Important Blogs

Article 2 of the EU Artificial Intelligence Act

Article 21 of EU GDPR: Right to Object

Article 21 of the EU General Data Protection Regulation (GDPR) grants individuals certain rights in relation to their personal data. Specifically, it focuses on the data subject's right to object to the processing of their personal data. We will delve into each subsection of Article 21, providing an explanation and example for each.

Article 21(1) of EU GDPR:
According to this subsection, individuals have the right to object to the processing of their personal data when it is carried out on the grounds of legitimate interests pursued by the data controller or a third party. The data controller must then halt processing unless compelling legitimate grounds for the processing override the interests, rights, and freedoms of the data subject.

Example: A marketing company is collecting and processing personal data for targeted advertisements. However, an individual objects to their data being used for advertising purposes due to privacy concerns. In such a case, the marketing company must stop processing the individual's personal data for advertising unless there are other legitimate grounds that justify continuing the processing

Article 21(2) of EU GDPR:
This subsection lays out the right to object to the processing of personal data for direct marketing purposes. When a data subject raises an objection, their personal data should no longer be used for direct marketing, including profiling.

Example: An online retailer regularly sends marketing emails to its customers to promote special offers. Though a customer initially provided consent for receiving these emails, they now want to opt-out. In this scenario, the retailer must respect the individual's objection and cease using their personal data for direct marketing emails.

Article 21(3) of EU GDPR:
Article 21(3) extends the right to object by providing individuals the opportunity to object to the processing of personal data for scientific, historical, or statistical research purposes. However, this right may be limited if the research serves purposes of public interest.

Example: A medical research institution collects and processes personal health data of patients for research purposes. A patient has concerns about their privacy and wants to object to the use of their personal data. In such a case, the institution must consider the objection but may still proceed with the research if it is in the public interest and complies with all necessary data protection safeguards.

Article 21(4) of EU GDPR:
This subsection addresses the data subject's right to object to the processing of their personal data for profiling purposes. Profiling refers to any form of automated processing that evaluates personal aspects to make decisions about individuals.

Example: A financial institution uses automated algorithms to analyze personal data of its customers for credit scoring purposes. An individual objects to their personal data being used in this manner. Consequently, the financial institution must respect the objection and cease using the individual's data for profiling unless there are other legal grounds for doing so.

Article 21(5) of EU GDPR:
Article 21(5) discusses the right to object to the processing of personal data for scientific or historical research purposes or statistics. If an individual objects, the controller must cease processing the individual's data unless such processing is necessary for the performance of a task carried out for reasons of public interest.

Example: A government agency conducts research on public health issues by processing personal data from various sources. However, an individual objects to their data being used for this research. The agency must consider the objection unless the research serves public interest and is necessary for that purpose.

Article 21(6) of EU GDPR:
The final subsection of Article 21 states that individuals have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect them.

Example: An e-commerce platform uses automated systems to analyze customers' personal preferences, browsing history, and purchase behavior to determine credit limits for installment payment options. If an individual feels negatively affected by such automated decisions, they have the right to object and request a human review of the decision.

Implementing the right to object in compliance with the GDPR involves ensuring individuals can easily exercise their rights, establishing clear processes for handling objections, and promptly addressing and respecting objections raised by data subjects. Organizations should have mechanisms in place to manage objections, provide clear information about objection rights to individuals, and regularly review their data processing activities to guarantee compliance with data protection regulations.

Please write us to implement compliances.