The future General Data Protection Regulation (“GDPR”) is good news for individuals – because they will be given additional and more powerful rights.
This blog entry will focus on your right to object to processing of your personal data, including when and where to file a complaint.
An existing but strengthened right
The existing right to object is located in the current Data Protection Directive, art. 14. An equivalent provision is imposed in the future regulation with the modification that the right is strengthened concerning individuals.
According to the directive, you can only object to processing of your personal data by a company or authority if you can prove that compelling legitimate grounds exist that entail that your personal data should not be processed. A compelling legitimate ground could be the case of an individual who, due to harassment/stalking from an ex-husband/wife, does not want his/her name published in various public registers on the internet.
According to the GDPR, it is only required to prove that grounds exist that entail that your personal data should not be processed. The requirement regarding “compelling” and “legitimate” grounds has thus been omitted which will make it easier to exercise your right to object. However, companies and authorities that have access to your personal data will still be able to process it, if they in turn have “compelling” and “legitimate” grounds to continue the processing. The balance has tipped towards making the situation easier for the individual so to speak.
Please note that if you have given your consent to the processing of your personal data, you can withdraw your consent instead of objecting.
To object or withdraw your consent, simply contact the company that is processing your personal data and provide your reason for objecting or announce that you withdraw your consent.
A new absolute right
As an entirely new feature the GDPR introduces an absolute right to object to the processing of personal data for direct marketing purposes by companies or authorities. This means that if you receive marketing material, addressed to you by e-mail, postal service or otherwise, based on personal data that has been collected about you, you will now be able to contact the company that sends out the marketing material and ask them to stop, regardless of the reason. The company must ensure that you can object without incurring any costs and that the processing stops immediately. The situation could arise if you, in an online questionnaire, have indicated that you prefer alternative medicine over conventional medicine and subsequently receive marketing material offering alternative medicine.
More extensive responsibility for the companies
The future stronger rights of the individuals imply more obligations for companies and authorities that process personal data.
The companies and authorities are obliged to explicitly inform of the right to object already when approaching the data subject for the first time regarding collection of personal data. The information must be clear and separate from other information. This means that all e-mails related to marketing must contain a clearly indicated link giving you the possibility to opt out of further processing of your personal data for direct marketing purposes. The current general practice of inserting a link at the very bottom of an e-mail in fine print is probably not enough to meet the requirement in the GDPR.
(I would like to thank my Bird & Bird colleagues, student assistant Mathias Bartholdy, junior associate Amalie Langebæk and associate Kamilla Pierdola Mondrup, for assisting with this blog entry.)