The General Data Protection Regulation grants individuals a wide range of rights to control how their personal data is used, shared, and processed. One of the most powerful rights under the GDPR is the right to object, outlined in Article 21. Unlike other rights that apply only in certain circumstances, the right to object can stop specific types of processing instantly—especially when the processing is based on legitimate interests, public interest tasks, profiling, or direct marketing.
Understanding Article 21 is essential for both organizations and individuals. For businesses, non-compliance can result in complaints, reputational damage, and regulatory penalties. For individuals, this article empowers them to stop unwanted data use with a single written request.
What GDPR Article 21 Covers
GDPR Article 21 is divided into several paragraphs, each addressing a different type of processing and the rights individuals have to object. The article can be summarized into three key areas:
1. Right to Object to Processing Based on Legitimate Interests or Public Interest Tasks
If an organization processes personal data on the basis of:
- legitimate interests, or
- performance of a task carried out in the public interest,
the individual has the right to object at any time. After the objection, the organization must stop processing the data unless it can demonstrate compelling legitimate grounds that override the individual’s rights, or unless the processing is needed to establish, exercise, or defend legal claims.
2. Absolute Right to Object to Direct Marketing
When personal data is used for direct marketing purposes, including profiling linked to direct marketing, the individual has an absolute, unconditional right to object.
Once the objection is received, the organization must stop all direct marketing activities immediately, with no balancing test allowed.
3. Right to Object to Processing for Scientific, Historical, or Statistical Research
Individuals may also object to processing for research or statistical purposes unless the processing is necessary for tasks carried out in the public interest.
4. Obligation for Controllers to Inform Individuals of Their Right to Object
Organizations must clearly and separately inform individuals, at the time of first communication, that they have a right to object.
This notice must be:
- clear,
- easily understandable,
- and distinct from other information.
When Article 21 Applies
Article 21 does not allow individuals to object to all forms of processing. Instead, it applies only when certain legal bases or purposes are involved.
Situations Where It Applies
- The data is processed under legitimate interests.
- The data is processed for public interest tasks.
- The data is used for direct marketing or profiling.
- The data is used for non-essential research or statistical analysis.
Situations Where It Does Not Apply
The right to object does not apply when the processing is:
- required by law,
- necessary to fulfill a contract,
- based on consent (though consent can be withdrawn),
- needed to protect someone’s vital interests.
Because of these limitations, organizations must carefully assess their legal basis for processing and prepare a process to respond to objections.
How Individuals Can Exercise the Right to Object
A request to object does not require a specific form. It can be made:
- verbally,
- in writing,
- through email,
- or through any method the controller makes available.
Organizations must:
- respond without undue delay, typically within one month,
- and either stop the processing or explain why it cannot be stopped in cases where a balancing test applies.
If the controller rejects the objection, the individual has the right to complain to a supervisory authority.
5 Examples of GDPR Article 21 in Practice
To illustrate how Article 21 works in real-world scenarios, the following five examples cover different industries and processing purposes.
Example 1: Objecting to Processing Based on Legitimate Interests (Retail Company)
A large retail company collects personal data such as purchasing history, location information, and browsing behavior to recommend products using a legitimate interest basis. A customer notices that the company constantly uses their past purchases to show personalized suggestions that feel intrusive.
The customer sends an email indicating that they object to the processing of their personal data for personalized recommendations.
Under Article 21, the company must stop all personalized recommendation processing unless it can demonstrate compelling reasons that override the customer’s interests. In this case, personalized suggestions are not necessary for legal compliance or the fulfillment of a contract. Therefore, the company must stop processing this customer’s data for this purpose.
It may still process the data for other purposes, such as fulfilling orders, preventing fraud, or maintaining financial records, but all legitimate-interest-based personalization must cease.
Example 2: Objecting to Direct Marketing (Absolute Right)
A telecommunications company uses customer data to send promotional offers by email and SMS. A customer receives frequent commercial messages and objects in writing to the use of their data for direct marketing.
In this situation, the organization must immediately stop:
- all direct marketing to this person,
- all profiling done for direct marketing purposes,
- sending any future promotional emails or SMS messages.
Article 21 provides an unconditional right: the company cannot weigh its business needs against the individual’s objection. It must comply immediately and confirm to the customer that marketing communication has been disabled.
Additionally, the company should maintain a suppression list to ensure it does not contact the individual again by mistake.
Example 3: Objecting to Profiling Based on Legitimate Interests (Insurance Company)
An insurance company uses automated profiling to assess the likelihood that a customer will renew their contract. This profiling uses browsing behavior on the insurer’s website, demographic details, and historical purchase data. The insurer justifies this with “legitimate interests.”
A customer believes this type of profiling is intrusive and objects to it under Article 21.
The insurer must stop the profiling unless it demonstrates compelling legitimate grounds that are stronger than the person’s privacy rights.
Since renewal-likelihood profiling is primarily for internal business optimization and not essential for legal compliance, the insurance company is unlikely to pass the balancing test.
Therefore, the insurer must stop profiling this customer. It may still process their data for:
- issuing the policy,
- fulfilling contractual obligations,
- regulatory reporting.
However, profiling linked to renewal strategies must cease.
Example 4: Objecting to Data Processing in Scientific or Statistical Research (University Research Project)
A university conducts a long-term study that collects data on local residents’ mobility patterns using mobile phone location data from volunteers. One of the volunteers later becomes uncomfortable with how much movement detail the study reveals about their weekly routines. They decide to object to the processing of their data.
Under Article 21, the research team must evaluate whether the processing is truly necessary for a task carried out in the public interest.
If the study is purely academic and not mandated by law, the university must stop processing the volunteer’s data unless it can show that the data is essential, unique, and irreplaceable for the study’s societal purpose.
Most research projects allow participants to opt out. Therefore, in this example, the university would need to stop using the volunteer’s data going forward.
Example 5: Objecting to Processing for Workplace Monitoring (Employer Using Legitimate Interests)
An employer installs software that tracks employees' computer activity, including login times, application usage, and browsing behavior. The employer justifies the tracking under legitimate interests for productivity and security monitoring.
An employee objects to this processing because it feels excessive and invasive.
Under Article 21, the employer must consider whether it has compelling legitimate grounds for such detailed monitoring. Productivity tracking is generally not strong enough to override an employee’s privacy rights, especially when less intrusive options exist.
Therefore, the employer must reduce or stop the monitoring for that specific employee unless it can prove:
- the monitoring is necessary for security or compliance,
- and cannot be reasonably achieved by other means.
If the monitoring is essential for cybersecurity, the employer may justify retaining minimal tracking but must stop all non-essential behavioral analysis.
Common Mistakes Organizations Make Regarding Article 21
Organizations often misunderstand or misapply Article 21. The most common errors include:
Failing to Inform Individuals of the Right to Object
Article 21 requires clear, separate notification. Burying the information in long privacy policies is not acceptable.
Treating Direct Marketing Objections Like Regular Requests
Direct marketing objections require immediate cessation, without balancing interests.
Relying on Legitimate Interests Without Conducting a Proper Balancing Test
A legitimate interest assessment is essential and must be documented.
Misinterpreting Profiling Rules
Profiling used for marketing or business optimization is subject to objection unless the organization can demonstrate a compelling need.
Delaying Responses
The one-month response deadline must be respected even when objections are complicated.
Why Article 21 Matters
For individuals, Article 21 is a powerful tool for reclaiming control over personal data uses that feel invasive, unnecessary, or excessive. It helps protect privacy in a world of increasingly automated and behavioral data processing.
For organizations, understanding Article 21 is critical for GDPR compliance. A well-designed objection-handling process reduces regulatory risk, builds trust, and demonstrates respect for user autonomy. Transparent communication, clear legal bases, and careful assessments help organizations manage objections effectively and lawfully.
Conclusion
GDPR Article 21 grants individuals the right to object to processing based on legitimate interests, public interest tasks, profiling, and—most importantly—direct marketing. While some objections require a balancing test, direct marketing objections must be honored immediately.
By understanding how Article 21 works and applying it correctly, organizations can build trust, reduce compliance risks, and ensure that personal data is handled responsibly. The five examples above illustrate how the right to object applies across different sectors and scenarios, helping both individuals and businesses navigate this crucial aspect of GDPR.