, respectively) must be communicated to the data subject explicitly, clearly, separately from other information, and at the latest at the time of the first communication. For example, the French DPA has stated that information on the right to object should be provided in a distinct paragraph or pictogram.<ref>CNIL, 17 October 2018, Dispositifs de mesure d’audience et de fréquentation dans ses espaces accessibles au public: la CNIL rappelle les règles (available [https://www.cnil.fr/fr/dispositifs-de-mesure-daudience-et-de-frequentation-dans-des-espaces-accessibles-au-public-la-cnil here]).</ref> Any indirect or implied reference to the right of objection will not satisfy Article 21(4) GDPR.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 56 (C.H. Beck 2018, 2nd Edition).</ref> The notification under Article 21(4) GDPR must be made at the time of the first marketing communication, and not necessarily at the time that the data is first processed. However, if data is collected directly from the data subject, [[Article 13 GDPR|Article 13(2)(b) GDPR]] requires that the data subject be informed of their right to object at the point that the data is collected from them.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 58 (C.H. Beck 2018, 2nd Edition).</ref>
 
===(5) Objection when using information society services===
In accordance with Article 21(5) of the GDPR, the right to object in relation to the use of information society services (ISS) can be exercised using automated procedures and technical specifications.<ref>[[Article 4 GDPR|Article 4(25) GDPR]] refers to the definition of ISS provided in Article 1(1)(b) of Directive 2015/1535, which states that ISS are: “''services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services''.” The same article clarifies that "''at a distance''" means the service is provided without the parties being simultaneously present, "''by electronic means''" means the service is initially sent and received at its destination by means of electronic equipment for the processing and storage of data, and "''at the individual request of a recipient of services''" means that the service is provided through the transmission of data on individual request. Article 21 GDPR therefore always applies to services offered in an online environment.</ref> Organisations can satisfy Article 21(5) GDPR by, inter alia, enabling a do-not-track function of the data subject’s browser,<ref>''Schrey'', in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 148 (C.H. Beck, Hart, Nomos 2018).</ref> including an "''opt-out''" link in a direct marketing email, or by providing a Wi-Fi network that could detect a do-not-track signal from mobile phone users in a monitored area.<ref>''Zanfir-Fortuna,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 519 (Oxford University Press 2020).</ref>


Article 21(5) GDPR applies "''notwithstanding Directive 2002/58/EC''". This means that this type of objection must be implemented regardless of any conflicting e-Privacy provisions. This applies specifically to Article 14(1) of the e-Privacy Directive, under which no mandatory requirements for specific technical features are imposed on terminal or other electronic communication equipment which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States. For the purpose of enabling the automated exercise of the right to object, it is permissible to impose such mandatory requirements related to specific technical features.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 45 (Beck 2020, 3rd edition).</ref>
===(6) Processing for scientific or historical research purposes===
Lastly, Article 21(6) GDPR gives users the right to object to processing for scientific or historical research purposes, or statistical purposes, on grounds relating to their particular situation, unless the processing is necessary for the performance of a task carried out in the public interest. Controllers are therefore exempt from such an objection where processing is based on the first sentence of [[Article 6 GDPR|Article 6(1)(e) GDPR]], but not the second sentence (i.e. where processing is necessary for the performance of a task in the exercise of official authority vested in the controller).


In contrast to the right to object under Article 21(1) GDPR, where controllers process data necessary for the performance of a task carried out in the public interest, they do not need to demonstrate "''compelling legitimate grounds''" in order to refuse an objection to processing. As such, the threshold for refusing an objection is lower.


The extent to which a controller would still need to carry out a balancing exercise of the importance of their task in the public interest and the objection in the interests of the data subject is not clear. Unlike Article 21(1) GDPR, Article 21(6) GDPR does not explicitly provide for this (note the lack of the word "''override''"). However, ''Munz'' argues that the need for a balancing of interests naturally stems from the principle of proportionality in Article 52(2) of the Charter of Fundamental Rights of the EU, and that Article 21(6) GDPR should be interpreted in light of this.<ref>''Munz'', in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 62 (C.H. Beck 2019, 3rd Edition).</ref> According to ''Martini'', the word "''unless''" in Article 21(6) GDPR implies that the burden of proof for rejecting an objection lies with the controller, meaning that the data subject’s interest should take precedence in case of doubt.<ref>''Martini'', in Paul, Pauly, DS-GVO BDSG, Article 21 GDPR, margin number 60 (C.H. Beck 2021, 3rd Edition).</ref>


Notably, unlike with Article 21(1) and (2) GDPR, the right to object under Article 21(6) GDPR does not need to explicitly be brought to the attention of the data subject under Article 21(4) GDPR. This may be attributable to the fact that data from a large number of data subjects are often processed during processing for research and statistical purposes, with the effect that satisfying Article 21(4) GDPR would likely be impractical or involve a "''disproportionate effort''" pursuant to [[Article 14 GDPR|Article 14(5) GDPR]]. Controllers are nonetheless still obligated to notify data subjects of their right to object under [[Article 12 GDPR|Article 12(2)(b) GDPR]].
==Decisions==
→ You can find all related decisions in [[:Category:Article 21 GDPR]]

Latest revision as of 15:01, 24 October 2024

Article 21 - Right to object

Legal Text


Article 21 - Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Relevant Recitals

Recital 69: Right to Object
Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.

Recital 70: Right to Object to Direct Marketing
Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

Commentary

Article 21 ensures the data subject's right to object. In Paragraph 1, a general right to object is provided against the processing of personal data that may be lawful based on a permissible balancing of interests under Article 6(1)(f) or (e) GDPR. Paragraphs 2 and 3 establish a specific and unconditional right to object in the case of data processing for direct marketing purposes. Paragraph 4 reiterates the obligation on the data controller to inform about the existence of the right to object at the time of the first communication with the data subject. In the context of information society services, Paragraph 5 enables the exercise of the right to object through automated procedures using technical specifications. Lastly, Paragraph 6 grants an additional specific right to object to data processing for research or statistical purposes.

(1) Right to object

Article 21(1) GDPR grants data subjects the right to object, on grounds relating to their particular situation, to processing based on a legitimate interest (Article 6(1)(f) GDPR), or that is necessary for a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e) GDPR). Controllers may reject this objection where they demonstrate compelling legitimate grounds for the processing activity which override the data subject’s interests, rights, and freedoms, or for the establishment, exercise, or defence of claims.

Shall have the right to object

Once an objection has been submitted in accordance with Article 21(1) GDPR and is accompanied by appropriate justification, the data controller is obligated to cease processing the data.[1] The GDPR does not grant data subjects a general right to object to the processing of their personal data. Rather, this right is limited to the circumstances outlined in Article 21(1) to (6) GDPR, as discussed further below.[2]

The right to object requires a request from the data subject. There are no specific provisions; the general rules of Article 12 GDPR therefore apply, adapted to the specific cases where appropriate. The controller must communicate in a clear, understandable, and easily accessible manner the actions taken in response to the request (Article 12(1) GDPR), and facilitate the entire process (Article 12(2) GDPR). The response must be provided promptly, within one month of the request, and no later than three months if the time extension under Article 12(3) GDPR applies.

The request does not require any specific form and can be submitted in written, oral, or electronic form. A general request, even not framed in legal terms, is sufficient.[3] Scholars note that there is no need to assign a specific "title" to the request; it can be implied, for example, when the contractual relationship between the parties is terminated.[4] However, the request must at least contain the reasons for the data subject's objection and the prevailing interest believed to be violated.[5] This requirement should not be interpreted too restrictively for the data subject, considering the obligation to facilitate the request under Article 12(2) GDPR. In this regard, if the data subject's request is not clear, the controller may seek clarification and strive for a swift resolution of the dispute.

On grounds relating to his or her particular situation

Most commentators view this phrase as a clear threshold. Data subjects will not be able to exercise their right to object to processing under Article 21(1) GDPR, unless they assert specific reasons which pertain to their individual situation.[6] These reasons can be of a legal, economic, ethical, social, societal, or family nature.[7] It is not clear exactly how a data subject’s reasons will be assessed. Herbst argues, in line with the Hamburg Regional Court,[8] that their objection must be justified by something “atypical”, which can be assumed to have previously been unknown to the controller, and which it could therefore not take into account in its overall assessment under Article 6(1)(f) GDPR. For example, it would not be sufficient for a data subject to merely indicate that they do not want the processing to occur.[9] Instead, they might have to assert a threat to their life, property, or the like.[10] In contrast, others argue that the threshold should not be interpreted too strictly.[11] This view might be supported by a judgement of the Frankfurt Regional Court, which deemed a plaintiff’s difficulties in looking for an apartment due to the disclosure of data about his debt to be sufficient.[12] In our view, rather than acting as a prerequisite for the exercise of the right to object, the phrase “relating to his or her particular situation” simply indicates that the data subject should have the right to affirm their specific interests in their personal data not being processed, which the controller may consider (or reconsider, in the light of the data subject's individual position) in its weighing of interests.

In any case, the EDPB states that a controller should not dismiss an objection by a data subject just because they did not elaborate much on their particular situation in their objection under Article 21(1) GDPR. Rather, the controller should ask the data subject to further specify their request.[13]

To processing of personal data concerning him or her

The wording of Article 21(1) does not explicitly define the scope of an objection. However, the wording does not exclude the possibility that the data subject may object to specific forms of processing (e.g. transmission) or to the processing of certain data, rather than objecting to the entire processing. The mention of profiling in Article 21(1)(a) also supports this possibility, as profiling is a distinct form of processing that can coexist with other forms of processing. If the data subject objects solely to profiling, other forms of processing can still be carried out. Therefore, the data subject has the option to object to the entire processing or only to specific parts of it.[14]

Based on Article 6(1)(e) or Article 6(1)(f)

The right to object is limited to cases where personal data processing is based on Article 6(1)(e) ("processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller") or Article 6(1)(f) GDPR ("processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject"). Consequently, the right to object applies to cases where the controller has initially considered the prevalence of their defended interest, specifically, the public interest in the case of Article 6(1)(e) and the controller's legitimate interest in the case of Article 6(1)(f). In other words, there is a balancing of interests carried out by the controller at the core of the processing.

Example: XXX

This also explains why the right to object does not apply to other legal bases. For example, consent can be revoked at any time. Revocation does not need to be "explained" and does not require an assessment by the controller. In the case of processing based on a contract, objecting would be inconsistent as it goes against the contractual interest of the data subject. For instance, if a data subject purchases a product and then objects to the use of their address for delivery, it would be a case of "venire contra factum proprium." Lastly, in the case of processing based on a legal obligation, it is assumed that the legislator has already conducted the balancing of interests and has mandated the legitimacy of the processing by law. In this case, the legislative decision takes precedence over the data subject's subjective right.[15]

Including profiling based on Article 6(1)(f) or (e)

Article 21(1) GDPR specifies that data subjects can object to processing based on Article 6(1)(e) and (f) GDPR, “including profiling based on those provisions.” Profiling is defined in Article 4(4) GDPR as a form of automated processing consisting of the use of personal data to evaluate certain personal aspects relating to a natural person. Because all types of processing based on Article 6(1)(e) or (f) GDPR are clearly covered by Article 21(1) GDPR, mentioning profiling specifically is somewhat legally redundant.[16] However, it can be seen to serve as more of a reminder, to the effect that the right of objection can apply especially with regard to profiling, which can be a problematic form of processing in the sense that sweeping and potentially incorrect conclusions are drawn about data subjects.[17]

The controller shall no longer process personal data

Once an objection in accordance with Article 21(1) has been raised with proper justification, the data controller is obligated to cease the processing activities unless it can demonstrate valid grounds for continuing the activities. This does not occur automatically upon the objection,[18] but rather after a prompt assessment by the data controller, determining that the factual requirements are met and there are no grounds for exemptions (see below).[19] The assessment must be conducted without delay and its outcome promptly shared with the data subject.[20] Any processing conducted prior to a valid objection remains unaffected (with an ex-nunc effect).[21]

Unless the controller demonstrates

In the event of an objection from the data subject, the controller is required to cease processing (as mentioned above) and potentially delete the involved data. The GDPR includes two fundamental exceptions to this principle, allowing for the continuation of processing even when a valid objection is raised. The first exception applies when the controller demonstrates[22] that the objected processing is, or continues to be, justified by "compelling legitimate grounds" that outweigh the interests of the data subject. The second exception applies when the processing is necessary for "the establishment, exercise, or defense of legal claims."

The burden of proof for this demonstration is on the controller and the presumption is in favor of the data subject objecting to a processing activity.[23]

This provision presents controversial elements that have sparked debates and varying interpretations. The prevailing interpretation tends to argue that the burden of proving "compelling legitimate grounds" applies only to "processing which overrides the interests, rights, and freedoms of the data subject." Consequently, it is not necessary to demonstrate "compelling legitimate grounds" for "the establishment, exercise, or defense of legal claims."[24] An intermediate interpretation suggests that in the second scenario (legal claims), the "compelling legitimate grounds" are presumed because the law itself considers the ability to bring legal action to be "compelling". In support of this interpretation, reference is made to the content of Recital 69, which only requires to demonstrate the controller's "legitimate interests", with no reference to the intention or necessity of legal action. However, in this case, it would still be necessary to demonstrate that the legal actions have a minimum level of credibility.[25] Finally, a third interpretation is also possible. Upon closer examination, the phrase "compelling legitimate grounds" is followed by a first "for" (processing which overrides the interests, rights, and freedoms of the data subject) and a second "for" (the establishment, exercise, or defense of legal claims). According to a literal interpretation, the controller would therefore need to demonstrate "compelling legitimate grounds" in both the first and second cases.

Having said that, the following analysis presents the prevailing opinion on this matter.

Compelling legitimate grounds which override the data subject's interests

The GDPR does not elaborate on what constitutes a "compelling" legitimate ground. However, the WP29 suggested in its ‘Guidelines on Automated Individual Decision-Making’ that processing may be based on a compelling legitimate ground where, instead of merely furthering the controller’s business interests, it is “beneficial for society at large (or the wider community)” (e.g. “profiling to predict the spread of a contagious disease”).[26] According to Zanfir-Fortuna, "compelling" means that the legitimate interest must be “overwhelming” and override the data subject’s interests “in a strong, significant way”.[27] Additionally, Herbst notes that there can be no alternative ways to satisfy the controller’s interest.[28]

The EDPB emphasized that the assessment of what constitutes a compelling legitimate ground is different from the assessment of what is a legitimate interest and the balancing exercise under Article 6(1)(f) GDPR.


"If a data subject has invoked their right to object against a processing based on Article 6(1)(f) GDPR, it is not sufficient for the controller to just demonstrate that its earlier legitimate interest assessment regarding that processing was correct. The balancing test to be made under Article 21(1) GDPR is to be carried out in view of the particular situation of the data subject and requires the legitimate grounds invoked by the controller to be compelling, implying a higher threshold for overriding data subject objections. In other words, not all conceivable legitimate interests that may justify processing under Article 6(1)(f) GDPR are relevant in this context. Only interests that can be recognised as ‘compelling’ may be balanced against the rights, freedoms and interests of the data subject to assess whether there are grounds for processing that take precedence, despite the objection of the data subject. In essence, the grounds invoked should be essential to the controller (or to the third party in whose legitimate interest the data are being processed) to be considered compelling. This might be the case, for example, if a controller is compelled to process the personal data in order to protect its organisation or systems from serious immediate harm or from a severe penalty which would seriously affect its business. In contrast, showing that the processing would simply be beneficial or advantageous to the controller would not necessarily meet this threshold. The presence of compelling legitimate grounds needs to be assessed on a case-by-case basis and be linked to a specific objection."

EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 73. Footnotes omitted.


This interest will also be considered compelling if it is recognised as such by EU law (whether expressly or tacitly)[29] or is within the remaining scope for regulation by national law. This includes the interests and purposes outlined in Article 23(1)(a) to (j) GDPR (e.g. national and public security) as well as Recital 73 GDPR (e.g. protection of human life). In any case, the threshold is certainly higher than the overriding legitimate interest that a controller must demonstrate under Article 6(1)(f) GDPR, as any processing based on Article 6(1)(f) GDPR would otherwise be essentially immune to objection.[30]

For example, the District Court of Amsterdam held that when refusing a data subject’s objection under Article 21(1) GDPR, it is insufficient for a bank to refer in general terms to its legal obligation to participate in a credit registration system.[31]

Or processing concerns the establishment, exercise or defence of legal claims

A controller may also refuse a request to object where it has an interest in the establishment, exercise or defence of legal claims. The provision applies when the establishment, exercise, or defense of legal claims is already underway or imminent.[32] It is not limited to judicial claims but also includes out-of-court proceedings.[33] The mere possibility of future legal disputes is not sufficient to justify the further processing of data. In cases of uncertainty regarding potential legal disputes, a balanced prognosis is required, considering factors such as the likelihood of a legal dispute, the significance of the claims involved, and the interests of the data subject. It is necessary for the (probability of) pursuing legal claims to outweigh the interests of the data subject in order to justify the continuation of data processing.[34]

(2) Direct marketing

Article 21(2) GDPR gives data subjects an absolute right to object to the processing of their personal data for direct marketing purposes.[35] Unlike the scenario described in paragraph 1, the data subject is not required to provide details about their specific situation. The objection takes effect upon the receipt of the request alone and there is no need for a balancing of interests by the controller, who cannot refuse the objection based on its compelling legitimate grounds. Furthermore, and again unlike under Article 21(1) GDPR, it is not necessary for the processing to be based on a specific legal basis (in that case, Article 6(1)(f) or (e) of the GDPR). The direct marketing purpose can be based on any legal ground, including the contract.[36] Regardless, the objection under Article 21(2) GDPR takes effect.

Example: following an objection, contract-based direct marketing should be stopped - social network case

Direct marketing purposes

Whilst "direct marketing" is not defined in the GDPR, its meaning can be derived from other EU and national laws. Pursuant to Article 2(a), Directive 2006/114/EC, "advertising" means "the making of a representation in any form in connection with a trade, business, craft or profession in order to promote the supply of goods or services, including immovable property, rights and obligations". It is irrelevant for whom the advertising is made. This includes not only direct advertising for the controller's own products or services, but also direct advertising for the benefit of third parties. Also irrelevant is whether or not the advertised content is communicated alongside other non-marketing materials. Direct advertising also occurs, for example, when commercial information is given in automatically generated confirmation e-mails.[37] Communications for non-commercial purposes, such as political, social or religious purposes are also covered by the definition.[38]

For "advertising" (or "marketing") to be "direct", there must be an underlying activity by which the user is singled out and addressed with promotional materials concerning the sale of goods or the provision of services.[39] Article 13 of Directive 2002/58/EC (e-Privacy Directive, consolidated version) states that this scenario includes the use of automated calling machines, telefaxes, and e-mails, including SMS messages (Recital 40, e-Privacy Directive). The extent to which online (targeted) advertising may be classified as "direct marketing" is not entirely clear, as it is unclear whether online advertising always falls within the scope of Article 13 of the e-Privacy Directive. As a matter of fact, there is room for a broad interpretation of such a provision. Sophisticated online targeted advertising techniques do single out and specifically target individual users across the internet to promote goods or services, and in this way appear to satisfy direct marketing’s key characteristics.[40]

The CJEU case-law seems to support this latter interpretation, giving a broad and evolving meaning to the concept of the medium through which direct marketing is conveyed. In particular, the Court of Justice held that inbox advertising - the display of advertisements disguised as emails in an email inbox - is subject to the e-Privacy Directive, interpreted in line with the evolution of technological means.

CJEU: In StWL Städtische Werke Lauf, margin number 39, the CJEU supports a teleological, extensive and evolutive interpretation of the e-Privacy Directive: “First, Directive 2009/136, which amended Directive 2002/58, refers, in recital 67 thereof, to kinds of communication other than those mentioned in Directive 2002/58 when it states that the safeguards provided for subscribers against intrusion into their privacy by unsolicited communications for direct marketing purposes by means of electronic mail ‘should also be applicable to SMS, MMS and other kinds of similar applications’. Second, as specified in recital 4 of Directive 2002/58, the objective of providing an equal level of protection of personal data and privacy for users of publicly available electronic communications services must be ensured ‘regardless of the technologies used’, which confirms that it is necessary to adopt an interpretation that is broad, and evolving from a technological perspective, of the types of communication covered by that directive.”[41]

Including profiling related to direct marketing

See section above "Including profiling based on Article 6(1)(f) or (e)".

(3) Stopping direct marketing processing

Where a data subject objects to processing under Article 21(2) GDPR, all processing of their data for direct marketing purposes must stop. Processing of the personal data for other lawful purposes remains unaffected.[42] That said, the relationship between Article 21(3) GDPR and Article 17 GDPR on the right to erasure must be considered. The tight relationship between Article 21(3) and Article 17(1)(c) GDPR seems to suggest that erasure should automatically follow an objection to processing for direct marketing. Zanfir-Fortuna highlights that a controller could conceivably argue that personal data only needs to be erased from a specific database kept for direct marketing purposes, and that it can continue to process it for other purposes elsewhere.[43]

Avoiding automatic deletion could also be in the interest of the data subject, as complete erasure makes it more likely that the controller, having obtained the same or related data at a later time, accidentally uses them again for marketing purposes. The data subject could thus specify that their objection does not imply a complete deletion of all data. In such cases, including the data subject's contact information in an advertising blocking file is an appropriate measure to respect their preferences.[44] By maintaining this file, the controller can ensure that the data subject will not receive any future advertising, even if external data is utilized. As part of the notification process in accordance with Article 12(3), data subjects should also be informed about the purpose of including their data in the blocking file. However, if the data subject requests the deletion of all data, they should be informed that they may receive advertising again in the future if third-party data is legally used.[45]

(4) Information on the right to object

The obligation to inform data subjects of their right to object to processing stems from Articles 13(2)(b) and 14(2)(c) GDPR. However, Article 21(4) GDPR specifies that the right to object under Article 21(1) and 21(2) GDPR (i.e. the right to object against processing based on a legitimate interest, necessary for a task in the public interest, and for direct marketing, respectively) must be communicated to the data subject explicitly, clearly, separately from other information, and at the latest at the time of the first communication. For example, the French DPA has stated that information on the right to object should be provided in a distinct paragraph or pictogram.[46] Any indirect or implied reference to the right of objection will not satisfy Article 21(4) GDPR.[47] The notification under Article 21(4) GDPR must be made at the time of the first marketing communication, and not necessarily at the time that the data is first processed. However, if data is collected directly from the data subject, Article 13(2)(b) GDPR requires that the data subject be informed of their right to object at the point that the data is collected from them.[48]

(5) Objection when using information society services

In accordance with Article 21(5) of the GDPR, the right to object in relation to the use of information society services (ISS) can be exercised using automated procedures and technical specifications.[49] Organisations can satisfy Article 21(5) GDPR by, inter alia, enabling a do-not-track function of the data subject’s browser,[50] including an "opt-out" link in a direct marketing email, or by providing a Wi-Fi network that could detect a do-not-track signal from mobile phone users in a monitored area.[51]

Article 21(5) GDPR applies "notwithstanding Directive 2002/58/EC". This means that this type of objection shall be implemented regardless of any conflicting e-Privacy rules. This applies specifically to Article 14(1) of the e-Privacy Directive, under which no mandatory requirements for specific technical features are imposed on terminal or other electronic communication equipment which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States. For the purpose of enabling the automated exercise of the right to object, it is permissible to impose such mandatory requirements related to specific technical features.[52]

(6) Processing for scientific or historical research purposes

Lastly, Article 21(6) GDPR gives users the right to object to processing for scientific or historical research purposes, or statistical purposes, on grounds relating to their particular situation, unless the processing is necessary for the performance of a task carried out in the public interest. Controllers are therefore exempt from such an objection where processing is based on the first sentence of Article 6(1)(e) GDPR, but not the second sentence (i.e. where processing is necessary for the performance of a task in the exercise of official authority vested in the controller).

In contrast to the right to object under Article 21(1) GDPR, where controllers process data necessary for the performance of a task carried out in the public interest, they do not need to demonstrate "compelling legitimate grounds" in order to refuse an objection to processing. As such, the threshold for refusing an objection is lower.

The extent to which a controller would still need to carry out a balancing exercise of the importance of their task in the public interest and the objection in the interests of the data subject is not clear. Unlike Article 21(1) GDPR, Article 21(6) GDPR does not explicitly provide for this (note the lack of the word "override"). However, Munz argues that the need for a balancing of interests naturally stems from the principle of proportionality in Article 52(2) of the Charter of Fundamental Rights of the EU, and that Article 21(6) GDPR should be interpreted in light of this.[53] According to Martini, the word "unless" in Article 21(6) GDPR implies that the burden of proof for rejecting an objection lies with the controller, meaning that the data subject’s interest should take precedence in case of doubt.[54]

Notably, unlike with Article 21(1) and (2) GDPR, the right to object under Article 21(6) GDPR does not need to explicitly be brought to the attention of the data subject under Article 21(4) GDPR. This may be attributable to the fact that data from a large number of data subjects are often processed during processing for research and statistical purposes, with the effect that satisfying Article 21(4) GDPR would likely be impractical or involve a "disproportionate effort" pursuant to Article 14(5) GDPR. Controllers are nonetheless still obligated to notify data subjects of their right to object under Article 12(2)(b) GDPR.

Decisions

→ You can find all related decisions in Category:Article 21 GDPR

References

  1. Article 21(1) GDPR, second sentence: "The controller shall no longer process the personal data".
  2. Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).
  3. Datatilsynet (Norway) - 20/02319-8 (available here)
  4. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 35 (C.H. Beck 2018, 2nd Edition).
  5. This is a necessary requirement; otherwise, the controller would not be able to perform the underlying interest balancing, except in the case of paragraphs 2 and 3, where such balancing is not required.
  6. See, e.g. Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 13 (C.H. Beck 2019, 3rd Edition); Schulz, in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 8 (C.H. Beck 2018, 2nd Edition).
  7. Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 13 (C.H. Beck 2019, 3rd Edition).
  8. LG Hamburg, 23 July 2020, 334 O 161/19 (available here).
  9. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).
  10. Schulz, in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 9 (C.H. Beck 2018, 2nd Edition).
  11. Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2019, 3rd Edition); Forgó, in Wolff, Brink, BeckOK Datenschutzrecht, Article 21 GDPR, margin number 8 (C.H. Beck 2021, 39th Edition).
  12. LG Frankfurt a. M., 20 December 2018, 2/5 O 151/18, (available here).
  13. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 71 (available here).
  14. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 17 (C.H. Beck 2020, 3rd edition).
  15. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 14 (C.H. Beck 2018, 2nd edition).
  16. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd edition).
  17. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).
  18. What occurs immediately, if the data subject so requests, is the restriction of the processing under Article 18(1)(d) GDPR. Once a data subject has objected to processing under Article 21(1) GDPR, the controller must restrict the relevant processing activity until it is certain that it is based on compelling legitimate grounds that override the data subject’s rights and freedoms. Article 18(2) GDPR states that during this time, the processing may only be: (i) based on the data subject’s consent; (ii) for the exercise or defence of legal claims; (iii) for the protection of the rights of another natural or legal person; or (iv) for reasons of important public interest in the EU or a member state.
  19. Where a data subject’s right to object is valid, the data must be deleted under Article 17(1)(c) GDPR "without undue delay".
  20. This notification is crucial. In theory, if the objection is successful, the data controller is not only required to cease processing but also to delete the personal data used, in accordance with Article 17(1)(c) of the GDPR. However, the data subject may have an interest in not having the data deleted and instead preferring its restriction, as provided for in Article 18(1)(b) of the GDPR. Without such notification, this possibility of restriction would be practically impossible.
  21. Schulz, in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 15 (C.H. Beck 2022, 3rd edition).
  22. Under Directive 95/46/EC, data subjects were required to demonstrate "compelling legitimate grounds" in order to exercise their right to object to processing by a controller. The GDPR reverses this burden of proof in the data subject’s favour by requiring controllers to demonstrate "compelling legitimate grounds" if they intend to continue the processing activities. See, Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018). The right to object was therefore strengthened under the GDPR. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 516 (Oxford University Press 2020), citing Hustinx, in Cremona, New Technologies and EU Law, p. 123 (Oxford University Press 2017).
  23. EDPB, 'Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR', 8 October 2024 (Version 1), margin number 72 (available here).
  24. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 24 (Beck 2020, 3rd edition). Along the same lines seems to go Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).
  25. Martini, in Paal, Pauly, DS-GVO, Article 21, margin numbers 40-42 (C.H. Beck 2021, 3rd Edition).
  26. WP29, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 18 (available here).
  27. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).
  28. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 21 (C.H. Beck 2020, 3rd Edition).
  29. Martini, in Paal, Pauly, DS-GVO BDSG, Article 21 GDPR, margin number 36 (C.H. Beck 2021, 3rd Edition).
  30. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).
  31. Rb. Amsterdam, 22 April 2021, C/13/693399 / HA RK 20-337 (available here).
  32. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 28 (C.H. Beck 2018, 2nd Edition).
  33. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).
  34. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 23 (Beck 2020, 3rd edition).
  35. It is a situation very similar to data processing based on consent, where revocation does not need to be justified and it halts any processing activities. In fact, some authors argue that if direct marketing is based on consent, any objection, although theoretically incorrect, has the effect of revoking consent. See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 51 (C.H. Beck 2018, 2nd Edition).
  36. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 27 (Beck 2020, 3rd edition).
  37. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 47-48 (C.H. Beck 2018, 2nd Edition).
  38. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 26 (Beck 2020, 3rd edition).
  39. Martini, in Paal, Pauly, DS-GVO BDSG, Article 21 GDPR, margin number 48 (C.H. Beck 2021, 3rd Edition) citing Article 2(a) Directive 2006/114/EC and Article 13(1) Directive 2002/58/EC; Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin numbers 45-46 (C.H. Beck 2018, 2nd Edition).
  40. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 26 (Beck 2020, 3rd edition).
  41. CJEU, Case 102/20, StWL Städtische Werke Lauf a.d. Pegnitz GmbH, 25 November 2021, margin numbers 39 and 45 (available here).
  42. Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).
  43. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 518 (Oxford University Press 2020).
  44. Some DPAs also recommend keeping certain personal data on the individual who has objected to processing, so that the controller can make sure that it definitely does not market to them again. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 518 (Oxford University Press 2020).
  45. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 32a (Beck 2020, 3rd edition).
  46. CNIL, 17 October 2018, Dispositifs de mesure d’audience et de fréquentation dans ses espaces accessibles au public: la CNIL rappelle les règles (available here).
  47. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 56 (C.H. Beck 2018, 2nd Edition).
  48. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 58 (C.H. Beck 2018, 2nd Edition).
  49. Article 4(25) GDPR refers to the definition of ISS provided in Article 1(1)(b) of Directive 2015/1535, which states that ISS are: “services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” The same article clarifies that "at a distance" means the service is provided without the parties being simultaneously present, "by electronic means" means the service is initially sent and received at its destination by means of electronic equipment for the processing and storage of data, and "at the individual request of a recipient of services" means that the service is provided through the transmission of data on individual request. Article 21 GDPR therefore always applies to services offered in an online environment.
  50. Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 148 (C.H. Beck, Hart, Nomos 2018).
  51. Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 519 (Oxford University Press 2020).
  52. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 45 (Beck 2020, 3rd edition).
  53. Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 62 (C.H. Beck 2019, 3rd Edition).
  54. Martini, in Paal, Pauly, DS-GVO BDSG, Article 21 GDPR, margin number 60 (C.H. Beck 2021, 3rd Edition).