Right to object
In certain situations, the data subject has the right to object to the processing of his or her personal data, that is, request the controller not to process it at all.
If the data is processed for the performance of a task carried out for reasons of public interest, in the exercise of official authority or for the purposes of the compelling legitimate interests pursued by the controller or a third party, the data subject has the right to object to the processing on grounds relating to his or her particular situation.
In such cases, the processing must be stopped unless
- the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or
- the processing is necessary for the establishment, exercise or defence of legal claims.
If the personal data is processed for direct marketing, the data subject has the right to object to the processing without any specific grounds, after which the data may no longer be processed for purposes of direct marketing.
If the personal data is processed for scientific or historical research purposes or statistical purposes, the data subject may object to the processing on grounds relating to his or her particular situation, in which case the processing must be stopped. The right to object does not apply, however, if the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject must be clearly informed of his or her right to object, and the right must be presented separately from any other information.
In information-society services, data subjects must be able to exercise their right to object automatically, by using the technical features of the service.
How quickly is the controller required to react to the data subject’s request?
The right to object must be fulfilled without delay.
The controller must respond to the data subject without undue delay and not later than in one month from receiving the request. In the reply, the controller shall indicate the measures it has taken due to the request. If the requests are numerous or complex, the controller can reply that it needs more time to process them. In such cases, the deadline can be extended by a maximum of two months. Justifications must be provided for the extension.
If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.
Is it possible to charge a fee from the data subject?
As a rule, the exercise of rights is free of charge.
If the data subject’s requests are manifestly unfounded or excessive, the controller can either refuse the request or charge a reasonable fee for fulfilling it.
Requests can be considered manifestly unfounded or excessive particularly if they are made repeatedly. The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request.
The administrative costs of supplying the information or messages or carrying out the requested measure must be taken into account when determining the amount of possible fee.
Can the request be refused?
If the right to object is exercised with regard to processing for the purposes of direct marketing, the controller cannot refuse to fulfil the right. There is no room for discretion in fulfilling the request, since the objection does not have to be justified. If the right is not fulfilled despite the data subject's request, the data subject can refer the matter to the Data Protection Ombudsman.
In the other cases described above, the controller evaluates whether or not the right can be fulfilled. If the controller finds that the conditions are not met, it is entitled to refuse the request, and the data subject can then refer the matter to the Data Protection Ombudsman.
If the data subject’s requests are manifestly unfounded or excessive, the controller can either refuse the request or charge a reasonable fee for fulfilling it. The controller bears the burden of demonstrating the unfounded or excessive nature of the request.
If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the Data Protection Ombudsman and the availability of judicial remedies.
In addition, it is possible to derogate from the right to access data under certain conditions in connection with carrying out scientific or historical research or preparing statistics.
Further information about derogaring from the rights of data subjects
Confirming the identity of the data subject
The controller must be able to confirm the identity of the data subject exercising his or her data protection rights. If the controller has reasonable doubts concerning the identity of the person who made the request, it can request the provision of additional information necessary to confirm his or her identity.
The GDPR does not provide for the methods of confirming the data subject’s identity. Many controllers already have suitable procedures in place. For example, the controller may have verified the data subject's identity before entering into the agreement or obtaining consent for the processing. This personal data can then be used to confirm the data subject's identity also in connection with fulfilling the rights of the data subject.
If the controller requests additional information for confirming the data subject’s identity, this may not cause unreasonable demands or the collection of personal data that is not relevant or necessary.
If the controller is unable to identify the data subject, it must notify him or her of this if viable.
If the controller refuses the data subject’s request due to not being able to identify the data subject, it must demonstrate that it is unable to confirm the identity of the data subject.
If the data subject cannot be identified, he or she cannot exercise the right
- of access to data
- to rectification of data
- to erasure of data
- to restrict the processing of data or
- to data portability.
The data subject can provide additional information for the purposes of identification, however.
When is confirming the data subject's identity not necessary?
Personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing.
If the personal data that permit the identification of the data subject is not necessary for the purpose of processing, the GDPR does not obligate controllers to keep, obtain or process such additional data solely for the purpose of compliance with the GDPR.
GDPR: Articles 12 and 21 (EUR-Lex)