Right to Object
Plain English Translation
Data subjects have the right to object to the processing of their personal data and must be notified and given the opportunity to object whenever the declared purpose or scope of processing changes. No decision with significant legal effects on a data subject may be made based solely on automated processing unless explicit consent has been obtained. Organizations must have a mechanism for receiving, logging, and acting on objections.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Include functional 'unsubscribe' links in all marketing emails that automatically update a suppression list.
- Provide a dedicated privacy email address for users to submit objections to data processing.
Required Actions (scaleup)
- Implement a digital preference center where users can granularly toggle permissions for marketing, profiling, and analytics.
- Centralize a suppression list that syncs across all marketing automation tools and customer relationship management (CRM) systems.
Required Actions (enterprise)
- Integrate Consent Management Platforms (CMP) deeply with Identity and Access Management (IAM) to enforce processing objections at the database querying level.
- Automate the suspension of algorithmic profiling and decision-making pipelines for users who have flagged an automated processing objection.
The right to object allows a data subject to halt or prevent the processing of their personal data, especially concerning direct marketing, profiling, or when there are changes to the original processing terms.
A data subject can object at any time, particularly when data is being used for direct marketing, automated processing, or when the organization amends the initially declared processing purposes.
Organizations must immediately honor the objection and cease processing the individual's personal data for direct marketing campaigns, updating suppression lists without requiring further justification.
Yes, data subjects have the right to object to decisions made solely on automated processing or profiling that produce legal effects or significantly affect them, unless prior consent was explicitly given.
The privacy notice must explicitly inform the data subject of the existence of their right to object and provide clear, simple instructions on how to exercise this right.
Yes, but only if an exemption applies, such as if the processing is required pursuant to a subpoena, is necessary for the performance of a contract, or is a strict legal obligation.
They maintain a centralized Data Subject Request Log that tracks the receipt of the objection, the identity verification process, the evaluation outcome, and the technical steps taken to halt processing. WatchDog Security's Compliance Center can support this by linking objection tickets, evidence records, responsible owners, and control status in one compliance workflow.
Withdrawing consent specifically revokes permission previously granted for processing, while the right to object can also apply to processing based on legitimate interests or automated profiling.
The NPC expects organizations to provide simple, easily accessible mechanisms for objections and to act upon them promptly without imposing undue burdens or fees on the data subject.
Organizations build compliant workflows by implementing preference centers, training support staff on Data Privacy Act rights, and tightly integrating consent management tools with backend databases.
Right to object requests often fail when they are handled informally across email, support tickets, and marketing tools. WatchDog Security's Compliance Center can help centralize request logs, assign review tasks, track evidence of suppression, and show whether the organization has a repeatable process for RA 10173 data subject rights.
Privacy notices need to clearly explain when individuals can object to processing, direct marketing, or automated decision-making. WatchDog Security's Policy Management can help maintain approved privacy notice versions, route updates for review, and retain evidence that policy changes were controlled.
"The data subject shall be notified and given an opportunity to object or withhold consent to processing in case of changes or any amendment to the information supplied or declared to the data subject... unless the change refers to processing of personal data in the following cases: 1. The personal data is needed pursuant to a subpoena; 2. When the collection and processing are for obvious purposes... 3. When the information is being collected and processed as a result of a legal obligation."
"No decision with legal effects concerning the data subject shall be made solely on the basis of automated processing, unless data subject consents."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Team | Initial publication |

