Two very different types of objection
The right to object under Article 21 GDPR covers two situations that work very differently in practice. Getting them mixed up is one of the most common mistakes businesses make.
Type 1: Direct marketing objection (Article 21(2))
This is an absolute right. When someone objects to direct marketing, you must stop. No exceptions, no balancing test, no discussion. This includes profiling related to direct marketing.
Type 2: Legitimate interest objection (Article 21(1))
This is not absolute. When someone objects to processing based on legitimate interest (or public interest), you can continue processing if you demonstrate compelling legitimate grounds that override the interests of the data subject. This requires a balancing test.
Knowing which type you are dealing with is the first thing to determine.
Step 1: Register the objection
As with any data subject request, log it immediately:
- Who is objecting
- When you received the objection (the one-month deadline starts now)
- Through which channel it came in
- What they object to - which processing activity or purpose
Template: Request Register
Keep track of every request in a register: who, when, what was asked, and how it was handled.
Step 2: Determine the type of objection
Ask yourself: is the person objecting to direct marketing, or to another type of processing?
Signs of a direct marketing objection:
- “Stop sending me emails”
- “Unsubscribe me from your newsletter”
- “I don’t want promotional messages anymore”
- Clicking an unsubscribe link
Signs of a legitimate interest objection:
- “Stop recording me on CCTV”
- “Stop monitoring my work activities”
- “I don’t want you to share my data with partners for fraud analysis”
- “Stop processing my data for [specific purpose other than marketing]”
If you are unsure, ask the person to clarify which processing activity they object to. But do not use this as a delay tactic.
Step 3A: Handle a direct marketing objection
If the objection is about direct marketing, the process is straightforward:
- Stop immediately. Remove the person from all marketing lists. This includes email, postal mail, SMS, phone calls, and targeted advertising.
- No balancing test needed. You cannot argue that your marketing interests override their objection.
- Confirm. Inform the person that their objection has been processed and they will no longer receive marketing communications.
- Profiling too. If you use profiling to target marketing (segmentation, personalised offers), stop that profiling for this person as well.
- Keep a suppression list. Add the person to a suppression list so they are excluded from future campaigns. This is not the same as deleting their data - you need to remember not to contact them.
The obligation to stop applies immediately; in practice, you should confirm to the person within one month.
Step 3B: Handle a legitimate interest objection
If the objection is about processing based on legitimate interest, the process requires more work:
- Pause processing if possible. While you assess the objection, consider pausing the processing activity if feasible. This is not strictly required, but it shows good faith.
- Conduct a balancing test. Weigh your legitimate interest against the person’s interests, rights, and freedoms. Consider:
  - How important is this processing for your business?
  - What is the impact on the person?
  - Are there less intrusive alternatives?
  - Did the person provide specific reasons related to their situation?
- Document your decision. Write down your reasoning, whether you accept or refuse the objection.
- Inform the person. Communicate your decision with a clear explanation.
You can refuse the objection only if you demonstrate compelling legitimate grounds that override the data subject’s interests. “We always do it this way” is not a compelling ground.
Comparing the two types
| | Direct marketing (Art. 21(2)) | Legitimate interest (Art. 21(1)) |
|---|---|---|
| Trigger | Person objects to marketing | Person objects to processing based on legitimate interest |
| Can you refuse? | No, never | Yes, if you have compelling grounds |
| Balancing test needed? | No | Yes |
| Response deadline | Immediately (confirm within one month) | Within one month |
| What to do | Stop all marketing to this person | Conduct balancing test, then decide |
| Reason required from the person? | No | They should describe their particular situation |
Common scenarios
Scenario 1: Customer objects to email marketing
Type: Direct marketing (absolute right)
Action: Remove from all marketing lists immediately. Add to suppression list. Confirm.
Scenario 2: Customer objects to CCTV in your shop
Type: Legitimate interest objection
Action: Conduct a balancing test. Security interests may override, but consider whether the person has a specific reason (e.g. they are a domestic abuse victim and fear being located). Document your decision.
Scenario 3: Employee objects to workplace monitoring
Type: Legitimate interest objection
Action: Conduct a balancing test. Consider the necessity of the monitoring, whether less intrusive alternatives exist, and the employee’s specific situation. In many cases, broad monitoring will be difficult to justify.
Scenario 4: Customer objects to profiling for personalised pricing
Type: Legitimate interest objection (if based on legitimate interest) or direct marketing (if the pricing is part of a marketing strategy)
Action: Determine the legal basis first, then follow the appropriate process.
What happens after a successful objection
Once an objection is accepted:
- Stop the processing that the person objected to
- Do not delete automatically. You may still need to retain the data for other purposes (contract performance, legal obligations, defence of legal claims)
- Document what processing was stopped and when
- Check downstream. If you shared the data with processors or other controllers for the objected purpose, inform them of the objection
Step 4: Document everything
Record your full handling of the objection: when received, what type, what decision was made, the reasoning, and when the person was informed. This is your evidence if the data subject files a complaint with the supervisory authority.