The fifth blogpost in our series on GDPR rights is about the objection right. See here for the first blogpost on your right to be informed, the second on the access right, the third on the correction right, and the fourth on the deletion right.
There is already a right to object in current UK data protection law (the right to prevent processing), but it is set out a little differently to the GDPR right. In both current law and GDPR there are two aspects to this right:
- The right to object to direct marketing.
- The right to object to other processing of your information.
Objecting to marketing
The right to object to marketing is a straightforward right that always applies. This means you can say ‘no thanks’ at any time to stop getting marketing from an organisation. All e-mail marketing should have an unsubscribe link in it (or other method to say no thanks). Organisations should tell you how and make it easy to stop getting marketing. GDPR adds to your right by including any profiling that has been carried out in relation to sending you marketing.
Objecting to other processing
The right to object to other processing is more complicated and only applies in certain circumstances. Under current UK data protection law, you can prevent processing of your personal information if that processing is causing, or could cause, you substantial and unwarranted damage or distress. However, this right doesn’t apply if you gave your consent to the processing, if it’s necessary to deliver the product / service, if it’s a legal obligation or if it’s in your vital interests (life or death scenarios).
Under GDPR, there are similar restrictions on when the right applies, but there is no threshold of damage or distress. So you can object to processing where the lawful basis is ‘legitimate interests’ or ‘public interest’ or where the processing is for scientific / historical research purposes. (However, for research, the right doesn’t apply if the research necessary for a task that is being carried out for reasons of public interest.)
When does the right not apply?
An organisation does not have to stop processing your personal information if:
- they can demonstrate compelling legitimate grounds for the processing, which overrides your objection; or
- the processing is to establish, exercise or defend legal claims.
- You have objected to the organisation collecting/using your information and there are no overriding legitimate grounds for them to keep it.
The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions that mean that an organisation may not have to comply with your request in certain circumstances.
The organisation also has to be able to verify your identity before taking action as a result of your request.
Fees and timescales
Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request.
Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.
What is Yoti doing?
For marketing: Yoti only has your e-mail addresses for marketing purposes if you gave it to us because you wanted to hear from us. If you want to unsubscribe from e-mail marketing, use the unsubscribe link in the e-mail.
For other processing: most of the personal information processing we do in relation to our app, products and services is necessary to deliver the app, products and services. For biometric data processing as part of the app’s security, we ask for your consent, which you can withdraw in settings at any time. Therefore, for app users, the only processing we do on the basis of ‘legitimate interests’ and so that this right applies to, is our metrics to understand how our app is being used. We de-identify and aggregate that data so we have no way to connect it to an actual user.
What other obligations do organisations have?
As part of our other products and services (Dashboard, if you visit our office) we may have contact details from you as part of setting up accounts or signing in. The right to object applies to this information but we have justifiable business reasons for keeping it.
You can contact our Data Protection Officer on firstname.lastname@example.org.