Article 21 GDPR
Legal Text
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Relevant Recitals
Commentary on Article 21
The GDPR does not grant data subjects a general right to object to the processing of their personal data. Rather, data subjects may object in certain prescribed circumstances outlined in Article 21(1) to (6) GDPR, as discussed further below.
(1) Legitimate Interest or Task in the Public Interest
Article 21(1) GDPR grants data subjects the right to object, on grounds relating to their particular situation, to processing based on a legitimate interest (Article 6(1)(f) GDPR), or that is necessary for a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e) GDPR). Controllers may refuse this objection where they demonstrate compelling legitimate grounds for the processing activity which overrides the data subject’s interests, rights, and freedoms, or for the establishment, exercise, or defence of claims.
Relating to His or Her Particular Situation
Most commentators view this phrase as a clear threshold: data subjects will not be able to exercise a right to object to processing under Article 21(1) GDPR, unless they assert specific reasons which pertain to their individual situation.[1] These reasons can include special situations of legal, economic, ethical, social, societal, or family nature.[2] It is not clear how exactly a data subject’s reasons will be weighed up and judged. Herbst argues, in line with the Hamburg Regional Court,[3] that the objection must be justified by something “atypical”, which can be assumed to have previously been unknown to the controller, and which it could therefore not take into account in its overall assessment under Article 6(1)(f) GDPR. It would not be sufficient, for example, for a data subject to merely indicate that he does not want the processing to occur.[4] Instead, a data subject may have to assert a threat to life, property, or the like.[5] In contrast, others argue that the threshold should not be interpreted too strictly,[6] and refer to, for example, the judgment of the Frankfurt Regional Court, which deemed a plaintiff’s difficulties in looking for an apartment due to the disclosure of data about his debt to be sufficient.[7]
Another less common view is that rather than acting as a prerequisite for the exercise of the right to object under Article 21(1) GDPR, the phrase “relating to his or her particular situation” simply indicates that the data subject should have the right to emphasise their specific interests in their personal data not being processed, which the controller may consider in its weighing of interests.[8]
Compelling Legitimate Grounds
Under Directive 95/46/EC, data subjects were required to demonstrate "compelling legitimate grounds" in order to exercise their right to object to processing by a controller. The GDPR reverses this burden of proof in the data subject’s favour, and instead requires controllers to demonstrate "compelling legitimate grounds" for the relevant processing activity.[9] In this way, the right to object under the GDPR is stronger than with its precursor.[10]
The GDPR does not elaborate on what constitutes a "compelling" legitimate ground. However, the WP29 provides an indication in its "Guidelines on Automated Individual Decision-Making," stating that processing may be based on a compelling legitimate ground where, instead of merely furthering the controller’s business interests, it is “beneficial for society at large (or the wider community)” for example “profiling to predict the spread of a contagious disease.”[11] For Zanfir-Fortuna, "compelling" means that the legitimate interest must be “overwhelming”, and override the interests of the data subject “in a strong, significant way.” Herbst notes that it must not be possible to satisfy the controllers interest in any other way than through the objected data processing, and that any interest will certainly be compelling if it is recognised by Union law (be that express or tacit),[12] or, within the remaining scope for regulation, by national law, including for example the interests and purposes outlined in Article 23(1)(a) to (j) GDPR (such as national and public security) as well as Recital 73 GDPR (such as the protection of human life).[13] In any case, the threshold is certainly higher than the overriding legitimate interest that a controller must demonstrate under Article 6(1)(f) GDPR, otherwise, any processing based on Article 6(1)(f) GDPR would essentially be immune to objection.[14] By way of example, the District Court of Amsterdam found that, when refusing a data subject’s right to object under Article 21(1) GDPR, it is insufficient for a bank to refer in general terms to its legal obligation to participate in a credit registration system.[15]
Pursue of Legal Claims
A controller may also refuse a request to object where it is pursuing a legal claim. This likely covers both in and out of court proceedings,[16] and will apply where the exercise of the claim is either already taking place, or is imminent.[17]
Including Profiling
Article 21(1) GDPR specifies that data subjects can object to processing based on Article 6(1)(e) and (f) GDPR, “including profiling based on those provisions.” Profiling is defined in Article 4(4) GDPR as a form of automated processing consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.
Because all types of processing based on Article 6(1)(e) or (f) GDPR are clearly covered by Article 21(1) GDPR, mentioning profiling specifically is somewhat legally redundant.[18] However, it can be seen to serve as more of a reminder, to the effect that the right of objection can apply especially with regard to profiling, which can be a problematic form of processing in the sense that sweeping and potentially incorrect conclusions are drawn about data subjects.[19]
Kamann and Braun note that in practice, profiling covered by Article 21(1) GDPR will most often be for business purposes, including by credit agencies, credit check providers, and advertising agencies. This is because profiling is not often “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6(1)(e) GDPR), and cases where profiling is based on consent are not relevant for Article 21(1) GDPR.[20]
Restriction of Processing and Right to Erasure
Pursuant to Article 18(1)(d) GDPR, once a data subject has objected to processing under Article 21(1) GDPR, the controller must restrict the relevant processing activity, pending the verification of whether the processing is based on compelling legitimate grounds that override the data subject’s rights and freedoms. Article 18(2) GDPR states that processing during this time may only be: based on the data subject’s consent; for the exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or, for reasons of important public interest in the Union or a member state.
Where a data subject’s right to object is successful, a controller may also be obliged to erase the relevant personal data under Article 17(1)(c) GDPR “without undue delay”, should the data subject request this.
(2) Direct Marketing
Article 21(2) GDPR gives data subjects the absolute right to object to the processing of their personal data for direct marketing purposes. Unlike under Article 21(1) GDPR, this processing can be based on any legal ground, and there is no need for a balancing of interests by the controller, who cannot refuse the objection based on compelling legitimate grounds.
"Direct marketing" is not defined in the GDPR, however its meaning can be derived from other Union and national laws. It is characterised by the singling out of a specific data subject, whom the controller addresses directly, for example via telephone, fax, email, SMS, or post, with the aim of promoting the sale of goods or the provision of services.[21] Communications for non-commercial purposes will not be covered.[22]
The extent to which online targeted advertising may be classified as "direct marketing" is not entirely clear. Some commentators argue it would likely not qualify.[23] However, sophisticated online targeted advertising techniques do single-out and specifically target individual users across the internet to promote goods or services, and in this way appear to satisfy direct marketing’s key characteristics.
Recital 70 GDPR requires the right to object to direct marketing must be facilitated free of charge.
(3) Stopping Direct Marketing Processing
Where a data subject objects to processing under Article 21(2) GDPR, all processing of their data for direct marketing purposes must stop. Processing of the personal data for other lawful purposes, however, remains unaffected.[24]
That said, the relationship between Article 21(3) GDPR and Article 17 GDPR on the right to deletion must be considered. Although controllers can in principle continue to process the relevant personal data for purposes other than direct marketing, in practice they may also be required to delete the data under Article 17(1)(b) GDPR, making any further processing impossible.
Zanfir-Fortuna highlights that a controller could conceivably argue that the personal data only needs to be erased from a specific database kept for direct marketing purposes, and that it can continue to process the personal data elsewhere for other purposes.[25]
There are also some DPA’s which recommend keeping certain personal data on the individual who has objected to processing, so that the controller can make sure that they definitely do not market to that individual again.[26]
(4) Information on the Right to Object
The obligation to inform data subjects of their right to object to processing stems from Articles 13(2)(b) and 14(2)(c) GDPR. However, Article 21(4) specifies that the right to object under Article 21(1) and 21(2) GDPR (i.e. the right to object against processing based on a legitimate interest/ processing necessary for a task in the public interest, and processing for public marketing, respectively) must be: explicitly brought to the attention of the data subject, clearly and separately from other information, and at the latest at the time of the first communication. The French DPA has stated, for example, that information on the right to object should thus be made in a distinct paragraph or pictogram.[27] Any indirect or implied reference to the right of objection will not satisfy Article 21(4) GDPR.[28] The notification under Article 21(4) GDPR must be made at the time of the first marketing communication, and not necessarily at the time that the data is first processed. However, if data is collected directly from the data subject, Article 13(2)(b) GDPR requires that the data subject be informed of their right to object at the point that the data is collected from them.[29]
(5) Modalities to Exercise the Right to Object
Notwithstanding Directive 2002/58/EC (the "e-Privacy Directive") data subject may exercise their right to object under Article 21 GDPR by automated means using technical specifications, in the context of information society services (‘ISS’).
Article 4(25) GDPR refers to the definition of information ISS provided in Article 1(1)(b) of Directive 2015/1535, which states that ISS are: “services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” The same article clarifies that "at a distance" means the service is provided without the parties being simultaneously present, "by electronic means" means the service is initially sent and received at its destination by means of electronic equipment for the processing and storage of data, and "at the individual request of a recipient of services" means that the service is provided through the transmission of data on individual request. Services offered in an online environment are therefore always covered.
Organisations can satisfy Article 21(5) GDPR by, for example: enabling a do-not-track function of the data subject’s browser;[30] including an "opt-out" link in a direct marketing email; or by providing a Wi-Fi network that could detect a do-not-track signal from mobile phone users in a monitored area.[31]
(6) Processing for Scientific or Historical Research Purposes
Lastly, Article 21(6) GDPR gives users the right to object to processing for scientific or historical research purposes, or statistical purposes, based on their particular situation, unless the processing is necessary for the performance of a task carried out in the public interest. Controllers are therefore exempt from such an objection where processing is based on the first sentence of Article 6(1)(e) GDPR, but not the second sentence (i.e. where processing is necessary for the performance of a task in the exercise of official authority vested in the controller).
In contrast to the right to object under Article 21(1) GDPR, where controllers process data necessary for the performance of a task carried out in the public interests, they do not need to demonstrate "compelling legitimate grounds" in order to refuse an objection to processing. The threshold for refusing an objection is thus lower.
It is not clear the extent to which a controller would still need to carry out a balancing exercise of the importance of their task in the public interest and the objection in the interests of the data subject. Unlike Article 21(1) GDPR, Article 21(6) GDPR does not explicitly provide for this (note the lack of the word "override").[32] However, commentators argue that the need for a weighing up of interests naturally stems from the principle of proportionality in Article 52(2) of the Charter on Fundamental Rights of the EU, and that Article 21(6) GDPR should be interpreted in light of this.[33] According to Martini, the word "unless" in Article 21(6) GDPR demonstrates that the burden of proof for rejecting an objection lies with the controller, meaning that, in case of doubt, the data subject’s interest should take precedence.[34]
Notably, unlike with Article 21(1) and (2) GDPR, the right to object under Article 21(6) GDPR does not need to explicitly be brought to the attention of the data subject under Article 21(4) GDPR. This may be attributable to the fact that data from a large number of data subject are often processed during processing for research and statistical purposes, meaning satisfying Article 21(4) GDPR would likely be impractical or involve "disproportionate effort", in line with Article 14(5) GDPR.[35] Controllers here still have the obligation to notify the data subject of their right to object under Article 12(2)(b) GDPR.
Decisions
→ You can find all related decisions in Category:Article 21 GDPR
References
- ↑ See, e.g. Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin numbers 13-16 (Beck 2019, 3rd ed.) (accessed 6 August 2021); Schulz, in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin numbers 8-10 (Beck 2018, 2nd ed.) (accessed 6 August 2021).
- ↑ Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin numbers 13-16 (Beck 2019, 3rd ed.) (accessed 6 August 2021).
- ↑ LG Hamburg, 23 July 2020, 334 O 161/19 (available here https://www.landesrecht-hamburg.de/bsha/document/JURE200015390).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 15 (Beck 2020, 3rd ed.) (accessed 6 August 2021).
- ↑ Schulz, in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin numbers 8-10 (Beck 2018, 2nd ed.) (accessed 6 August 2021).
- ↑ Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin numbers 13-16 (Beck 2019, 3rd ed) (accessed 6 August 2021); Forgó, in Wolff, Brink, BeckOK Datenschutzrecht, Article 21 GDPR, margin number 8 (Beck 2021, 36 ed.) (accessed 6 August 2021).
- ↑ LG Frankfurt a. M., 20 December 2018, 2/5 O 151/18, (available here https://www.rv.hessenrecht.hessen.de/bshe/document/LARE190005832).
- ↑ Schrey, in Rücker, Kugler, New European General Data Protection Regulation, a practitioner's guide: Ensuring compliant corporate practice, p. 147 (Oxford University Press 2018, 5th ed.).
- ↑ Schrey, in Rücker, Kugler, New European General Data Protection Regulation, a practitioner's guide: Ensuring compliant corporate practice, p. 147 (Oxford University Press 2018, 5th ed.).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 21 GDPR, p. 516 (Oxford University Press 2020), citing Hustinx, in Cremona, New Technologies and EU Law, p. 123 (Oxford University Press 2017).
- ↑ WP29, Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679, 6 February 2018, p. 19.
- ↑ Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin numbers 33-38 (Beck 2021, 3rd ed.) (accessed 6 August 2021).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 15 (Beck 2020, 3rd ed.) (accessed 6 August 2021).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 21 GDPR, p. 517 (Oxford University Press 2020).
- ↑ Rb. Amsterdam, 22 April 2021, C/13/693399 / HA RK 20-337 (available here https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:3161).
- ↑ Herbst, in Kühling, Buchner, GDPR DS-GVO, Article 21 GDPR, margin numbers 18-25 (Beck 2020, 3rd ed.) (accessed 6 August 2021); Recital 111 GDPR.
- ↑ Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 29 (Beck 2018, 2nd ed.) (accessed 6 August 2021).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).
- ↑ Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 29 (Beck 2018, 2nd ed.) (accessed 6 August 2021).
- ↑ Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin numbers 48-50a (Beck 2021, 3rd ed.) (accessed 6 August 2021), citing Article 2(a) Directive 2006/114/EC and Article 13(1) Directive 2002/58/EC; Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 29 (Beck 2018, 2nd ed.) (accessed 6 August 2021).
- ↑ Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin numbers 48-50a (Beck 2021, 3rd ed.) (accessed 6 August 2021), citing Article 2(a) Directive 2006/114/EC and Article 13(1) Directive 2002/58/EC; Kamann, Braun, in Ehmann, Selmayr Datenschutz-Grundverordnung, Article 21 GDPR, margin number 46 (Beck 2018, 2nd ed.) (accessed 6 August 2021).
- ↑ See, e.g. Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin numbers 48-50a (Beck 2021, 3rd ed.) (accessed 6 August 2021).
- ↑ Schrey in Rücker, Kugler, New European General Data Protection Regulation, a practitioner's guide: Ensuring compliant corporate practice, p. 147 (Oxford University Press 2018, 5th ed.).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 21 GDPR, p. 517 (Oxford University Press 2020).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 21 GDPR, p. 517 (Oxford University Press 2020).
- ↑ CNIL, 17 October 2018, Dispositifs de mesure d’audience et de frequentation dans ses espaces accessibles au public: la CNIL rappelled les regles (available here https://www.cnil.fr/fr/dispositifs-de-mesure-daudience-et-de-frequentation-dans-des-espaces-accessibles-au-public-la-cnil).
- ↑ Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin numbers 56-60 (Beck 2018, 2nd ed.) (accessed 6 August 2021).
- ↑ Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin numbers 56-60 (Beck 2018, 2nd ed.) (accessed 6 August 2021).
- ↑ Schrey, in Rücker, Kugler, New European General Data Protection Regulation, a practitioner's guide: Ensuring compliant corporate practice, p. 147 (Oxford University Press 2018, 5th ed.).
- ↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 21 GDPR, p. 517 (Oxford University Press 2020).
- ↑ Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin numbers 59-63 (Beck 2019, 3rd ed.) (accessed 6 August 2021).
- ↑ See, e.g. Munz in Taeger, Gabel, GDPR BDSG, Article 21 GDPR, margin numbers 59-63 (Beck 2019, 3rd ed.).
- ↑ Martini in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin numbers 48-50a (Beck 2021, 3rd ed.) (accessed 6 August 2021).
- ↑ Kamann, Braun, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin numbers 56-60 (Beck 2018, 2nd ed.) (accessed 6 August 2021).