How to Demonstrate Compliance With GDPR Article 21


GDPR Article 21 contains the conditions that need to be met before a data subject is able to successfully object to their data being processed.

It’s important to note that data subjects do not enjoy a blanket right to object to processing activities, with the right to object being limited to a specific set of scenarios.

GDPR Article 21 Legal Text

EU GDPR Version

Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
  5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
  6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

UK GDPR Version

The UK GDPR text is largely identical to the EU GDPR text above; the only difference is in paragraph 5, shown below:

Right to object

5. In the context of the use of information society services, the data subject may exercise his or her right to object by automated means using technical specifications, notwithstanding domestic law made before IP completion day implementing Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

Technical Commentary

Individuals are able to object to their data being processed on three key grounds:

  1. a ‘legitimate interest’ or task in the public interest (see below) is not identified;

  2. direct marketing purposes;

  3. historical or statistical purposes (unless in the public interest).

‘Legitimate Interests’

GDPR relies heavily on a data subject establishing a ‘legitimate interest’ prior to objecting to their data being processed. This needs to include some or all of the below:

  • scenarios relating to their own personal situation;
  • compelling legitimate grounds;
  • actions in pursuit of a legal claim;
  • data profiling (a form of processing that evaluates certain personal aspects relating to a natural person, based on associated data, without definitive data to rely on);
  • exercising their right to restrict processing, or erasure.


ISO 27701 Clause 7.3.2 and EU GDPR Article 21 (4)

Determining Information for PII Principals

Organisations need to document a list of requirements governing when and how information is to be provided to PII principals, including:

  • the purpose of the PII that’s to be collected and used;
  • how to get in touch with the data controller;
  • the circumstances in which the PII was obtained;
  • any prevailing contractual and/or statutory requirements;
  • how individuals are able to remove consent;
  • how PII is transferred from one source to another;
  • how data subjects are able to log a complaint;
  • the organisation’s internal decision-making process;
  • when data is to be deleted (retention periods).

ISO 27701 Clause 7.3.3 and EU GDPR Article 21 (4)

Providing Information to PII Principals

Organisations need to provide ‘clear and accessible’ information that establishes who the PII controller is and how the PII is processed.

All information should be provided error-free, written in language that is easily understood (e.g. as jargon-free as possible) and conveyed in a common format (see ISO 27701 clause 7.3.2).

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.2

ISO 27701 Clause 7.3.5 and EU GDPR Article 21

This section covers GDPR Articles 21 (1), 21 (2), 21 (3), 21 (5) and 21 (6).

Providing Mechanism to Object to PII Processing

Laws vary from region to region, but as a rule, jurisdictions generally provide individuals with the right to raise an objection as to how their PII is collected and processed.

Organisations should:

  • document and adhere to any legal or regulatory requirements that are related to the specific objections raised;
  • distribute easily-understood information on how individuals are able to object, and on what grounds.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses
EU GDPR Article 21 (4) | ISO 27701 7.3.2 | None
EU GDPR Article 21 (4) | ISO 27701 7.3.3 | ISO 27701 7.3.2
EU GDPR Article 21 (1), 21 (2), 21 (3), 21 (5) and 21 (6) | ISO 27701 7.3.5 | None

How ISMS.online Helps

We’re here to help when you need it. If for any reason you experience a lack of confidence, ability or the drive to take action during your journey to GDPR, we can make our team of in-house experts available or recommend one of our trusted partners to give your efforts a boost.

We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.

If the worst happens, you’ll be ready. We make it easy to plan and communicate your breach workflow, and document and learn from every incident.
