## What does control A.1.3.6 require?
The organisation shall provide a mechanism for PII principals to object to the processing of their PII.
This control sits within the Obligations to PII principals objective (A.1.3). The right to object is distinct from consent withdrawal (covered in A.1.3.5 Modify or Withdraw Consent). Consent withdrawal applies only where consent is the lawful basis. The right to object applies more broadly, including where processing is based on legitimate interests or the performance of a task in the public interest.
## What does the implementation guidance say?
Annex B (section B.1.3.6) provides guidance on implementing an effective objection mechanism:
- Proactive notification — The right to object should be brought to the PII principal’s attention at the time of first communication, not buried in general privacy information
- Clear presentation — The right must be presented clearly and separately from other information, so it is not overlooked
- Direct marketing — Where the objection relates to direct marketing, it should always be honoured without exception. There is no balancing test for direct marketing objections
- Other processing — For objections to processing based on legitimate interests or public interest, the organisation may continue processing only if it can demonstrate compelling legitimate grounds that override the interests of the PII principal
- Assessment process — Organisations should have a documented process for assessing objections, including who makes the decision and what factors are considered
- See also A.1.3.3: Determining Information for PII Principals for related requirements
- See also A.1.3.7: Access, Correction or Erasure for related requirements
## How does this map to GDPR?
Control A.1.3.6 maps extensively to GDPR Article 21:
- Article 21(1) — Right to object to processing based on public interest or legitimate interests, including profiling based on those grounds
- Article 21(2) — Right to object to processing for direct marketing purposes
- Article 21(3) — Obligation to cease processing upon objection to direct marketing
- Article 21(4) — The right to object must be explicitly brought to attention and presented clearly and separately
- Article 21(5) — In the context of information society services, objection may be exercised by automated means
- Article 21(6) — Right to object to processing for scientific, historical research or statistical purposes
- Article 13(2)(b) and 14(2)(c) — The right to object must be communicated as part of transparency information
## How does this relate to ISO 29100 privacy principles?
This control supports the Consent and choice principle from ISO 29100. While the right to object goes beyond consent in the strict legal sense, it is fundamentally about ensuring PII principals retain meaningful choice over how their data is used. The principle recognises that individuals should have ongoing agency, not just at the point of initial collection.
## What evidence do auditors expect?
When assessing compliance with A.1.3.6, auditors will typically look for:
- Objection mechanism — A documented, accessible mechanism for PII principals to lodge objections (online form, email address, or in-app option)
- Proactive communication — Evidence that the right to object is communicated at the point of first communication, presented clearly and separately
- Direct marketing procedures — Specific procedures for handling direct marketing objections, with evidence of immediate compliance
- Assessment framework — A documented process for evaluating objections to processing based on legitimate interests, including the balancing test criteria
- Decision records — Records of objection decisions, including the reasoning where an objection was not upheld
- Staff training — Evidence that staff handling objections understand the different rules for direct marketing vs other processing
## What are the related controls?
| Control | Relationship |
|---|---|
| A.1.3.5 Modify or withdraw consent | Related but distinct: consent withdrawal applies to consent-based processing; objection applies to legitimate interests and public interest |
| A.1.3.4 Providing information to PII principals | The right to object must be prominently communicated as part of the information provided |
| A.1.3.10 Handling requests | Objections are a category of PII principal request that must be handled per documented procedures |
| A.1.2.3 Identify lawful basis | The lawful basis determines whether the objection triggers an absolute right (direct marketing) or a balancing test |
| A.1.3.8 Obligations to inform third parties | If an objection is upheld, third parties who received the PII must be notified |
| A.1.3.2 Obligations to PII principals | The right to object is one of the obligations to be identified and documented |
## What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was part of Clause 7.3.5 (Providing mechanism to object to PII processing). The 2025 edition retains the core requirement under A.1.3.6 with guidance in B.1.3.6. The emphasis on presenting the right clearly and separately from other information, and the absolute nature of direct marketing objections, remain the defining features of this control. See the Annex F correspondence table for the full mapping.
## Why choose ISMS.online for managing processing objections?
ISMS.online gives you the tools to handle processing objections systematically and compliantly:
- Objection intake portal — Provide PII principals with a dedicated, easy-to-find mechanism for lodging objections, separate from general enquiries
- Automated routing — Direct marketing objections are flagged for immediate action, while legitimate interest objections are routed to the appropriate decision-maker
- Balancing test framework — Structured templates for conducting and documenting the legitimate interests balancing test when assessing non-marketing objections
- Decision audit trail — Record every objection, the assessment process and the outcome, with timestamps and responsible parties for complete accountability
- Third-party notification triggers — When an objection is upheld, automatically flag the need to notify third parties who received the PII, linking to your A.1.3.8 Inform Third Parties procedures
## FAQs
### What is the difference between objecting and withdrawing consent?
Consent withdrawal (A.1.3.5 Modify or Withdraw Consent) applies only where consent is the lawful basis for processing. The right to object (A.1.3.6) applies where processing is based on legitimate interests or public interest. For direct marketing, the right to object is absolute regardless of lawful basis. In practice, organisations need both mechanisms: a consent withdrawal process for consent-based processing and an objection process for other lawful bases.
### Can you ever refuse an objection?
For direct marketing, no. An objection to direct marketing processing must always be honoured without exception. For processing based on legitimate interests or public interest, you can continue processing if you can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the PII principal, or if the processing is necessary for the establishment, exercise or defence of legal claims. The burden of proof is on the organisation, and the decision must be documented.
### How should the right to object be communicated “separately”?
The guidance and GDPR Article 21(4) require that the right to object is explicitly brought to the PII principal’s attention and presented clearly and separately from any other information. In practice, this means it should not be buried in the middle of a lengthy privacy notice. It should have its own heading, its own section, or its own communication. At the point of first contact, it should be stated directly rather than referenced through a link to general terms.