Article 21 GDPR: Difference between revisions

Revision as of 11:07, 16 May 2023

← Article 21 - Right to object →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 21 - Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Relevant Recitals

Recital 69: Right to Object

Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.

Recital 70: Right to Object to Direct Marketing

Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

Commentary

Article 21 ensures the data subject's right to object. In Paragraph 1, a general right to object is provided against the processing of personal data that may be lawful based on a permissible balancing of interests under Article 6(1)(f) or (e) GDPR. Paragraphs 2 and 3 establish a specific and unconditional right to object in the case of data processing for direct marketing purposes. Paragraph 4 reiterates the obligation on the data controller to inform about the existence of the right to object at the time of the first communication with the data subject. In the context of using information society services, Paragraph 5 enables the exercise of the right to object through automated procedures using technical specifications. Lastly, Paragraph 6 grants an additional specific right to object to data processing for research or statistical purposes.

(1) Right to object

Article 21(1) GDPR grants data subjects the right to object, on grounds relating to their particular situation, to processing based on a legitimate interest (Article 6(1)(f) GDPR), or that is necessary for a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e) GDPR). Controllers may refuse this objection where they demonstrate compelling legitimate grounds for the processing activity which overrides the data subject’s interests, rights, and freedoms, or for the establishment, exercise, or defence of claims.

Shall have the right to object

Once an objection has been submitted in accordance with Article 21(1) and is accompanied by appropriate justification, the data controller is obligated to cease processing the data.^[1]

The right to object requires a request from the data subject. There are no specific provisions, therefore the general rules of Article 12 GDPR apply, adapted to the specific case where appropriate. The controller must communicate in a clear, understandable, and easily accessible manner the actions taken in response to the request (Article 12(1) GDPR), and facilitate the entire process (Article 12(2) GDPR). The response must be provided promptly, within one month of the request, and no later than three months if the time extension under Article 12(3) applies.

The request does not require any specific form and can be submitted in written, oral, or electronic form. Scholars note that there is no need to assign a specific "title" to the request; it can be implied, for example, when the contractual relationship between the parties is terminated.^[2] However, the request must at least contain the reasons for the data subject's objection and the prevailing interest believed to be violated.^[3] This requirement should not be interpreted too restrictively for the data subject, considering the obligation to facilitate the request under Article 12(2) GDPR. In this regard, if the data subject's request is not clear, the controller may seek clarification and strive for a swift resolution of the dispute.

On grounds relating to his or her particular situation

Most commentators view this phrase as a clear threshold. Data subjects will not be able to exercise their right to object to processing under Article 21(1) GDPR, unless they assert specific reasons which pertain to their individual situation.^[4] These reasons can be of a legal, economic, ethical, social, societal, or family nature.^[5] It is not clear exactly how a data subject’s reasons will be assessed. Herbst argues, in line with the Hamburg Regional Court,^[6] that their objection must be justified by something “atypical”, which can be assumed to have previously been unknown to the controller, and which it could therefore not take into account in its overall assessment under Article 6(1)(f) GDPR.

For example, it would not be sufficient for a data subject to merely indicate that they do not want the processing to occur.^[7] Instead, they might have to assert a threat to their life, property, or the like.^[8] In contrast, others argue that the threshold should not be interpreted too strictly.^[9] This view might be supported by a judgement of the Frankfurt Regional Court, which deemed a plaintiff’s difficulties in looking for an apartment due to the disclosure of data about his debt to be sufficient.^[10] Another less common view is that rather than acting as a prerequisite for the exercise of the right to object, the phrase “relating to his or her particular situation” simply indicates that the data subject should have the right to affirm their specific interests in their personal data not being processed, which the controller may consider in its weighing of interests.

The GDPR does not grant data subjects a general right to object to the processing of their personal data. Rather, this right is limited to the circumstances outlined in Article 21(1) to (6) GDPR, as discussed further below. ^[11]

To processing of personal data concerning him or her

The wording of Article 21(1) does not explicitly define the scope of an objection. However, the wording does not exclude the possibility that the data subject may object to specific forms of processing (e.g., transmission) or the processing of certain data, rather than objecting to the entire processing. The mention of profiling in Article 21(1)(a) also supports this possibility, as profiling is a distinct form of processing that can coexist with other forms of processing. If the data subject objects solely to the profiling (which should be possible according to Article 21(1)(a) GDPR), other forms of processing can still be carried out. Therefore, the data subject has the option to object to the entire processing or only to specific parts of it.^[12]

Based on Article 6(1)(e) or Article 6(1)(f)

The right to object is limited to cases where personal data processing is based on Article 6(1)(e) ("processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller") or Article 6(1)(f) GDPR ("processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child"). Consequently, the right to object applies to cases where the controller has initially considered the prevalence of their defended interest, specifically, the public interest in the case of Article 6(1)(e) and the controller's legitimate interest in the case of Article 6(1)(f). In other words, there is a balancing of interests carried out by the controller at the core of the processing. This also explains why the right to object does not apply to other legal bases. For example, consent can be revoked at any time. Revocation does not need to be "explained" and does not require an assessment by the controller. In the case of processing based on a contract, objecting would be inconsistent as it goes against the contractual interest of the data subject. For instance, if a data subject purchases a product and then objects to the use of their address for delivery, it would be a case of "venire contra factum proprium." Lastly, in the case of processing based on a legal obligation, it is assumed that the legislator has already conducted the balancing of interests and has mandated the legitimacy of the processing by law. In this case, the legislative decision takes precedence over the data subject's subjective right.^[13]

Including profiling based on Article 6(1)(f) or (e)

Article 21(1) GDPR specifies that data subjects can object to processing based on Article 6(1)(e) and (f) GDPR, “including profiling based on those provisions.” Profiling is defined in Article 4(4) GDPR as a form of automated processing consisting of the use of personal data to evaluate certain personal aspects relating to a natural person. Because all types of processing based on Article 6(1)(e) or (f) GDPR are clearly covered by Article 21(1) GDPR, mentioning profiling specifically is somewhat legally redundant.^[14] However, it can be seen to serve as more of a reminder, to the effect that the right of objection can apply especially with regard to profiling, which can be a problematic form of processing in the sense that sweeping and potentially incorrect conclusions are drawn about data subjects.^[15]

The controller shall no longer process personal data

Restriction of processing and right to erasure

Pursuant to Article 18(1)(d) GDPR, once a data subject has objected to processing under Article 21(1) GDPR, the controller must restrict the relevant processing activity until it is certain that it is based on compelling legitimate grounds that override the data subject’s rights and freedoms. Article 18(2) GDPR states that during this time, the processing may only be: (i) based on the data subject’s consent; (ii) for the exercise or defence of legal claims; (iii) for the protection of the rights of another natural or legal person; or (iv) for reasons of important public interest in the EU or a member state. Where a data subject’s right to object is valid, they may also request the controller to erase the relevant personal data under Article 17(1)(c) GDPR “without undue delay”.

Unless demonstrates compelling legitimate grounds

Under Directive 95/46/EC, data subjects were required to demonstrate "compelling legitimate grounds" in order to exercise their right to object to processing by a controller. The GDPR reverses this burden of proof in the data subject’s favour by requiring controllers to demonstrate "compelling legitimate grounds" for the relevant processing activity.^[16] The right to object was therefore strengthened under the GDPR.^[17] The GDPR does not elaborate on what constitutes a "compelling" legitimate ground. However, the WP29 suggested in its ‘Guidelines on Automated Individual Decision-Making’ that processing may be based on a compelling legitimate ground where, instead of merely furthering the controller’s business interests, it is “beneficial for society at large (or the wider community)” (e.g. “profiling to predict the spread of a contagious disease)”.^[18] According to Zanfir-Fortuna, "compelling" means that the legitimate interest must be “overwhelming” and override the data subject’s interests “in a strong, significant way.”^[19] Additionally, Herbst notes that there can be no alternative ways to satisfy the controller’s interest.^[20] This interest will be considered compelling if it is recognised by EU law (whether expressly or tacitly)^[21] or is within the remaining scope for regulation by national law. This includes the interests and purposes outlined in Article 23(1)(a) to (j) GDPR (e.g. national and public security) as well as Recital 73 GDPR (e.g. protection of human life). In any case, the threshold is certainly higher than the overriding legitimate interest that a controller must demonstrate under Article 6(1)(f) GDPR, as any processing based on Article 6(1)(f) GDPR would otherwise be essentially immune to objection.^[22] For example, the District Court of Amsterdam held that when refusing a data subject’s right to object under Article 21(1) GDPR, it is insufficient for a bank to refer in general terms to its legal obligation to participate in a credit registration system.^[23]

Pursuit of Legal Claims

A controller may also refuse a request to object where it is pursuing a legal claim. This likely covers both in and out of court proceedings,^[24] and will apply where the exercise of the claim is either already taking place, or is imminent.^[25]

(2) Direct Marketing

Article 21(2) GDPR gives data subjects the absolute right to object to the processing of their personal data for direct marketing purposes. Unlike under Article 21(1) GDPR, this processing can be based on any legal ground and there is no need for a balancing of interests by the controller, who cannot refuse the objection based on compelling legitimate grounds.

Whilst "direct marketing" is not defined in the GDPR, its meaning can be derived from other EU and national laws. It is characterised by the singling out of a specific data subject, whom the controller addresses directly (e.g. via telephone, fax, email, SMS, or post) with the aim of promoting the sale of goods or the provision of services.^[26] Communications for non-commercial purposes will be covered.

The extent to which online targeted advertising may be classified as "direct marketing" is not entirely clear. Some commentators argue it would likely qualify as such.The GDPR does not grant data subjects a general right to object to the processing of their personal data. Rather, this right is limited to the circumstances outlined in Article 21(1) to (6) GDPR, as discussed further below. ^[27] However, sophisticated online targeted advertising techniques do single-out and specifically target individual users across the internet to promote goods or services, and in this way appear to satisfy direct marketing’s key characteristics.

(3) Stopping Direct Marketing Processing

Where a data subject objects to processing under Article 21(2) GDPR, all processing of their data for direct marketing purposes must stop. Processing of the personal data for other lawful purposes remains unaffected.^[28] That said, the relationship between Article 21(3) GDPR and Article 17 GDPR on the right to erasure must be considered. Although controllers can in principle continue to process the relevant personal data for purposes other than direct marketing, in practice they may also be required to delete the data under Article 17(1)(b) GDPR, making any further processing impossible. Zanfir-Fortuna highlights that a controller could conceivably argue that personal data only needs to be erased from a specific database kept for direct marketing purposes, and that it can continue to process it for other purposes elsewhere.^[29] Some DPAs also recommend keeping certain personal data on the individual who has objected to processing, so that the controller can make sure that it definitely does not market to them again.^[30]

(4) Information on the Right to Object

The obligation to inform data subjects of their right to object to processing stems from Articles 13(2)(b) and 14(2)(c) GDPR. However, Article 21(4) GDPR specifies that the right to object under Article 21(1) and 21(2) GDPR (i.e. the right to object against processing based on a legitimate interest, necessary for a task in the public interest, and for public marketing, respectively) must be communicated to the data subject explicitly, clearly, separately from other information, and at the latest at the time of the first communication. For example, the French DPA has stated that information on the right to object should be provided in a distinct paragraph or pictogram.^[31] Any indirect or implied reference to the right of objection will not satisfy Article 21(4) GDPR.^[32] The notification under Article 21(4) GDPR must be made at the time of the first marketing communication, and not necessarily at the time that the data is first processed. However, if data is collected directly from the data subject, Article 13(2)(b) GDPR requires that the data subject will be informed of their right to object at the point that the data is collected from them.^[33]

(5) Modalities to Exercise the Right to Object

Notwithstanding Directive 2002/58/EC, when using information society services (‘ISS’) data subjects may exercise their right to object under Article 21 GDPR by automated means using technical specifications.

Article 4(25) GDPR refers to the definition of information ISS provided in Article 1(1)(b) of Directive 2015/1535, which states that ISS are: “services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” The same article clarifies that "at a distance" means the service is provided without the parties being simultaneously present, "by electronic means" means the service is initially sent and received at its destination by means of electronic equipment for the processing and storage of data, and "at the individual request of a recipient of services" means that the service is provided through the transmission of data on individual request. Article 21 GDPR therefore always applies to services offered in an online environment.

Organisations can satisfy Article 21(5) GDPR by, inter alia, enabling a do-not-track function of the data subject’s browser,^[34] including an "opt-out" link in a direct marketing email, or by providing a Wi-Fi network that could detect a do-not-track signal from mobile phone users in a monitored area.^[35]

(6) Processing for Scientific or Historical Research Purposes

Lastly, Article 21(6) GDPR gives users the right to object to processing for scientific or historical research purposes, or statistical purposes, on grounds relating to their particular situation, unless the processing is necessary for the performance of a task carried out in the public interest. Controllers are therefore exempt from such an objection where processing is based on the first sentence of Article 6(1)(e) GDPR, but not the second sentence (i.e. where processing is necessary for the performance of a task in the exercise of official authority vested in the controller).

In contrast to the right to object under Article 21(1) GDPR, where controllers process data necessary for the performance of a task carried out in the public interests, they do not need to demonstrate "compelling legitimate grounds" in order to refuse an objection to processing. As such, the threshold for refusing an objection is lower.

The extent to which a controller would still need to carry out a balancing exercise of the importance of their task in the public interest and the objection in the interests of the data subject is not clear. Unlike Article 21(1) GDPR, Article 21(6) GDPR does not explicitly provide for this (note the lack of the word "override"). However, Munz argue that the need for a balancing of interests naturally stems from the principle of proportionality in Article 52(2) of the Charter of Fundamental Rights of the EU, and that Article 21(6) GDPR should be interpreted in light of this.^[36] According to Martini, the word "unless" in Article 21(6) GDPR implies that the burden of proof for rejecting an objection lies with the controller, meaning that the data subject’s interest should take precedence in case of doubt.^[37]

Notably, unlike with Article 21(1) and (2) GDPR, the right to object under Article 21(6) GDPR does not need to explicitly be brought to the attention of the data subject under Article 21(4) GDPR. This may be attributable to the fact that data from a large number of data subjects are often processed during processing for research and statistical purposes, with the effect that satisfying Article 21(4) GDPR would likely be impractical or involve a "disproportionate effort” per Article 14(5) GDPR. Controllers are nonetheless still obligated to notify data subjects of their right to object under Article 12(2)(b) GDPR.

Decisions

→ You can find all related decisions in Category:Article 21 GDPR

References

↑ Article 21(1) GDPR, second sentence: "The controller shall no longer process the personal data".
↑ Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 35 (C.H. Beck 2018, 2nd Edition).
↑ This is a necessary requirement; otherwise, the controller would not be able to perform the underlying interest balancing, except in the case of paragraphs 2 and 3, where such balancing is not required.
↑ See, e.g. Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 13 (C.H. Beck 2019, 3rd Edition); Schulz, in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 8 (C.H. Beck 2018, 2nd Edition).
↑ Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 13 (C.H. Beck 2019, 3rd Edition).
↑ LG Hamburg, 23 July 2020, 334 O 161/19 (available here).
↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).
↑ Schulz, in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 9 (C.H. Beck 2018, 2nd Edition).
↑ Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2019, 3rd Edition); Forgó, in Wolff, Brink, BeckOK Datenschutzrecht, Article 21 GDPR, margin number 8 (C.H. Beck 2021, 39th Edition).
↑ LG Frankfurt a. M., 20 December 2018, 2/5 O 151/18, (available here).
↑ Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).
↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 17 (C.H. Beck 2020, 3rd edition).
↑ Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 14 (C.H. Beck 2018, 2nd edition).
↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).
↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).
↑ Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).
↑ Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 516 (Oxford University Press 2020), citing Hustinx, in Cremona, New Technologies and EU Law, p. 123 (Oxford University Press 2017).
↑ WP29, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 18 (available here).
↑ Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).
↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 21 (C.H. Beck 2020, 3rd Edition).
↑ Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin number 36 (C.H. Beck 2021, 3rd Edition).
↑ Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).
↑ Rb. Amsterdam, 22 April 2021, C/13/693399 / HA RK 20-337 (available here).
↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).
↑ Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 28 (C.H. Beck 2018, 2nd Edition).
↑ Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin number 48 (C.H. Beck 2021, 3rd Edition) citing Article 2(a) Directive 2006/114/EC and Article 13(1) Directive 2002/58/EC; Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin numbers 45-46 (C.H. Beck 2018, 2nd Edition).
↑ Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin number 48b (C.H. Beck 2021, 3rd Edition).
↑ Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).
↑ Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 518 (Oxford University Press 2020).
↑ Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 518 (Oxford University Press 2020).
↑ CNIL, 17 October 2018, Dispositifs de mesure d’audience et de frequentation dans ses espaces accessibles au public: la CNIL rappelled les regles (available here).
↑ Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 56 (C.H. Beck 2018, 2nd Edition).
↑ Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 58 (C.H. Beck 2018, 2nd Edition).
↑ Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 148 (C.H. Beck, Hart, Nomos 2018).
↑ Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 519 (Oxford University Press 2020).
↑ Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 62 (C.H. Beck 2019, 3rd Edition).
↑ Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin number 60 (C.H. Beck 2021, 3rd Edition).

[1] Article 21(1) GDPR, second sentence: "The controller shall no longer process the personal data".

[2] Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 35 (C.H. Beck 2018, 2nd Edition).

[3] This is a necessary requirement; otherwise, the controller would not be able to perform the underlying interest balancing, except in the case of paragraphs 2 and 3, where such balancing is not required.

[4] See, e.g. Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 13 (C.H. Beck 2019, 3rd Edition); Schulz, in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 8 (C.H. Beck 2018, 2nd Edition).

[5] Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 13 (C.H. Beck 2019, 3rd Edition).

[6] LG Hamburg, 23 July 2020, 334 O 161/19 (available here).

[7] Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).

[8] Schulz, in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 9 (C.H. Beck 2018, 2nd Edition).

[9] Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2019, 3rd Edition); Forgó, in Wolff, Brink, BeckOK Datenschutzrecht, Article 21 GDPR, margin number 8 (C.H. Beck 2021, 39th Edition).

[10] LG Frankfurt a. M., 20 December 2018, 2/5 O 151/18, (available here).

[11] Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).

[12] Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 17 (C.H. Beck 2020, 3rd edition).

[13] Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 14 (C.H. Beck 2018, 2nd edition).

[14] Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).

[15] Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).

[16] Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).

[17] Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 516 (Oxford University Press 2020), citing Hustinx, in Cremona, New Technologies and EU Law, p. 123 (Oxford University Press 2017).

[18] WP29, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 18 (available here).

[19] Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).

[20] Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 21 (C.H. Beck 2020, 3rd Edition).

[21] Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin number 36 (C.H. Beck 2021, 3rd Edition).

[22] Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).

[23] Rb. Amsterdam, 22 April 2021, C/13/693399 / HA RK 20-337 (available here).

[24] Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).

[25] Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 28 (C.H. Beck 2018, 2nd Edition).

[26] Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin number 48 (C.H. Beck 2021, 3rd Edition) citing Article 2(a) Directive 2006/114/EC and Article 13(1) Directive 2002/58/EC; Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin numbers 45-46 (C.H. Beck 2018, 2nd Edition).

[27] Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin number 48b (C.H. Beck 2021, 3rd Edition).

[28] Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).

[29] Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 518 (Oxford University Press 2020).

[30] Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 518 (Oxford University Press 2020).

[31] CNIL, 17 October 2018, Dispositifs de mesure d’audience et de frequentation dans ses espaces accessibles au public: la CNIL rappelled les regles (available here).

[32] Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 56 (C.H. Beck 2018, 2nd Edition).

[33] Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 58 (C.H. Beck 2018, 2nd Edition).

[34] Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 148 (C.H. Beck, Hart, Nomos 2018).

[35] Zanfir-Fortuna, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 519 (Oxford University Press 2020).

[36] Munz, in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 62 (C.H. Beck 2019, 3rd Edition).

[37] Martini, in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin number 60 (C.H. Beck 2021, 3rd Edition).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

[37]

@@ Line 203: / Line 203: @@
 ==Commentary==
-The GDPR does not grant data subjects a general right to object to the processing of their personal data. Rather, this right is limited to the circumstances outlined in Article 21(1) to (6) GDPR, as discussed further below.
+Article 21 ensures the data subject's right to object. In Paragraph 1, a general right to object is provided against the processing of personal data that may be lawful based on a permissible balancing of interests under Article 6(1)(f) or (e) GDPR. Paragraphs 2 and 3 establish a specific and unconditional right to object in the case of data processing for direct marketing purposes. Paragraph 4 reiterates the obligation on the data controller to inform about the existence of the right to object at the time of the first communication with the data subject. In the context of using information society services, Paragraph 5 enables the exercise of the right to object through automated procedures using technical specifications. Lastly, Paragraph 6 grants an additional specific right to object to data processing for research or statistical purposes.
-===(1) Legitimate Interest or Task in the Public Interest===
+===(1) Right to object===
 Article 21(1) GDPR grants data subjects the right to object, on grounds relating to their particular situation, to processing based on a legitimate interest ([[Article 6 GDPR|Article 6(1)(f) GDPR]]), or that is necessary for a task carried out in the public interest or in the exercise of official authority ([[Article 6 GDPR|Article 6(1)(e) GDPR]]). Controllers may refuse this objection where they demonstrate compelling legitimate grounds for the processing activity which overrides the data subject’s interests, rights, and freedoms, or for the establishment, exercise, or defence of claims.
-====Relating to His or Her Particular Situation====
+==== Shall have the right to object ====
+Once an objection has been submitted in accordance with Article 21(1) and is accompanied by appropriate justification, the data controller is obligated to cease processing the data.<ref>Article 21(1) GDPR, second sentence: "''The controller shall no longer process the personal data''".</ref>
+The right to object requires a request from the data subject. There are no specific provisions, therefore the general rules of Article 12 GDPR apply, adapted to the specific case where appropriate. The controller must communicate in a clear, understandable, and easily accessible manner the actions taken in response to the request (Article 12(1) GDPR), and facilitate the entire process (Article 12(2) GDPR). The response must be provided promptly, within one month of the request, and no later than three months if the time extension under Article 12(3) applies.
+The request does not require any specific form and can be submitted in written, oral, or electronic form. Scholars note that there is no need to assign a specific "title" to the request; it can be implied, for example, when the contractual relationship between the parties is terminated.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 35 (C.H. Beck 2018, 2nd Edition).</ref> However, the request must at least contain the reasons for the data subject's objection and the prevailing interest believed to be violated.<ref>This is a necessary requirement; otherwise, the controller would not be able to perform the underlying interest balancing, except in the case of paragraphs 2 and 3, where such balancing is not required.</ref> This requirement should not be interpreted too restrictively for the data subject, considering the obligation to facilitate the request under Article 12(2) GDPR. In this regard, if the data subject's request is not clear, the controller may seek clarification and strive for a swift resolution of the dispute.
+====On grounds relating to his or her particular situation====
 Most commentators view this phrase as a clear threshold. Data subjects will not be able to exercise their right to object to processing under Article 21(1) GDPR, unless they assert specific reasons which pertain to their individual situation.<ref>See, e.g. ''Munz'', in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 13 (C.H. Beck 2019, 3rd Edition); ''Schulz'', in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 8 (C.H. Beck 2018, 2nd Edition).</ref> These reasons can be of a legal, economic, ethical, social, societal, or family nature.<ref>''Munz'', in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 13 (C.H. Beck 2019, 3rd Edition).</ref> It is not clear exactly how a data subject’s reasons will be assessed. ''Herbst'' argues, in line with the Hamburg Regional Court,<ref>LG Hamburg, 23 July 2020, 334 O 161/19 (available [https://www.landesrecht-hamburg.de/bsha/document/JURE200015390 here]).</ref> that their objection must be justified by something “''atypical''”, which can be assumed to have previously been unknown to the controller, and which it could therefore not take into account in its overall assessment under [[Article 6 GDPR|Article 6(1)(f) GDPR]].
-For example, it would not be sufficient for a data subject to merely indicate that they do not want the processing to occur.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).</ref> Instead, they might have to assert a threat to their life, property, or the like.<ref>''Schulz'', in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 9 (C.H. Beck 2018, 2nd Edition).</ref> In contrast, others argue that the threshold should not be interpreted too strictly.<ref>''Munz'', in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2019, 3rd Edition); ''Forgó'', in Wolff, Brink, BeckOK Datenschutzrecht, Article 21 GDPR, margin number 8 (C.H. Beck 2021, 39th Edition).</ref> This view might be supported by a judgement of the Frankfurt Regional Court, which deemed a plaintiff’s difficulties in looking for an apartment due to the disclosure of data about his debt to be sufficient.<ref>LG Frankfurt a. M., 20 December 2018, 2/5 O 151/18, (available [https://www.rv.hessenrecht.hessen.de/bshe/document/LARE190005832 here]).</ref>
+For example, it would not be sufficient for a data subject to merely indicate that they do not want the processing to occur.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2020, 3rd Edition).</ref> Instead, they might have to assert a threat to their life, property, or the like.<ref>''Schulz'', in Gola, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 9 (C.H. Beck 2018, 2nd Edition).</ref> In contrast, others argue that the threshold should not be interpreted too strictly.<ref>''Munz'', in Taeger, Gabel, DSGVO BDSG, Article 21 GDPR, margin number 15 (C.H. Beck 2019, 3rd Edition); ''Forgó'', in Wolff, Brink, BeckOK Datenschutzrecht, Article 21 GDPR, margin number 8 (C.H. Beck 2021, 39th Edition).</ref> This view might be supported by a judgement of the Frankfurt Regional Court, which deemed a plaintiff’s difficulties in looking for an apartment due to the disclosure of data about his debt to be sufficient.<ref>LG Frankfurt a. M., 20 December 2018, 2/5 O 151/18, (available [https://www.rv.hessenrecht.hessen.de/bshe/document/LARE190005832 here]).</ref> Another less common view is that rather than acting as a prerequisite for the exercise of the right to object, the phrase “''relating to his or her particular situation''” simply indicates that the data subject should have the right to affirm their specific interests in their personal data not being processed, which the controller may consider in its weighing of interests.
-Another less common view is that rather than acting as a prerequisite for the exercise of the right to object, the phrase “''relating to his or her particular situation''” simply indicates that the data subject should have the right to affirm their specific interests in their personal data not being processed, which the controller may consider in its weighing of interests.<span lang="EN-GB">The GDPR does not grant data subjects a general
+The GDPR does not grant data subjects a general right to object to the processing of their personal data. Rather, this right is limited to the circumstances outlined in Article 21(1) to (6) GDPR, as discussed further below. <ref>''Schrey'', in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).</ref>
-right to object to the processing of their personal data. Rather, this right is
-limited to the circumstances outlined in Article 21(1) to (6) GDPR, as
-discussed further below. </span><ref>''Schrey'', in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).</ref>
-====Compelling Legitimate Grounds====
+==== To processing of personal data concerning him or her ====
+The wording of Article 21(1) does not explicitly define the scope of an objection. However, the wording does not exclude the possibility that the data subject may object to specific forms of processing (e.g., transmission) or the processing of certain data, rather than objecting to the entire processing. The mention of profiling in Article 21(1)(a) also supports this possibility, as profiling is a distinct form of processing that can coexist with other forms of processing. If the data subject objects solely to the profiling (which should be possible according to Article 21(1)(a) GDPR), other forms of processing can still be carried out. Therefore, the data subject has the option to object to the entire processing or only to specific parts of it.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 17 (C.H. Beck 2020, 3rd edition).</ref>
+==== Based on Article 6(1)(e) or Article 6(1)(f) ====
+The right to object is limited to cases where personal data processing is based on Article 6(1)(e) ("''processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller''") or Article 6(1)(f) GDPR ("''processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child''"). Consequently, the right to object applies to cases where the controller has initially considered the prevalence of their defended interest, specifically, the public interest in the case of Article 6(1)(e) and the controller's legitimate interest in the case of Article 6(1)(f). In other words, there is a balancing of interests carried out by the controller at the core of the processing. This also explains why the right to object does not apply to other legal bases. For example, consent can be revoked at any time. Revocation does not need to be "explained" and does not require an assessment by the controller. In the case of processing based on a contract, objecting would be inconsistent as it goes against the contractual interest of the data subject. For instance, if a data subject purchases a product and then objects to the use of their address for delivery, it would be a case of "venire contra factum proprium." Lastly, in the case of processing based on a legal obligation, it is assumed that the legislator has already conducted the balancing of interests and has mandated the legitimacy of the processing by law. In this case, the legislative decision takes precedence over the data subject's subjective right.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 14 (C.H. Beck 2018, 2nd edition).</ref>
+==== Including profiling based on Article 6(1)(f) or (e) ====
+Article 21(1) GDPR specifies that data subjects can object to processing based on [[Article 6 GDPR|Article 6(1)(e) and (f) GDPR]], “''including profiling based on those provisions''.” Profiling is defined in [[Article 4 GDPR|Article 4(4) GDPR]] as a form of automated processing consisting of the use of personal data to evaluate certain personal aspects relating to a natural person. Because all types of processing based on [[Article 6 GDPR|Article 6(1)(e) or (f) GDPR]] are clearly covered by Article 21(1) GDPR, mentioning profiling specifically is somewhat legally redundant.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).</ref> However, it can be seen to serve as more of a reminder, to the effect that the right of objection can apply especially with regard to profiling, which can be a problematic form of processing in the sense that sweeping and potentially incorrect conclusions are drawn about data subjects.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).</ref>
+==== The controller shall no longer process personal data ====
+====Restriction of processing and right to erasure====
+Pursuant to [[Article 18 GDPR|Article 18(1)(d) GDPR]], once a data subject has objected to processing under Article 21(1) GDPR, the controller must restrict the relevant processing activity until it is certain that it is based on compelling legitimate grounds that override the data subject’s rights and freedoms. [[Article 18 GDPR|Article 18(2) GDPR]] states that during this time, the processing may only be: (i) based on the data subject’s consent; (ii) for the exercise or defence of legal claims; (iii) for the protection of the rights of another natural or legal person; or (iv) for reasons of important public interest in the EU or a member state.  Where a data subject’s right to object is valid, they may also request the controller to erase the relevant personal data under [[Article 17 GDPR|Article 17(1)(c) GDPR]] “''without undue delay''”.
+====Unless demonstrates compelling legitimate grounds====
 Under Directive 95/46/EC, data subjects were required to demonstrate "''compelling legitimate grounds''" in order to exercise their right to object to processing by a controller. The GDPR reverses this burden of proof in the data subject’s favour by requiring controllers to demonstrate "''compelling legitimate grounds''" for the relevant processing activity.<ref>''Schrey'', in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 147 (C.H. Beck, Hart, Nomos 2018).</ref> The right to object was therefore strengthened under the GDPR.<ref>''Zanfir-Fortuna,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 516 (Oxford University Press 2020), citing ''Hustinx'', in Cremona, New Technologies and EU Law, p. 123 (Oxford University Press 2017).</ref> The GDPR does not elaborate on what constitutes a "''compelling''" legitimate ground. However, the WP29 suggested in its ‘Guidelines on Automated Individual Decision-Making’ that processing may be based on a compelling legitimate ground where, instead of merely furthering the controller’s business interests, it is “''beneficial for society at large (or the wider community)''” (e.g. “''profiling to predict the spread of a contagious disease)''”.<ref>WP29, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679’, 17/EN WP251 rev.01, 6 February 2018, p. 18 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49826 here]).</ref> According to ''Zanfir-Fortuna'', "''compelling''" means that the legitimate interest must be “''overwhelming''” and override the data subject’s interests “''in a strong, significant way.''”<ref>''Zanfir-Fortuna,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).</ref> Additionally, ''Herbst'' notes that there can be no alternative ways to satisfy the controller’s interest.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 21 (C.H. Beck 2020, 3rd Edition).</ref> This interest will be considered compelling if it is recognised by EU law (whether expressly or tacitly)<ref>''Martini'', in Paul, Pauly, DS-GVO BDSG, Article 21 GPDR, margin number 36 (C.H. Beck 2021, 3rd Edition).</ref> or is within the remaining scope for regulation by national law. This includes the interests and purposes outlined in [[Article 23 GDPR|Article 23(1)(a) to (j) GDPR]] (e.g. national and public security) as well as Recital 73 GDPR (e.g. protection of human life). In any case, the threshold is certainly higher than the overriding legitimate interest that a controller must demonstrate under [[Article 6 GDPR|Article 6(1)(f) GDPR]], as any processing based on [[Article 6 GDPR|Article 6(1)(f) GDPR]] would otherwise be essentially immune to objection.<ref>''Zanfir-Fortuna,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 21 GDPR, p. 517 (Oxford University Press 2020).</ref> For example, the District Court of Amsterdam held that when refusing a data subject’s right to object under Article 21(1) GDPR, it is insufficient for a bank to refer in general terms to its legal obligation to participate in a credit registration system.<ref>Rb. Amsterdam, 22 April 2021, C/13/693399 / HA RK 20-337 (available [https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:3161 here]).</ref>
@@ Line 224: / Line 242: @@
 A controller may also refuse a request to object where it is pursuing a legal claim. This likely covers both in and out of court proceedings,<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 23 (C.H. Beck 2020, 3rd Edition).</ref> and will apply where the exercise of the claim is either already taking place, or is imminent.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21 GDPR, margin number 28 (C.H. Beck 2018, 2nd Edition).
 </ref>
-====Including Profiling====
-Article 21(1) GDPR specifies that data subjects can object to processing based on [[Article 6 GDPR|Article 6(1)(e) and (f) GDPR]], “including profiling based on those provisions.” Profiling is defined in [[Article 4 GDPR|Article 4(4) GDPR]] as a form of automated processing consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.
-Because all types of processing based on [[Article 6 GDPR|Article 6(1)(e) or (f) GDPR]] are clearly covered by Article 21(1) GDPR, mentioning profiling specifically is somewhat legally redundant.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).</ref> However, it can be seen to serve as more of a reminder, to the effect that the right of objection can apply especially with regard to profiling, which can be a problematic form of processing in the sense that sweeping and potentially incorrect conclusions are drawn about data subjects.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.) (accessed 6 August 2021).</ref>
-====Restriction of Processing and Right to Erasure====
-Pursuant to [[Article 18 GDPR|Article 18(1)(d) GDPR]], once a data subject has objected to processing under Article 21(1) GDPR, the controller must restrict the relevant processing activity until it is certain that it is based on compelling legitimate grounds that override the data subject’s rights and freedoms. [[Article 18 GDPR|Article 18(2) GDPR]] states that during this time, the processing may only be: (i) based on the data subject’s consent; (ii) for the exercise or defence of legal claims; (iii) for the protection of the rights of another natural or legal person; or (iv) for reasons of important public interest in the EU or a member state.  Where a data subject’s right to object is valid, they may also request the controller to erase the relevant personal data under [[Article 17 GDPR|Article 17(1)(c) GDPR]] “''without undue delay''”.
 ===(2) Direct Marketing===