Article 21 of the GDPR entitles data subjects to the 'right to object':
"The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her..."
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task.
- direct marketing.
- processing for purposes of scientific/historical research and statistics.
The 'right to object' requires you as a data controller to allow your subjects the ability to prevent further processing. If you are relying on 'processing based on legitimate interests' as your lawful basis for processing information, this right gives individuals a way to block any additional processing, especially when relating to marketing communications. What this right boils down to is allowing students to manage their consent preferences and allowing them to opt out of data processing activities.
Main Things to Know
- You must stop processing personal data for direct marketing purposes as soon as you receive an objection. There are no exemptions or grounds to refuse.
- You must deal with an objection to processing for direct marketing without undue delay and free of charge.
- You must inform individuals of their right to object. This information must be presented clearly and separately from any other information.
What you could do to be compliant:
The process of managing this can differ depending on how you manage consent and how you trigger the messages to your audience. Below you can see a possible approach to managing this. This approach assumes that you are using a contact field to store consent options.
1. Create a form that will manage the objection requests. See an example of such a form here (please manually copy the link and paste into the address bar): https://app-eu.geckoform.com/public/#/modern/FOEU02b4xOduYCay?field1489=Email%7CPost%7CSMS&full_name=Adrian%7CBinzaru&email_address=adrian%40geckoengage.com
2. You must include a link to this form at the bottom of your emails or in other types of comms that would permit this. When you include the link to the form, make sure you pre-fill the fields on the form with the name, email and the current consent options. If you are not familiar with the pre-populating functionality please read this article and watch this video. In the example form, we have hidden the name and email fields in order to prevent the student updating their details and creating a duplicate contact record instead of amending their communication preferences on the existing contact.
3. You may also wish to add a workflow that will inform the student of the changes applied.
Objection handling with Gecko Protect:
The new Gecko Protect add-on offers a dedicated feature for managing consent within a dedicated Contact Portal. With Gecko Protect, you can generate a unique and secure URL within your outbound communications that will direct students to their Contact Portal. Students are able to confirm their identity via email or SMS and edit consent preferences via the portal. Here's an example of what the contact portal page will look like for a student:
Gecko Protect users can create and manage consent fields within settings:
Any changes made by students are logged in a dedicated area in settings:
When creating templates or campaigns in Gecko, you will be able to specify which consent fields should be checked:
Lastly, the form builder will support a brand new dedicated field to manage advanced consent options:
Any questions? Feel free to start a live chat with a member of our support team or explore the rest of our academy at your leisure.