Article 21 GDPR

← Article 21 - Right to object →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 21 - Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Relevant Recitals

Recital 69: Right to Object

Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.

Recital 70: Right to Object to Direct Marketing

Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

Commentary on Article 21

The GDPR does not grant data subjects a general right to object to the processing of their personal data. Rather, data subjects may object in certain prescribed circumstances outlined in 21(1) - (6) GDPR, as discussed further below.

(1) Legitimate interest or task in the public interest

Article 21(1) GDPR grants data subjects the right to object, on grounds relating to their particular situation, to processing based on a legitimate interest (Article 6(1)(f) GDPR), or that is necessary for a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e) GDPR). Controllers may refuse this objection where they demonstrate compelling legitimate grounds for the processing activity which overrides the data subject’s interests, rights, and freedoms, or for the establishment, exercise, or defence of claims.

Relating to his or her particular situation

Most commentators view this phrase as a clear threshold: data subjects will not be able to exercise a right to object to processing under Article 21(1) GDPR, unless they assert specific reasons which pertain to their individual situation.^[1] These reasons can include special situations of legal, economic, ethical, social, societal, or family nature.^[2] It is not clear how exactly a data subject’s reasons will be weighed up and judged. Kühling and Buchner argue, in line with the Hamburg Regional Court,^[3] that the objection must be justified by something “atypical”, which can be assumed to have previously been unknown to the controller, and which it could therefore not take into account in its overall assessment under Article 6(1)(f) GDPR. It would not be sufficient, for example, for a data subject to merely indicate that he does not want the processing to occur.^[4] Instead, a data subject may have to assert a threat to life, property, or the like.^[5] In contrast, others argue that the threshold should not be interpreted too strictly,^[6] and refer to, for example, the judgment of the Frankfurt Regional Court, which deemed a plaintiff’s difficulties in looking for an apartment due to the disclosure of data about his debt to be sufficient.^[7]

Another less common view is that rather than acting as a prerequisite for the exercise of the right to object under Article 21(1), the phrase “relating to his or her personal situation” simply indicates that the data subject should have the right to emphasise their specific interests in their personal data not being processed, which the controller may consider in its weighing of interests.^[8]

Compelling legitimate grounds

Under Directive 95/46, data subjects were required to demonstrate ‘compelling legitimate grounds’ in order to exercise their right to object to processing by a controller. The GDPR reverses this burden of proof in the data subject’s favour, and instead requires controllers to demonstrate ‘compelling legitimate grounds’ for the relevant processing activity.^[9] In this way, the right to object under the GDPR is stronger than with its precursor.^[10]

The GDPR does not elaborate on what constitutes a ‘compelling’ legitimate ground. However, the WP29 provides an indication in its ‘Guidelines on Automated Individual Decision-Making,’ stating that processing may be based on a compelling legitimate ground where, instead of merely furthering the controller’s business interests, it is “beneficial for society at large (or the wider community)” for example “profiling to predict the spread of a contagious disease.”^[11] For Zanfir-Fortuna, ‘compelling’ means that the legitimate interest must be “overwhelming”, and override the interests of the data subject “in a strong, significant way.” Kühling and Buchner note that it must not be possible to satisfy the controllers interest in any other way than through the objected data processing, and that any interest will certainly be compelling if it is recognised by Union law (be that express or tacit),^[12] or, within the remaining scope for regulation, by national law, including for example the interests and purposes outlined in Article 23(1)(a) to (j) GDPR (such as national and public security) as well as Recital 73 GDPR (such as the protection of human life).^[13] In any case, the threshold is certainly higher than the overriding legitimate interest that a controller must demonstrate under Article 6(1)(f) GDPR, otherwise, any processing based on Article 6(1)(f) would essentially be immune to objection.^[14] By way of example, the District Court of Amsterdam found that, when refusing a data subject’s right to object under Article 21(1) GDPR, it is insufficient for a bank to refer in general terms to its legal obligation to participate in a credit registration system.^[15]

Pursue of Legal Claims

A controller may also refuse a request to object where it is pursuing a legal claim. This likely covers both in and out of court proceedings,^[16] and will apply where the exercise of the claim is either already taking place, or is imminent.^[17]

Including Profiling

Article 21(1) GDPR specifies that data subjects can object to processing based on Article 6(1)(e) and (f), “including profiling based on those provisions.” Profiling is defined in Article 4(4) GDPR as a form of automated processing consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.

Because all types of processing based on Article 6(1)(e) or (f) are clearly covered by Article 21(1) GDPR, mentioning profiling specifically is somewhat legally redundant.^[18] However, it can be seen to serve as more of a reminder, to the effect that the right of objection can apply especially with regard to profiling, which can be a problematic form of processing in the sense that sweeping and potentially incorrect conclusions are drawn about data subjects.^[19]

Kamann and Braun note that in practice, profiling covered by Article 21(1) GDPR will most often be for business purposes, including by credit agencies, credit check providers, and advertising agencies. This is because profiling is not often “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6(1)(e)), and cases where profiling is based on consent are not relevant for Article 21(1) GDPR.^[20]

Restriction of Processing and Right to Erasure

Pursuant to Article 18(1)(d) GDPR, once a data subject has objected to processing under Article 21(1), the controller must restrict the relevant processing activity, pending the verification of whether the processing is based on compelling legitimate grounds that override the data subject’s rights and freedoms. Article 18(2) states that processing during this time may only be: based on the data subject’s consent; for the exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or, for reasons of important public interest in the Union or a member state.

Where a data subject’s right to object is successful, a controller may also be obliged to erase the relevant personal data under Article 17(1)(c) “without undue delay”, should the data subject request this.

(2) Direct marketing

Article 21(2) GDPR gives data subjects the absolute right to object to the processing of their personal data for direct marketing purposes. Unlike under Article 21(1), this processing can be based on any legal ground, and there is no need for a balancing of interests by the controller, who cannot refuse the objection based on compelling legitimate grounds.

(3) Stopping direct marketing processing

When a data subject objects to the processing, all the processing for direct marketing purposes must stop.

(4) Information about the right to object

You can help us fill this section!

(5) The right to object to processing by automated means

You can help us fill this section!

(5) Processing for scientific or historical research purposes

You can help us fill this section!

Decisions

→ You can find all related decisions in Category:Article 21 GDPR

References

↑ See, e.g. Munz in Taeger, Gabel, GDPR BDSG, Article 21 GDPR, margin numbers 13-16 (Beck 2019, 3rd ed.); Shulz in Gola, DS-GVO, DSGVO, Article 21 GDPR, margin numbers 8-10 (Beck 2018, 2nd ed.).
↑ Munz in Taeger, Gabel, GDPR BDSG, Article 21 GDPR, margin numbers 13-16 (Beck 2019, 3rd ed.).
↑ LG Hamburg, judgment of 23.7.2020 - 334 O 161/19
↑ Kühling, Buchner, GDPR BDSG, Article 21 GDPR, margin number 15 (Beck 2020, 3rd ed.); See also Forgó in Wolff, Brink, BeckOK data protection law (Beck 2021, 36 ed.)
↑ [Shulz in Gola, DS-GVO, DSGVO, Article 21 GDPR, margin numbers 8-10 (Beck 2018, 2nd ed.)
↑ Munz in Taeger, Gabel, GDPR BDSG, Article 21 GDPR, margin numbers 13-16 (Beck 2019, 3rd ed.; Forgó in Wolff, Brink, BeckOK data protection law (Beck 2021, 36 ed.).
↑ LG Frankfurt a. M., judgment of 20.12.2018 - 2/5 O 151/18, cited in Forgó in Wolff, Brink, BeckOK data protection law (Beck 2021, 36 ed.).
↑ Schrey in Rücker, Kugler, New European General Data Protection Regulation, a practitioner's guide: Ensuring compliant corporate practice, p. 147 (Oxford University Press 2018, 5th ed.).
↑ Schrey in Rücker, Kugler, New European General Data Protection Regulation, a practitioner's guide: Ensuring compliant corporate practice, p. 147 (Oxford University Press 2018, 5th ed.)
↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 21 GDPR, p. 516 (Oxford University Press 2020), citing Hustinx in Cremona, New Technologies and EU Law, p. 123 (Oxford University Press 2017)
↑ Article 29 Working Party, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679’, p. 19.
↑ Martini in Paul, Pally, DS-GVO BDSG, Article 21 GPDR, margin numbers 33-38 (Beck 2021, 3rd ed.).
↑ Kühling, Buchner, GDPR BDSG, Article 21 GDPR, margin number 15 (Beck 2020, 3rd ed.)
↑ Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 21 GDPR, p. 517 (Oxford University Press 2020).
↑ Rb. Amsterdam, judgment of 22.04.2021 - C/13/693399 / HA RK 20-337
↑ Kühling, Buchner, GDPR BDSG, Article 21 GDPR, margin numbers 18-25 (Beck 2020, 3rd ed.); Recital 111 GDPR.
↑ Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21, Margin number 29 (Beck 2018, 2nd ed.)
↑ Kühling, Buchner, GDPR BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.).
↑ Kühling, Buchner, GDPR BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.).
↑ Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21, Margin number 29 (Beck 2018, 2nd ed.).

[1] See, e.g. Munz in Taeger, Gabel, GDPR BDSG, Article 21 GDPR, margin numbers 13-16 (Beck 2019, 3rd ed.); Shulz in Gola, DS-GVO, DSGVO, Article 21 GDPR, margin numbers 8-10 (Beck 2018, 2nd ed.).

[2] Munz in Taeger, Gabel, GDPR BDSG, Article 21 GDPR, margin numbers 13-16 (Beck 2019, 3rd ed.).

[3] LG Hamburg, judgment of 23.7.2020 - 334 O 161/19

[4] Kühling, Buchner, GDPR BDSG, Article 21 GDPR, margin number 15 (Beck 2020, 3rd ed.); See also Forgó in Wolff, Brink, BeckOK data protection law (Beck 2021, 36 ed.)

[5] [Shulz in Gola, DS-GVO, DSGVO, Article 21 GDPR, margin numbers 8-10 (Beck 2018, 2nd ed.)

[6] Munz in Taeger, Gabel, GDPR BDSG, Article 21 GDPR, margin numbers 13-16 (Beck 2019, 3rd ed.; Forgó in Wolff, Brink, BeckOK data protection law (Beck 2021, 36 ed.).

[7] LG Frankfurt a. M., judgment of 20.12.2018 - 2/5 O 151/18, cited in Forgó in Wolff, Brink, BeckOK data protection law (Beck 2021, 36 ed.).

[8] Schrey in Rücker, Kugler, New European General Data Protection Regulation, a practitioner's guide: Ensuring compliant corporate practice, p. 147 (Oxford University Press 2018, 5th ed.).

[9] Schrey in Rücker, Kugler, New European General Data Protection Regulation, a practitioner's guide: Ensuring compliant corporate practice, p. 147 (Oxford University Press 2018, 5th ed.)

[10] Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 21 GDPR, p. 516 (Oxford University Press 2020), citing Hustinx in Cremona, New Technologies and EU Law, p. 123 (Oxford University Press 2017)

[11] Article 29 Working Party, ‘Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation 2016/679’, p. 19.

[12] Martini in Paul, Pally, DS-GVO BDSG, Article 21 GPDR, margin numbers 33-38 (Beck 2021, 3rd ed.).

[13] Kühling, Buchner, GDPR BDSG, Article 21 GDPR, margin number 15 (Beck 2020, 3rd ed.)

[14] Zanfir-Fortuna, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 21 GDPR, p. 517 (Oxford University Press 2020).

[15] Rb. Amsterdam, judgment of 22.04.2021 - C/13/693399 / HA RK 20-337

[16] Kühling, Buchner, GDPR BDSG, Article 21 GDPR, margin numbers 18-25 (Beck 2020, 3rd ed.); Recital 111 GDPR.

[17] Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21, Margin number 29 (Beck 2018, 2nd ed.)

[18] Kühling, Buchner, GDPR BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.).

[19] Kühling, Buchner, GDPR BDSG, Article 21 GDPR, margin number 13 (Beck 2020, 3rd ed.).

[20] Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 21, Margin number 29 (Beck 2018, 2nd ed.).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]