Is Santa in violation of GDPR?

11th December 2018

GDPR has been one of the haunting acronyms of 2018. Striking fear into the hearts of marketers with mailing lists, and pleasing normal people to no end when they stopped getting emails from that shoe shop they used that one time.

But spare a thought for poor Santa. Who has been operating in the same manner for hundreds of years. Is he in violation of GDPR? I for one, would argue he is not. And (unlike at work’s Christmas night out) – I’m going to explain why.

GDPR is built on six components, of which, only one need apply when processing personal data.

  1. Consent
  2. Contract
  3. Legal obligation
  4. Vital interests
  5. Public task
  6. Legitimate interests

So, based on those six components – does Santa have any rights to collect our information?

The six building blocks of GDPR


You have to tell the person/organisation (Santa in this case) that its OK for them to have your data.
Now, seeing as we are of course all writing letters to Santa, I feel this counts as us consenting. There’s nothing forcing us to write the letters and its clear what the letters are for.


Basically, if Santa needs to use certain bits of information to fulfil a contract they have with you.
I feel, that our letter writing forms a contract with Santa. We request presents based on us meeting certain criteria (naughty or nice).

Legal obligation

If Santa has a legal obligation to perform their duties. Doesn’t really apply to Santa. This legal obligation doesn’t include contractual obligations either so Santa’s out of luck there.

Vital interests

Again, doesn’t quite apply to Santa because it’s not life or death if the presents get delivered (unless there’s an under 8-year-old in your house).

Public task

Starting to sound a little more like Santa! The ICO states “processing is necessary for you to perform a task in the public interest”. Now, I believe that by Santa spreading cheer and making people happy by leaving presents that their task is in the public interest. Big tick for Santa!

Legitimate interests

Bit of a catch-all this one I feel. 
“The processing is necessary for your legitimate interests”. So basically, Santa needs to be able to prove that they need your personal data. Many businesses have used this as a reason to keep holding onto people’s personal data so I don’t see why Santa can’t too.
Santa is of course collecting data for the naughty or nice list.

Sounds good… too good

Not enough for you eh? You must love GDPR.

There’s an awful lot of supporting evidence that Santa isn’t in violation of GDPR. In fact, it’s pretty transparent that Santa is collecting your information and is keeping them up to date. And, is putting in the effort to ensure they’re accurate (which is more than a lot of companies can say).

You better watch out

You better not cry

Better not pout 

I’m telling you why

Santa Claus is coming to town

Direct from Santa HQ – North Pole

So it is clear, Santa is operating in your area.

He’s making a list

Checking it twice

Gonna find out who’s naughty or nice

Santa Claus is coming to town

Direct from Santa HQ – North Pole

You have been informed that he is creating a list of people who are naughty or nice. And that effort is being made to ensure its accuracy. As Christmas does come but once a year, you are also assured that it will be updated each year.

What about the EU representative?

You are correct! GDPR requires Santa to have an EU based representative for people to be able to contact. Thankfully, Santa has reps in just about every shopping and garden centre in the country so they’re covered on that front.

Hmm… Ok then

I hereby declare that Santa is not in violation of GDPR and so can continue operating as they have done before.

Santa's GDPR checklist.

Consent - tick
Contract - tick
legal obligation - cross
vital interests - cross
public task - tick 
legitimate interests - tick
Merry Christmas