In one sentence. GDPR Article 21 grants two distinct rights to object: an absolute right to object to direct marketing (Article 21(2)) — controller must stop immediately and unconditionally — and a qualified right to object to processing based on legitimate interests or public task (Article 21(1)) — controller must stop unless they can demonstrate compelling legitimate grounds that override the data subject’s interests, rights, and freedoms.
Article 21 is the most-exercised data subject right after access. The marketing opt-out is unconditional — there is no “balancing test” to defeat it. The general objection requires the controller to do real work: a documented assessment showing why their interests override.
For related rights, see: right of access (Article 15), right to erasure (Article 17), right to restriction (Article 18). For the legitimate interest framework Article 21 interacts with, see the GDPR legitimate interest guide.
Key takeaways
- Article 21(1): qualified right to object — applies to processing based on legitimate interests (Article 6(1)(f)) or public task (Article 6(1)(e)).
- Article 21(2): absolute right to object to direct marketing — no balancing test.
- Article 21(6): qualified right to object to scientific/historical research processing.
- The controller must inform the data subject of the right at the latest at first communication (Article 21(4)).
- For online services, an automated mechanism (e.g., one-click unsubscribe) must be available (Article 21(5)).
1. Article 21(1) — qualified right to object
Applies to processing based on:
- Legitimate interests (Article 6(1)(f))
- Public task / official authority (Article 6(1)(e))
The data subject can object on grounds relating to their particular situation. The controller must stop processing unless they can demonstrate compelling legitimate grounds that override the data subject’s interests, rights, and freedoms — OR the processing is for legal claims.
This is a balancing test in reverse: the burden of proof shifts to the controller. Where the original lawful basis assessment showed that the controller’s interest was not overridden by the data subject’s rights, here the controller must show that its interest does override them, in light of the specific facts presented by the data subject.
2. Article 21(2) — absolute right to object to marketing
Direct marketing objection is unconditional:
- No balancing test
- No exceptions
- Controller must stop immediately
- Includes profiling related to direct marketing
This is the lex specialis that makes the email “unsubscribe” link mandatory. Failure to honor it is the most-sanctioned Article 21 violation.
What “direct marketing” includes:
- Email marketing
- SMS marketing
- Postal direct mail
- Phone marketing (cold calling)
- In-app push notifications for promotional content
- Behavioral advertising profiling
What it doesn’t include:
- Transactional emails (order confirmation, shipping)
- Service notices (security alerts, account changes)
- Legitimate non-marketing communications
3. Article 21(3-6) — additional provisions
| Paragraph | Provision |
|---|---|
| (3) | Once the data subject has objected to direct marketing, processing for that purpose must stop |
| (4) | Right to object must be explicitly brought to the attention of the data subject at the latest at first communication, presented separately from any other information |
| (5) | In the context of online services (information society services), data subjects may exercise the right via automated means using technical specifications |
| (6) | Right to object to scientific/historical research processing — qualified, may be limited if processing is necessary for a public interest task |
4. The “automated means” requirement (Article 21(5))
For online services, the data subject must be able to object via automated mechanisms. In practice:
- One-click unsubscribe link in every marketing email
- Cookie preference center accessible from footer
- Account-level opt-out toggle for behavioral profiling
Manual processes (email request, postal mail) do not satisfy Article 21(5) for online services.
5. Direct marketing objection in practice
Compliant unsubscribe flow
- User clicks unsubscribe link in any marketing email
- Confirmation: “You have been unsubscribed from [list]” — no second confirmation step required
- Suppression effective within 24 hours
- Suppression respects all marketing channels (not just the one used)
Non-compliant patterns (sanctioned by CNIL)
- Multi-step unsubscribe (3+ clicks)
- Login required to unsubscribe
- “Are you sure?” page that resubmits subscription
- Unsubscribe only from one list while keeping others
- Unsubscribe takes 30 days to take effect
- Re-subscription on next account login
Suppression vs deletion
A suppression list is not deletion — it preserves the email/phone in a “do not contact” list to prevent re-onboarding through other lead sources. Article 21(2) requires both: stop the marketing AND ensure no re-marketing.
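The flow and suppression list described above, as an added example that is not part of the original guide or of any vendor's code: a signed unsubscribe token lets the link work in one click without login, and a single request suppresses every identifier of the subject and blocks re-import from other lead sources. All names (`make_token`, `Suppression`, the secret, the sample contacts) are hypothetical, and the HMAC-signed link is an assumed design choice, not something the guide prescribes.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: server-side key, never sent to clients
MARKETING_PURPOSES = {"marketing", "marketing_profiling"}

def norm(contact: str) -> str:
    """Normalise an identifier so 'Ana@X' and ' ana@x ' match the same entry."""
    return contact.strip().lower()

def _sign(subject_id: str) -> str:
    return hmac.new(SECRET, subject_id.encode(), hashlib.sha256).hexdigest()

def make_token(subject_id: str) -> str:
    """Token embedded in the unsubscribe link; no login and no expiry."""
    return f"{subject_id}.{_sign(subject_id)}"

def verify_token(token: str):
    """Return the subject id if the signature is valid, else None."""
    subject_id, _, sig = token.rpartition(".")
    ok = hmac.compare_digest(sig.encode(), _sign(subject_id).encode())
    return subject_id if subject_id and ok else None

class Suppression:
    def __init__(self, contacts_by_subject):
        self.contacts_by_subject = contacts_by_subject  # subject id -> identifiers
        self.blocked = set()                            # the "do not contact" list

    def unsubscribe(self, token: str) -> bool:
        """One request suppresses every identifier of the subject, on all channels."""
        subject_id = verify_token(token)
        if subject_id is None:
            return False                                # forged or damaged link
        for contact in self.contacts_by_subject.get(subject_id, ()):
            self.blocked.add(norm(contact))
        return True

    def may_send(self, contact: str, purpose: str) -> bool:
        """Marketing is blocked for suppressed contacts; transactional mail is not."""
        return not (purpose in MARKETING_PURPOSES and norm(contact) in self.blocked)

    def import_lead(self, contact: str) -> bool:
        """Reject a lead from another source if it matches a suppressed identifier."""
        return norm(contact) not in self.blocked
```

Every marketing send and every lead import should pass through `may_send` and `import_lead`, so that suppression holds regardless of which tool originates the message.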
6. The general objection workflow (Article 21(1))
- Reception — log timestamp
- Identity verification — proportionate
- Acknowledge — within 5 working days (best practice)
- Suspend processing immediately — pending review
- Conduct re-balancing assessment:
  - Document the data subject’s particular situation
  - Document the controller’s interest
  - Document why the controller’s interest overrides (if it does) — or doesn’t
- Decision — communicated within 30 days (Article 12(3))
- If objection upheld — processing stops permanently for this data subject
- If objection rejected — provide motivated reasons + complaint pathway to CNIL
7. Common Article 21 violations
| Failure | Frequency in CNIL sanctions |
|---|---|
| Unsubscribe link missing or broken | High |
| Multi-step unsubscribe | High |
| Unsubscribe doesn’t suppress across channels | Medium |
| General objection ignored or auto-rejected | Medium |
| No automated mechanism for online services | Medium |
| Right to object not mentioned in privacy notice | Medium |
8. Sanctions
Notable cases:
- TIM SpA (Garante, 2020): €27.8M including failure to honor objections
- Hertz France (CNIL, 2024): €40K — multi-step unsubscribe
- Spartoo (CNIL, 2020): €250K — multiple data subject right failures including objections
- Many SMB sanctions €5K-€50K for broken unsubscribe links
Article 83(5)(b) places Article 21 violations at the top tier — up to €20M or 4% of global turnover.
9. Tooling
Legiscope handles the data subject objection workflow with automatic suppression-list propagation across marketing tools (Mailchimp, Brevo, etc.) and audit trail.
For related deep-dives: right of access GDPR, GDPR Article 18 restriction, GDPR legitimate interest, opt-in opt-out guide.
Conclusion
Article 21’s two regimes are often conflated. Direct marketing objection is unconditional — there’s nothing to assess, just stop. General objection requires real work — a re-balancing assessment specific to the data subject’s situation. Implement the unsubscribe correctly and you eliminate 80% of Article 21 risk.
FAQ
What is the right to object under GDPR Article 21?
Two rights: (1) absolute right to object to direct marketing — controller must stop immediately, no balancing test; (2) qualified right to object to processing based on legitimate interests or public task — controller must stop unless they can demonstrate compelling legitimate grounds that override the data subject’s interests.
Is the unsubscribe link mandatory?
For online direct marketing, yes. Article 21(5) requires automated means to exercise the objection, and the unsubscribe link is the standard implementation. It must be visible in every marketing email and effective within 24 hours.
Can I require login to unsubscribe?
No. The CNIL has sanctioned this pattern. Unsubscribe must be one-click and not require authentication.
What’s the difference between objection and consent withdrawal?
Withdrawal of consent (Article 7(3)) applies when consent was the lawful basis. Objection (Article 21) applies when legitimate interests, public task, or direct marketing was the basis. Both require the controller to stop processing, but the procedural requirements differ slightly.
How fast must I honor a marketing objection?
Effective within 24 hours per the CNIL’s enforcement practice. Article 12(3) gives 30 days for the formal response, but for direct marketing the actual suppression must be near-immediate.