Understanding the Right to Object Under UK GDPR (Article 21)
Companies today rely on data to drive decision-making, marketing, and operational efficiency. But under the UK General Data Protection Regulation (UK GDPR), individuals have the right to object to how their data is processed — particularly where it’s used for direct marketing or based on legitimate interests. This right, defined in Article 21, is critical to balancing data use and individual privacy.
🚫 What Is the Right to Object?
The right to object allows a data subject to challenge and request a stop to the processing of their personal data. It applies in several specific situations, including when processing is based on:
- Legitimate interests of the company or a third party
- Public interest or official authority
- Direct marketing (including profiling related to marketing)
Importantly, if a person objects to direct marketing, the processing must stop immediately. For other types, companies can continue only if they demonstrate compelling legitimate grounds that override the individual’s interests or rights.
🏢 What Does This Mean for Companies?
Businesses that rely on data for outreach, profiling, or behavioural analysis must build processes to:
- Clearly inform individuals of their right to object at the point of data collection
- Make it easy for individuals to submit objections (e.g. via email, privacy portal)
- Log and respond to objections within one month
- Review whether processing can continue under a balancing test
📊 Real-World Example
A professional services firm uses behavioural profiling to target potential B2B clients based on their browsing history and job roles. If a prospect objects to this use of data, the company must review the legal basis (likely legitimate interest) and either stop processing or justify continuation through documented assessment.
🔍 Common Misconceptions
Many companies assume the right to object only applies to marketing. While that’s the clearest use case, Article 21 covers a broader range of business activity, including internal analytics and non-marketing profiling based on legitimate interest.
💡 Tip:
Include a clear “right to object” statement in your privacy notices and marketing emails. Avoid burying it in legal jargon — transparency builds trust and reduces complaints.
