AuditFront

GDPR Art.21: Right to Object

What This Control Requires

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

In Plain Language

If you're processing someone's data under legitimate interests (Article 6(1)(f)) or public interest / official authority (Article 6(1)(e)), they can say "stop" - and you'll need a very good reason to keep going. That's the right to object in a nutshell. The individual needs to cite grounds relating to their particular situation, and you can push back only if you can demonstrate compelling legitimate grounds that override their interests, rights and freedoms, or if you need the data for the establishment, exercise or defence of legal claims. But "compelling" is a high bar - higher than the standard legitimate interest balancing test you did initially. The right does not extend to processing on other lawful bases, such as consent or performance of a contract, which have their own mechanisms (withdrawal of consent, for example).

For direct marketing, it's even simpler: the right is absolute. No balancing test, no exceptions. When someone says stop, you stop. This covers all direct marketing processing, including any profiling connected to it. Article 21(4) requires you to bring this right explicitly to the person's attention at the latest at the time of your first communication with them, presented clearly and separately from any other information; in practice every subsequent marketing message should also carry a working opt-out, and for electronic marketing the ePrivacy rules separately require one.

In practice, this means your organisation needs robust opt-out mechanisms, the ability to separate data used for marketing from data used for other purposes, and a documented process for assessing non-marketing objections. Getting this wrong - especially on the marketing side - is one of the most common triggers for complaints and enforcement action.

How to Implement

Make it easy for people to object. For direct marketing, include working unsubscribe links in every communication, provide opt-out options in account settings, and accept preferences through multiple channels (web, email, phone, post). For objections to legitimate interest or public interest processing, provide a clear contact point and a straightforward process.

Build a proper assessment procedure for non-marketing objections. When someone objects to processing under legitimate interests or public interest, you need a documented evaluation that weighs your grounds against their particular situation and the impact on their rights. Remember, the bar is "compelling" legitimate grounds - not just "reasonable" ones - and the only other basis for continuing is the establishment, exercise or defence of legal claims. If you can't clear that bar, you stop processing.

For marketing objections, speed matters. Configure your systems to process opt-outs in real time or as close to it as possible. Maintain suppression lists that prevent objecting individuals from being included in future campaigns across all channels, and match on normalised identifiers (case, spacing, phone number formatting) so the same person cannot slip through under a slightly different spelling of their email address or number. Test your suppression mechanisms regularly - a broken unsubscribe link is a regulator's favourite low-hanging fruit.

Make sure your privacy notices and marketing communications clearly explain the right to object. For marketing, this needs to be presented prominently and separately from other information - not buried in paragraph 47 of your privacy policy. Article 21(4) requires it at the latest at the time of the first communication with the data subject; carrying a working opt-out in every subsequent marketing message as well is the simplest way to show the right remains available, and for electronic marketing it is separately required by the ePrivacy rules.

Train your customer-facing staff to recognise objections even when people don't quote Article 21 by name. "Stop using my data," "take me off your list," or "I don't want you processing my information" are all valid objections. Straightforward marketing opt-outs should be processed immediately. Complex objections that need a balancing assessment should be escalated with clear timelines.
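The steps above describe a mechanism as much as a policy: normalise the identifiers a person gives you, suppress them across channels the moment a marketing objection arrives, log non-marketing objections with a due date for the balancing assessment, and test that the suppression actually bites. The following Python is an added example written for this page, not AuditFront code or a reference implementation from any regulator. Its assumptions are labelled in the docstring and comments: identifiers are stored only as SHA-256 hashes of their normalised form, an objection to marketing suppresses every channel the person supplied an identifier for, the Article 12(3) one-month window is approximated as 30 days, and the normalisation rules (lower-casing the whole email address, stripping phone formatting) are the author's choices, not anything the page specifies.

```python
"""Marketing suppression list and objection register for GDPR Art. 21.

Added example, not AuditFront's code. Assumptions (not from the page):
- identifiers are normalised and stored only as SHA-256 hashes;
- a marketing objection suppresses every channel the person gave an
  identifier for, immediately and without any balancing test;
- a non-marketing (Art. 21(1)) objection is logged as pending assessment
  with a due date, using 30 days to approximate the Art. 12(3) month.
"""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

CHANNELS = ("email", "sms", "post")
RESPONSE_WINDOW = timedelta(days=30)   # assumed approximation of "one month"


def normalise(channel: str, identifier: str) -> str:
    """Canonicalise an identifier so case, spacing or number formatting
    cannot let the same person past the list (assumed rules)."""
    value = identifier.strip()
    if channel == "email":
        local, at, domain = value.rpartition("@")
        if not (local and at and domain):
            raise ValueError(f"not an email address: {identifier!r}")
        # Lower-casing the local part can over-suppress a case-sensitive
        # mailbox; for an opt-out list over-suppression is the safe error.
        return f"{local.lower()}@{domain.lower()}"
    if channel == "sms":
        digits = re.sub(r"[^0-9+]", "", value)
        if digits.startswith("00"):          # international prefix -> "+"
            digits = "+" + digits[2:]
        if not re.fullmatch(r"\+?[0-9]{8,15}", digits):
            raise ValueError(f"not a phone number: {identifier!r}")
        return digits
    if channel == "post":
        # Whitespace and case only; a real system would add address
        # verification (assumption: enough for the example).
        return re.sub(r"\s+", " ", value).upper()
    raise ValueError(f"unknown channel: {channel!r}")


def token(channel: str, identifier: str) -> str:
    """Hashed key, so the suppression list holds no contact data in clear."""
    key = f"{channel}:{normalise(channel, identifier)}".encode()
    return hashlib.sha256(key).hexdigest()


@dataclass
class Objection:
    subject_ids: dict                 # channel -> identifier as the person gave it
    scope: str                        # "marketing" (Art. 21(2)) or "legitimate_interest" (Art. 21(1))
    received_at: Optional[datetime] = None
    grounds: str = ""                 # the person's particular situation (Art. 21(1))
    status: str = "open"
    due_by: Optional[datetime] = None


@dataclass
class ObjectionHandler:
    suppressed: set = field(default_factory=set)   # hashed (channel, identifier) tokens
    register: list = field(default_factory=list)   # every objection, for the auditor

    def receive(self, objection: Objection) -> Objection:
        if objection.received_at is None:
            objection.received_at = datetime.now(timezone.utc)
        if objection.scope == "marketing":
            # Absolute right: suppress on every known channel, no assessment.
            for channel, ident in objection.subject_ids.items():
                self.suppressed.add(token(channel, ident))
            objection.status = "suppressed"
        else:
            # Qualified right: pause and assess against the "compelling" bar.
            objection.status = "pending_assessment"
            objection.due_by = objection.received_at + RESPONSE_WINDOW
        self.register.append(objection)
        return objection

    def filter_campaign(self, channel: str, recipients: list) -> tuple:
        """Split a campaign batch into (send, blocked) for one channel."""
        send, blocked = [], []
        for recipient in recipients:
            target = blocked if token(channel, recipient) in self.suppressed else send
            target.append(recipient)
        return send, blocked

    def self_test(self) -> bool:
        """Regular check that suppression still works: seed a constructed
        canary objector on a copy of the list and confirm a batch drops them
        even when their address is written differently."""
        probe = ObjectionHandler(suppressed=set(self.suppressed))
        canary = "suppression-canary@example.com"      # constructed test identity
        probe.receive(Objection({"email": canary}, "marketing"))
        variant = " Suppression-Canary@Example.COM "
        send, blocked = probe.filter_campaign("email", [variant, "someone@example.com"])
        return blocked == [variant] and send == ["someone@example.com"]
```

Run `ObjectionHandler().self_test()` from a scheduled job and alert on `False`; that is the "regular testing" evidence an auditor asks for. Note that `filter_campaign` returns the recipients exactly as they appeared in the batch, so the calling system never has to map normalised values back to its own records.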

Evidence Your Auditor Will Request

  • Documented procedure for handling right to object requests, including assessment framework
  • Evidence of opt-out mechanisms in marketing communications (unsubscribe links, preference centres)
  • Suppression list management procedures and evidence of regular testing
  • Records of objections received, assessments conducted, and outcomes
  • Privacy notices and marketing communications demonstrating clear information about the right to object

Common Mistakes

  • Unsubscribe mechanisms that do not work or take an unreasonable time to take effect
  • Continuing to send marketing communications after a data subject has objected
  • No formal assessment process for objections to processing based on legitimate interests
  • Right to object not clearly communicated in privacy notices or marketing communications
  • Staff not trained to recognise informal objections as valid exercises of the right

Related Controls Across Frameworks

Framework | Control ID | Relationship
ISO 27001 | A.5.34     | Related

Frequently Asked Questions

Is the right to object absolute?
Only for direct marketing - there it's unconditional, no questions asked. For processing based on legitimate interests or public interest, it's qualified. You can continue if you demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms, or if the processing is needed for the establishment, exercise or defence of legal claims. But "compelling" sets a deliberately high bar, well above the standard legitimate interest balancing test.
How quickly must we stop processing after an objection?
For marketing, aim for real-time or within 24-48 hours at most. For other types of processing, you should pause while you carry out the balancing assessment unless there's an immediate compelling reason to continue; Article 18(1)(d) gives the individual the right to have processing restricted while you verify whether your grounds override theirs. The overall response deadline under Article 12(3) is without undue delay and in any event within one month (extendable by two further months for complex or numerous requests, provided you tell the person within the first month), but don't use that as an excuse to delay actioning a straightforward marketing opt-out.
Can someone object to processing but still use our service?
Often, yes. If someone objects to direct marketing but their account runs on a contractual basis, the service continues - you just stop the marketing. Keep in mind that the right to object only covers processing based on Article 6(1)(e) or (f): processing that is genuinely necessary to perform the contract (Article 6(1)(b)) is outside its scope, so if the objection targets that, explain clearly that the service cannot operate without it rather than treating it as a balancing-test case. If you rely on legitimate interests for something the service depends on, the objection does apply and you must run the assessment; "we need it for the service" may be a compelling ground, but you have to document why.

Track GDPR compliance in one place

AuditFront helps you manage every GDPR control, collect evidence, and stay audit-ready.
