§ GDPR · Article 21

GDPR Article 21: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 21 · All obligations · GDPR
At a glance
Article 21 of the GDPR imposes 5 obligations on controller. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 21

Obligation 1
The controller shall no longer process personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Regulation (EU) 2016/679, Article 21, Article 21
Obligated entity
controller
Action required
cease processing
Deadline
Penalty
Exemptions
compelling legitimate grounds overriding data subject interests or legal claims
Obligation 2
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. Regulation (EU) 2016/679, Article 21, Article 21
Obligated entity
controller
Action required
cease processing
Deadline
Penalty
Obligation 3
At the latest at the time of the first communication with the data subject, the right to object shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information. Regulation (EU) 2016/679, Article 21, Article 21
Obligated entity
controller
Action required
inform
Deadline
at the latest at the time of the first communication
Penalty
Obligation 4
In the context of the use of information society services, the data subject may exercise his or her right to object by automated means using technical specifications. Regulation (EU) 2016/679, Article 21, Article 21
Obligated entity
controller
Sector scope
information society services
Action required
enable automated objection
Deadline
Penalty
Obligation 5
The data subject shall have the right to object to processing of personal data concerning him or her for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest. Regulation (EU) 2016/679, Article 21, Article 21
Obligated entity
controller
Sector scope
scientific or historical research purposes or statistical purposes
Action required
cease processing
Deadline
Penalty
Exemptions
processing necessary for the performance of a task carried out for reasons of public interest
§ Frequently asked

Questions about Article 21

Who must comply with Article 21 of the GDPR? +
controller.
What does Article 21 of the GDPR require? +
cease processing inform enable automated objection
What is the compliance deadline for GDPR Article 21? +
at the latest at the time of the first communication
Need a cross-border briefing on GDPR Article 21?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles