Know your rights. The right to object to the use of your data

Direct marketing can be very intrusive, and you can say no to it, as you have the right to object to the processing of your personal data. Let's explore when and how you can exercise your right to object to the processing of your data under Article 21 of the GDPR and several privacy laws in the USA*.

What it is

The right to object to the processing of your data means you have the power to tell an organization or business to stop using your personal data at any time. Processing, in this context, includes any way your data is used—be it obtaining, recording, or storing it. However, it's crucial to note that the right to object has specific conditions. Organizations may not stop processing your data if they have valid and legitimate reasons.

First, let's see when you can exercise this right. You can object to processing when your data is being used:

• by an official authority for a legal purpose or in the public interest. A task carried out in the public interest
• for scientific or historical research, or statistical purposes
• for direct marketing purposes

Only the the right to object to direct marketing is absolute, meaning organizations must comply without exceptions.

However, in other cases, the organization can legally refuse your request. Common exemptions exist in law enforcement, police, national security, or taxation.

The circumstances in which they may not comply include:

• Your request is excessive or manifestly unfounded
• They can prove they have compelling, legitimate grounds
• Your data is for the performance of a public task, or on the basis of a legitimate interest
• The processing is necessary for the establishment, exercise, or defense of legal claims (e.g., in a legal dispute)
• Your data is used for statistical, scientific, or historical researc purposes

In each case, the organization must demonstrate that their legitimate grounds override yours.

Example stories

Story 1: Direct Marketing, Absolute Right

Maria purchased two tickets to see her favorite band play live through an online ticketing company. However, shortly after the purchase, her inbox was flooded with advertisements for concerts and events that didn't interest her at all. She informed the online ticketing service that she didn't want to receive any more advertising material. The company should respect her right to object to direct marketing. Soon after, the flood of unwanted emails should stop, and Maria shouldn't be charged for exercising her absolute right against direct marketing.

Story 2: Research for Public Interest Reasons – request denied

Mike recently underwent treatment at a hospital for an illness. The blood tests conducted during the treatment revealed that Mike had a virus that was prevalent during that time of the year. When Mike requests the hospital to delete their data and records, the hospital refuses. In this case, the data and information from him and other patients are essential for measuring the impact of the virus in the community. The hospital must demonstrate that retaining this data is necessary for public interest reasons, even if an individual requests its removal.

How to object to data processing

If you want to let an organization know that you're not comfortable with how they're handling your data, here's what to do:

1. Reach out to the organization directly. You can do this via email, a physical letter, an online form on their website, or by using a pre-written email through Bitdefender Digital Identity Protection. The key is to have a written record of your request.

2. Explain Your Reasons: Clearly state why you believe the organization should stop using your data in a particular way. Provide specific reasons based on your situation. The stronger your grounds (e.g., if the processing is causing reputation damage, distress, or financial loss), the better your chance of your request being successful.

3. Include Key Details in Your Request: In your objection request, make sure to include:

o    Your name and any relevant account username or details that can help the organization identify you efficiently.

o    The date of your request so the organization knows the deadline for compliance.

o    Clearly articulate the reasons for your objection and specify which processing operations you want to stop if there are several.

4. For Direct Marketing: If your objection is related to direct marketing, you don't need to provide detailed justifications. Express your desire to object to processing your data for this purpose.

5. Request Confirmation: Ask the organization to confirm receipt of your request. Also, request information on when they plan to stop processing your data.

The goal is to make your objection clear, providing enough information for the organization to understand and address your concerns promptly.

If you want a super easy way to handle your data issues, check out Bitdefender Digital Identity Protection. It shows you all the online accounts you have ever opened using Outlook or Gmail email addresses and offers ready-to-go emails to ask the organizations to either give back or delete your info. With Digital Identity Protection, you won't have to spend time crafting emails or searching for contact details, making the process efficient. On top, in case any organization holding your data suffers from a data breach, you'll receive an alert and actionable advice about what to do next.

What to expect after sending a request to stop processing of data

Once the organization receives your request, it has one month to respond. This period can only be extended once by a maximum of two further months, in cases of complex or multiple requests.

Unless you are objecting to direct marketing, the controller may choose to refuse your request. If they do this, they must explain their reasons and their compelling legitimate grounds applicable to your particular case. If they write a generic, blanket response, you are entitled to file a complaint with a data protection authority in your country.

* Right to object to processing USA: You have the right to opt out of receiving commercial (advertising) emails under CAN-SPAM and not receiving certain types of calls to residential or mobile telephone numbers without express consent under the TCPA.

California's Shine the Light Act requires companies that share personal information for the recipient's direct marketing purposes to either provide an opt-out or make certain disclosures to you of what information is shared and with whom. Recent state privacy laws, including the CPRA, Virginia CDPA, the Colorado Privacy Act, the Utah Consumer Privacy Act, and the Connecticut Privacy Act, provide you with the right to opt out of processing your personal information for targeted advertising.

Sources: European Commission, noyb.eu, Data Protection Laws and Regulations USA 2023