Right to object

The right to object to the processing of personal data is one of the seven rights that data subjects have over their personal data enshrined in the GDPR, namely:

Under the right to object to processing, the data subject may request the controller, at any time and for reasons relating to his or her particular situation, to stop processing personal data concerning him or her for a specific purpose.

However, this right is strictly limited to data processing whose legal basis is one of the following:

  • The performance of a mission of public interest or in the exercise of public authority vested in the controller;
  • Legitimate interests pursued by the data controller or a third party.

When data are processed for the purpose of canvassing, regardless of the legal basis for the processing, the data subject has the right to object at any time without having to provide reasons related to his or her particular situation.

In any case, when exercising his or her right, the person concerned is not required to provide any evidence of his or her particular situation.

Indeed, the onus is on the data controller to show that there are legitimate and compelling reasons for the processing which override the interests, rights and freedoms of the data subject, or that the processing is needed for the establishment, exercise or defence of legal claims.


Provision should be made to facilitate the exercise by the data subject of his or her rights under this Regulation, including the means of requesting and, where appropriate, obtaining free of charge, inter alia, access to and rectification or erasure of personal data and the exercise of a right of objection. The controller should also provide the means to make requests electronically, especially when personal data are processed electronically. The controller should be obliged to respond to requests from the data subject as soon as possible and at the latest within one month and to give reasons for not responding to such requests.

Recital 59 of the GDPR

Point of jurisprudence

The Belgian supervisory authority considers that “The deletion of personal data also constitutes processing within the meaning of the GDPR. Since the complainant explicitly objects to the deletion of the fan page and, by definition, to the deletion of the personal data on this fan page.”

Data Protection Authority, January 12, 2021, No. 02/2021

The Bouchara firm assists you in particular with:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter…);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.