Artikkel 21
Right to object

Offisielle tekster Retningslinjer
og beslutninger
Vurderinger
EU-regulering
Vurderinger
nasj. regulering
Vis forordningens fortaletekst relatert til art. 21 keyboard_arrow_down Skjul forordningens fortaletekst relatert til art. 21 keyboard_arrow_up

(65) A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

(73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Vis direktivets fortaletekst relatert til art. 21 keyboard_arrow_down Skjul direktivets fortaletekst relatert til art. 21 keyboard_arrow_up

(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;

GDPR

According to Article 21 of the Regulation, the right to object may be exercised on grounds relating to the data subject’s particular situation and for processing based on:

- Article 6 (1), e), i.e., “the processing is necessary to the performance of a task in the public interest or in the exercise of the official authority vested in the controller”;

- Article 6 (1), f), i.e., when the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

It should be noted in extremis that these assumptions included the profiling done on these grounds.

In other words, the right to object, as it was initially provided for in the Directive, can be invoked in both cases of lawfulness of processing covered and not, for example, when the processing is based on the data subject’s consent. While the Directive to the Member States provides at least the application of the right to object in these two cases of processing, the Regulation seems opposed to the extension of the scope of the right to object any further, as provided for in some national laws under the Directive.

This restriction seems to be partially compensated by the possibility to withdraw the consent to processing at any time, which will require the controller to refuse to continue the processing, knowing that the withdrawal of consent does not question the lawfulness of the processing prior to the withdrawal (Art. 7 (3)).

Furthermore, the controller may refuse to implement the right to object of the data subject when establishing the existence of compelling and legitimate grounds justifying the processing, which take priority over the data subject’s interests or rights and freedoms, or for the recognition, exercise or defence of a legal right.

The Regulation also provides that the data subject may object at any time the processing of their personal data for marketing purposes, including profiling done for this purpose (Art. 21 § 2). 

The existence of these rights to object must be brought to the knowledge of the data subject, clearly and separately from any other information, at the time of the first communication with the data subject at the latest. The notification can be made by automated means as part of an offer of the use of an information society service and notwithstanding the Directive 2002/58/EC.

Finally, the controller may refuse to proceed with the right to object of the data subject when the data are processed for historical, statistical or scientific purposes in the meaning of Article 89, if he or she can demonstrate that the processing is necessary for the performance of a task of public interest.

Direktivet

The right to object by the person concerned by a processing of personal data was already provided by Article 14 of the Directive. Such right allowed any person to object to the processing of his or her data, by referring to "compelling legitimate grounds relating to his particular situation", at least when the processing was necessary for the performance of a public controller (Article 7 (e)) or when the processing was based on the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed (Article 7 (f)). In addition, this right allowed anyone to object to the processing of his data for marketing purposes, regardless of the basis for processing.

Utfordringer

According to the Belgian Commission for the Protection of Privacy in its opinion 10/2014 of 5 February 2014, the wording of Article 21 of the second draft Regulation led to the "unacceptable risk of the controllers continuously invoking their legitimate interest in order to object to the right to object exercised by the subject data".

It is doubtlessly true that the ability left to the controller to refuse to comply with the right to object of the data subject entrusting him the task to make a balance between its legitimate interests and those of the data subject will not be easy to exercise. The data subject has however more effective remedies in case of unjustified refusal and the controller is also at risk receiving sanctions from the supervisory authority.

Forordning
1e 2e

Art. 21

1.   The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2.   Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3.   Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4.   At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5.   In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6.   Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

1. forslag close

Art. 19

1.           The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.

2.           Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.

3.           Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned.

2. forslag close

Art. 19

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on points (...) (e) or (f) of Article 6(1), the first sentence of Article 6(4) in conjunction with point (e) of Article 6(1) or the second sentence of Article 6(4).

The controller shall no longer process the personal data (...) unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, (...) rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

1a. (...)

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object (...) at any time to the processing of personal data concerning him or her for such marketing. At the latest at the time of the first communication with the data subject, this right shall be explicitly brought to the attention of the data subject (...) and shall be presented clearly and separately from any other information.

2a. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

2aa. Where personal data are processed for historical, statistical or scientific purposes the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

3. (...)

4. (...)

Direktiv close

Art. 14

Member States shall grant the data subject the right:

(a) at least in the cases referred to in Article 7 (e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;

(b) to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses.

Member States shall take the necessary measures to ensure that data subjects are aware of the existence of the right referred to in the first subparagraph of (b).

Art. 21

Rett til å protestere

  • 1. Den registrerte skal til enhver tid, av grunner knyttet til vedkommendes særlige situasjon, ha rett til å protestere mot behandling av personopplysninger om vedkommende, og som har grunnlag i artikkel 6 nr. 1 bokstav e) eller f), herunder profilering med grunnlag i nevnte bestemmelser. Den behandlingsansvarlige skal ikke lenger behandle personopplysningene, med mindre vedkommende kan påvise at det foreligger tvingende berettigede grunner for behandlingen som går foran den registrertes interesser, rettigheter og friheter, eller for å fastsette, gjøre gjeldende eller forsvare rettskrav.

  • 2. Dersom personopplysninger behandles med henblikk på direkte markedsføring, skal den registrerte til enhver tid ha rett til å protestere mot behandling av personopplysninger som angår vedkommende, til slik markedsføring, herunder profilering i den grad dette er knyttet til direkte markedsføring.

  • 3. Dersom den registrerte protesterer mot behandling med henblikk på direkte markedsføring, skal personopplysningene ikke lenger behandles for slike formål.

  • 4. Senest på tidspunktet for den første kommunikasjonen med den registrerte skal vedkommende uttrykkelig gjøres oppmerksom på rettigheten nevnt i nr. 1 og 2, og informasjon om nevnte rettighet skal framlegges på en klar måte og atskilt fra annen informasjon.

  • 5. I forbindelse med bruk av informasjonssamfunnstjenester og uten hensyn til direktiv 2002/58/EF kan den registrerte utøve sin rett til å protestere ved hjelp av automatiserte midler ved bruk av tekniske spesifikasjoner.

  • 6. Dersom personopplysninger behandles for formål knyttet til vitenskapelig eller historisk forskning eller for statistiske formål i henhold til artikkel 89 nr. 1, har den registrerte, av grunner knyttet til vedkommendes særlige situasjon, rett til å protestere mot behandling av personopplysninger om vedkommende, med mindre behandlingen er nødvendig for å utføre en oppgave i allmennhetens interesse.

Gamle loven close

Til nr. 1: 

Pol. § 21 Informasjonsplikt ved bruk av personprofiler

Når noen henvender seg til eller treffer avgjørelser som retter seg mot den registrerte på grunnlag av personprofiler som er ment å beskrive atferd, preferanser, evner eller behov, f eks som ledd i markedsføringsvirksomhet, skal den behandlingsansvarlige informere den registrerte om

a) hvem som er behandlingsansvarlig,

b) hvilke opplysningstyper som er anvendt, og

c) hvor opplysningene er hentet fra.

Pol. § 22 Rett til informasjon om automatiserte avgjørelser

Hvis en avgjørelse har rettslig eller annen vesentlig betydning for den registrerte og fullt ut er basert på automatisk behandling av personopplysninger, kan den registrerte som avgjørelsen retter seg mot, kreve at den behandlingsansvarlige gjør rede for regelinnholdet i datamaskinprogrammene som ligger til grunn for avgjørelsen.

Til nr. 2 og 3: 

Mfl. § 15 Begrensninger i bruk av visse kommunikasjonsmetoder

I næringsvirksomhet er det forbudt, uten mottakerens forutgående samtykke, å rette markedsføringshenvendelser til fysiske personer ved elektroniske kommunikasjonsmetoder som tillater individuell kommunikasjon, som for eksempel elektronisk post, telefaks eller automatisert oppringningssystem (talemaskin).

Krav om forhåndssamtykke etter første ledd gjelder likevel ikke for markedsføring der den fysiske personen kontaktes muntlig ved telefon.

Krav om forhåndssamtykke etter første ledd gjelder heller ikke markedsføring ved elektronisk post i eksisterende kundeforhold der den næringsdrivende avtaleparten har mottatt kundens elektroniske adresse i forbindelse med salg. Markedsføringen kan bare gjelde den næringsdrivendes egne varer, tjenester eller andre ytelser tilsvarende dem som kundeforholdet bygger på. Når den elektroniske adressen samles inn, og eventuelt ved hver enkelt senere markedsføringshenvendelse, skal kunden enkelt og gebyrfritt gis anledning til å reservere seg mot slike henvendelser.

Med elektronisk post menes i denne bestemmelse enhver henvendelse i form av tekst, tale, lyd eller bilde som sendes via et elektronisk kommunikasjonsnett, og som kan lagres i nettet eller i mottakerens terminalutstyr inntil mottakeren henter den. Herunder omfattes tekst- og multimediemeldinger til mobiltelefon.

Ehandelslovens bestemmelser, herunder § 9 om elektronisk markedsføring, gjelder i tillegg til bestemmelsen her.

Se også mfl. § 12, 13 og 14.  

Til nr. 4:

Pol. § 24 Hvordan informasjonen skal gis

Informasjonen kan kreves skriftlig hos den behandlingsansvarlige eller hos dennes databehandler som nevnt i § 15. Før det gis innsyn i opplysninger om en registrert, kan den behandlingsansvarlige kreve at den registrerte leverer en skriftlig og undertegnet begjæring.

close