What is the right to object?
You have the right to object to organisations processing your personal data at any time. ‘Processing’ refers to any use of personal data (other than for personal reasons) and includes obtaining, recording and storing the data. This means that you can stop or prevent an organisation from using your data. However, the right to object only applies in specific circumstances and organisations may not be required to stop processing your data if they have strong and legitimate reasons for doing so.
An objection may be made in relation to all of the personal data an organisation holds about you or only certain pieces of information.
When can I object to my data being processed?
The right to object depends on the organisation’s purpose and lawful grounds for processing. Generally, you can only object if your data is being used for:
- direct marketing purposes
- statistical purposes
- scientific or historical research
- tasks carried out that are in the public interest
- the exercise of official authority
- the organisation’s legitimate interest
You can object to your data being used at any time.
For more information, see the Information Commissioner's Office’s (ICO’s) guidance on when the right to object applies.
Objecting to direct marketing
The right to object to the use of your personal data for direct marketing purposes is absolute. This means that if you object to the use of your data, the organisation cannot refuse your objection and must stop using your data for direct marketing purposes (eg it can’t continue using your data to sell or promote things to you).
However, if you object to the use of your data for direct marketing, this doesn’t automatically mean that the organisation needs to erase your data. Often, organisations will place you on their ‘suppression list’. This is a list of people who have objected to their data being used for direct marketing purposes. This allows organisations to check against any new direct marketing lists that they may buy at a later date, to ensure that they don’t use your data for direct marketing after you have objected to it.
Objecting to other purposes
The right to object to the use of your personal data for purposes other than direct marketing is generally more restricted. Usually, an organisation can continue to process your personal data despite your objections if:
- the processing is necessary for the performance of a task carried out for reasons of public interest, in the case of data processing for the purposes of statistics or scientific or historical research
- it can prove that it has compelling legitimate grounds that override your interests, rights and freedoms, in the case of data processing based on legitimate interests, on the performance of a task in the public interest or the exercise of official authority
If you object to the use of your data for purposes other than direct marketing, the data controller (ie the person who says how and why personal data is processed) will need to carry out a balancing exercise to determine whether they will be able to continue processing your personal data (eg using a Legitimate interest assessment).
How can I object to my data being processed?
To exercise your right to object, contact the organisation directly, explaining why you believe it should stop using your data.
Objections can be made verbally or in writing. However, it is recommended that they are made in writing in order to have a written record. If you make a verbal request, you should follow up in writing explaining your concern, giving evidence and stating your desired solution.
Consider using the ICO’s template letter to make an objection.
What will an organisation do after receiving my objection?
When an organisation receives your objection to the processing of your personal data, it needs to determine whether it is required to comply with this request. If your objection relates to an organisation’s processing of data for direct marketing it must stop this processing.
If your objection is successful, the organisation must stop (or not begin) processing your personal data for the purpose you objected to. It may, however, be able to continue (or start) processing your data for other purposes.
Can an organisation refuse to comply with my objection?
Organisations cannot refuse to comply with an objection for direct marketing purposes. However, organisations can refuse to comply with your objection if:
- they have a strong reason to continue processing your data that overrides your objection (for data uses other than for direct marketing)
- an exemption applies
- they believe that it is ‘manifestly unfounded or excessive’ (eg the request was made to harass or disrupt the organisation). For more information on what this means, see the ICO’s guidance on manifestly unfounded and excessive requests
If the latter applies, organisations can request a reasonable fee or even refuse to deal with the objection.
Regardless of the outcome, the organisation should inform you of the result of your objection. If your objection is unsuccessful (ie the organisation decides that it does not need to stop processing your data), it should explain its reasoning for this.
How long does an organisation have to respond to my request?
Generally, organisations have one month to respond to your objection. In certain circumstances, this can be extended by another 2 months, for example because the organisation requires proof of ID before handling your request.
If an organisation needs an extension, it needs to let you know and provide an explanation within one month.
For more information, read Data protection requests.
Can an organisation charge a fee for my request?
Generally, data requests should be dealt with and provided free of charge. However, organisations may be able to charge a fee in certain, limited circumstances, including where requests are found to be manifestly unfounded or excessive. For more information, read Data protection requests.
What happens if an organisation doesn’t respond to my request or the response is unsatisfactory?
If an organisation doesn’t respond to your objection or you are dissatisfied with the response, you should contact the organisation. If, after contacting the organisation, you do not receive a response or remain dissatisfied, you can complain directly to the ICO. You may also be able to seek enforcement through the courts. For more information, read Data protection requests.
Ask a lawyer if you have any questions about the right to object. Read Data protection and privacy to find out more about your data protection rights as an individual.
If you are a business or other organisation and want to find out more about how to handle objections to the use of personal data, read Data protection requests. For more general information about data protection, read Data protection for businesses.