The right to object allows each person concerned by a processing operation to object to the use of their data by an organisation.
The organisation may refuse to comply with such a request only if it can demonstrate compelling legitimate grounds for continuing to process the data.
The data controller must then define what these interests are and how they take precedence over the interests or rights and freedoms of the data subject.
This is a new feature: the adoption of the GDPR entails a reversal of the burden of proof. Previously, the right to object required the data subject to prove a legitimate reason.
Now it is up to the data controller, when faced with a request to object, to demonstrate that there are legitimate and compelling grounds.
But how are these legitimate and compelling grounds to be assessed?
Assessing whether an interest is legitimate presupposes:
- first of all, that it is manifestly lawful in the eyes of the law;
- that the interest in question is not too vague or hypothetical, but set out in sufficiently clear terms; and
- that it is real and present.
The processing must also be imperative, which means that it must be strictly necessary, or even indispensable.
However, no general rule can be laid down: the data controller must assess each exercise of the right to object on a case-by-case basis, and must be able to justify the refusal precisely in the event of a question from the competent supervisory authority or the individual concerned.
For example, compelling reasons may include processing relating to and necessary for the performance of a contract or the recovery of a debt.
Finally, when personal data is processed for canvassing purposes, the data subject has the right to object at any time to the processing of data concerning him or her for these purposes, and the data controller cannot oppose this on compelling and legitimate grounds.