GDPR: Right to Object and Auto Decision-Making (21 – 22)

Data Subjects have a Right to Object

As we continue to unpack what rights the data subject has, we can sleep easy at night knowing we can object to our information being processed. The subject should have the right to object to someone else using their data because, according to GDPR, their data belongs to them. It wouldn’t make much sense if I took your bitcoin and sold it to make money for myself (theft???), and the same applies to your data. Your data is inherently yours and you should be the one who can decide whether it should be processed (within the boundaries of what you’ve consented to). The same right applies to instances where automated decision-making is implemented at an organization covered by GDPR. If the data subject’s information is used in the auto decision-making process, they have a right to know. The data subject has the right not to be the subject of a decision based solely on automated processing unless other criteria are met. Let’s unpack Articles 21 and 22 a little more below.

Article 21 – Right to Object

  1. The data subject shall have the right to object, on grounds related to their situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) in Article 6. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject for the establishment, exercise, or defence of legal claims.
  2. Where personal data are used in the direct marketing process, the data subject has the right to object at any time.
  3. Where the data subject objects to processing of their data for direct marketing purposes, the personal data shall no longer be processed.
  4. The rights referred to in paragraphs 1 and 2 shall be explicitly brought to the data subject clearly and separately from any other information during the first communication with the data subject.
  5. The subject shall exercise his or her right to object by automated means using technical specifications and within the context of information society services and notwithstanding Directive 2002/58/EC.
  6. Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object to processing of personal data concerning him or her, unless the processing is carried out for reasons of public interest.

Article 22 – Automated Individual Decision-Making Including Profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning him or her or similarly significant aspects of him or her.
  2. The first paragraph shall not apply if:
    1. The decision is necessary for entering into a contract between a data controller and a data subject.
    2. The decision is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.
    3. The decision is based on the data subject’s explicit consent.
  3. In cases referred to in points (a) and (c) in paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests (including the right to obtain human intervention and express his or her point of view).
  4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9, unless points (a) or (g) apply from that article and suitable safeguards are in place.

Automated decision-making will become more relevant as we continue to progress through the years.

How does this apply to me and you?

Both articles reveal what we, the data subjects, can do regarding our right to be informed and object to processing. Any time a company plans to use your data, it must inform you of the purpose of the processing and for how long it will be done. Once we know what is being done with our data, we can decide if we want to object to that processing or not. This freedom extends to our knowledge of whether our data is used in an automated decision-making process. The decision-making process, of course, must be a decision made about us and produce legal effects, or in other words, decisions regarding whether we’re lawbreakers or not, unless there is explicit consent for this process from the data subject. This, however, would be appropriate if we, the data subjects, provide explicit consent that we’re ok with the automated decision-making or it’s done in the interest of public safety.

So in short, we have the right to object to the processing of our data and we may also be exempt from automated decision-making that would legally affect us.

RED RAYMONDTON

I thought the examples with Harvey and Ross were getting old, so I decided to think of a new one…

Imagine The Berlin Company (BC) has decided to collect the data of several individuals who operate in the professional services industry. Each individual has their own private practice domiciled in the Union and the BC is subject to GDPR. One individual, named Red Raymondton, is aware of the agreement with the BC and provided appropriate consent to the processing. The collection process includes demographic data about each company, financial information, and any litigation against the company, ongoing and completed. The purpose of the processing is to help the BC identify trends between types of services, litigation, and effects on financial performance, or “market research” in other words. Red knows that at any point, he can submit his objection to the processing. The purpose wasn’t related to historical research, public interest, or scientific research, so he can opt out if he chooses.

If the BC were using this research process to make automated decisions about each individual for legal purposes, this would go against what Article 22 dictates unless Red decided to explicitly consent to the automated decision-making process. It’s all about the data subject’s consent and the controller’s transparency for an agreement to be valid.

And in all cases, suitable safeguards should always be in place to protect the data subject’s rights and freedoms, as well as their security, confidentiality, integrity, and privacy.

In the next GDPR letter, we’ll look at the last right of a data subject in the early articles… Restrictions of data subject rights.


These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.