There is a provision in the General Data Protection Regulation (GDPR) that allows data subjects to object to certain ways their data is used. But what exactly does this right to object mean, and which uses can data subjects object to? What can companies do when a data subject sends an objection?
Article 21 of the GDPR sets out the right to object. Starting May 25, 2018, businesses should be prepared to deal with any objections they receive from data subjects. This must be included in their updated policies and procedures.
According to the GDPR, data subjects can object to certain types of data processing and the company should honor the subject’s rights and not continue processing their personal data. The situations wherein data subjects can legitimately object include the following:
- Direct marketing
- Personal data processing for statistical purposes or for use in historical or scientific research
- Personal data processing needed for serving the public interest
- The exercise of official authority vested in you
- Objections to data processing related to your or a third party’s legitimate interest
- Objections to data processing based on their own beliefs and situations
Businesses must inform individuals about their GDPR right to object at the first instance of contact. They should be told about this right to object to the processing of their data as this is the lawful basis of the business to process their personal data. Individuals should also be told about this right whenever data is being processed for public tasks, for legitimate interests, or for research or statistical reasons.
Data subjects can make their objections known verbally or in writing. Although objections will not always be valid, people definitely have the right to stop the use of their personal data for direct marketing.
How Should Companies Respond to Objections from Data Subjects
All GDPR-covered companies should have policies and procedures for handling objections received from data subjects. A company official must be given the responsibility to check the objections received from data subjects and determine if they are valid.
When a data subject wants to exercise his GDPR right to object to processing other than direct marketing, he must give a specific reason for the objection. Not all objections will be acted upon, but each will be carefully considered. Objections should be evaluated and dealt with promptly, since companies are only given one calendar month to do this.
If the objection concerns the use of personal data for direct marketing, the company must stop that personal data processing immediately. But it doesn’t mean that the person’s data must be deleted. It simply must not be included in any future direct marketing. If an objection is found to be valid, the company must stop any personal data processing for the reason stated in the objection.
One example of an invalid objection is when a company collects data to process legal claims. In that case, the objection may be overridden. Likewise, if the objection is related to research, public safety, public health or any public interest, the objection may be overridden.
A company must keep a record of all objections received and the corresponding action taken. The data subject is not charged for the resolution of an objection. However, in cases where the objections are excessive or unfounded, the company may charge a fee for processing the request or simply refuse to respond to the request.