GDPR Article 21: Right to Object – Implementation & Compliance
Article 21 of the GDPR gives data subjects the right to object to processing based on your legitimate interests or public task. Your organization must have a clear process to receive, evaluate, and respond to objections—and cease processing unless you can prove compelling grounds override their rights. This control is non-negotiable for direct marketing and a critical trust mechanism for data subjects.
What this means
The right to object is a core data subject right under GDPR Article 21. Data subjects can object to processing based on legitimate interests or public tasks at any time. When an objection is received, you must stop processing their data unless you can demonstrate that compelling legitimate grounds for processing override their interests, or the processing is necessary for legal claims. For direct marketing specifically, you must always honor objections—no exceptions. This right applies regardless of how the data subject exercises it (email, web form, phone, in-person).
How to comply
- 1.Establish a documented process to receive objections through multiple channels (email, web form, customer portal, phone)
- 2.Create a standardized response template that acknowledges receipt within 72 hours
- 3.Implement a triage workflow: classify objections as direct marketing vs. other legitimate interest processing
- 4.For direct marketing: cease all processing immediately upon receipt
- 5.For other processing: conduct a balancing test to determine if compelling legitimate grounds override the objection
- 6.Document your decision-making rationale for each objection, including the balancing assessment
- 7.Execute cessation of processing (or document the grounds for continuing) within 30 days
- 8.Notify the data subject of your decision and their appeal rights
- 9.Maintain a register of all objections received, decisions, and actions taken
- 10.Train staff handling customer communications on objection procedures and urgency
Evidence auditors look for
- Documented right-to-object request process (email policy, web form, intake form)
- Acknowledgment letters sent to data subjects confirming receipt of objections
- Objection register showing received date, objection type, classification, decision date, and action
- Balancing test documentation showing legitimate interest vs. data subject rights assessment
- Evidence of processing cessation: deletion confirmation, unsubscribe confirmation, or database records
- Direct marketing opt-out records or suppression list updates
- Decision letters explaining why processing continues (if applicable) and appeal mechanism
- Staff training records on objection handling procedures
- System logs showing removal from marketing lists or processing halts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates objection intake, triage, and tracking—flagging direct marketing objections for immediate action and storing balancing test documentation to prove compliance during audits.
See how GRCWatch handles this control automatically
Start free trial