GDPR Article 21 contains the conditions that need to be met before a data subject is able to successfully object to their data being processed.
It’s important to note that data subjects do not enjoy a blanket right to object to processing activities, with the right to object being limited to a specific set of scenarios.
Right to object
UK GDPR is largely similar to the EU GDPR excerpt; the only difference is shown below:
Right to object
5. In the context of the use of information society services, the data subject may exercise his or her right to object by automated means using technical specifications, notwithstanding domestic law made before IP completion day implementing Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
Individuals are able to object to their data being processed on three key grounds:
GDPR relies heavily on a data subject establishing a ‘legitimate interest’ prior to objecting to their data being processed. This needs to include some or all of the below:
Organisations need to document a list of requirements that governs when and how information is to be provided to PII principals, including:
Organisations need to provide ‘clear and accessible’ information that establishes who the PII controller is, and how it’s processed.
All information should be provided error-free, written in language that is easily understood (e.g. as jargon-free as possible) and conveyed in a common format (see ISO 27701 clause 7.3.2).
In this section we talk about GDPR Articles 21 (1), 21 (2), 21 (3), 21 (5) and 21 (6).
Laws vary from region to region, but as a rule, jurisdictions generally provide individuals with the right to raise an objection as to how their PII is collected and processed.
Organisations should:
GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
---|---|---|
EU GDPR Article 21 (4) | ISO 27701 7.3.2 | None |
EU GDPR Article 21 (4) | ISO 27701 7.3.3 | ISO 27701 7.3.2 |
EU GDPR Article 21 (1), 21 (2), 21 (3), 21 (5) and 21 (6) | ISO 27701 7.3.5 | None |