Article 21 of the GDPR allows an individual to object to processing personal information for marketing or non-service related purposes.[24] This means the data controller must allow an individual the right to stop or prevent controller from processing their personal data.
There are some instances where this objection does not apply. For example, if:
1. Legal or official authority is being carried out
2. "Legitimate interest", where the organisation needs to process data in order to provide the data subject with a service they signed up for
3. A task being carried out for public interest.
2 is the key here. Make an entire ML model that generates a website layout based on the request, claim its core business logic, oh and btw, it just happens to load advertisements from companies based on this contextual data, but that contextual data has nothing to do with the user. Look, we don't store any advertising cookies or session data, don't request any either, and here is our model. Investigate it as much as you want, and we don't have the training data anymore because we delete that.
There are some instances where this objection does not apply. For example, if:
1. Legal or official authority is being carried out 2. "Legitimate interest", where the organisation needs to process data in order to provide the data subject with a service they signed up for 3. A task being carried out for public interest.
2 is the key here. Make an entire ML model that generates a website layout based on the request, claim its core business logic, oh and btw, it just happens to load advertisements from companies based on this contextual data, but that contextual data has nothing to do with the user. Look, we don't store any advertising cookies or session data, don't request any either, and here is our model. Investigate it as much as you want, and we don't have the training data anymore because we delete that.