GDPR has been one of the haunting acronyms of 2018. Striking fear into the hearts of marketers with mailing lists, and pleasing normal people to no end when they stopped getting emails from that shoe shop they used that one time.
But spare a thought for poor Santa. Who has been operating in the same manner for hundreds of years. Is he in violation of GDPR? I for one, would argue he is not. And (unlike at work’s Christmas night out) – I’m going to explain why.
GDPR is built on six components, of which, only one need apply when processing personal data.
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
So, based on those six components – does Santa have any rights to collect our information?
The six building blocks of GDPR
Consent
You have to tell the person/organisation (Santa in this case) that its OK for them to have your data.
Now, seeing as we are of course all writing letters to Santa, I feel this counts as us consenting. There’s nothing forcing us to write the letters and its clear what the letters are for.
Contact
Basically, if Santa needs to use certain bits of information to fulfil a contract they have with you.
I feel, that our letter writing forms a contract with Santa. We request presents based on us meeting certain criteria (naughty or nice).
Legal obligation
If Santa has a legal obligation to perform their duties. Doesn’t really apply to Santa. This l
Vital int erests
Again, doesn’t quite apply to Santa because it’s not life or death if the presents get delivered (unless there’s an under 8-year-old in your house).
Public task
Starting to sound a little more like Santa! The ICO states “processing is necessary for you to perform a task in the public interest”. Now, I believe that by Santa spreading cheer and making people happy by leaving presents that their task is in the public interest. Big tick for Santa!
Legitimate interests
Bit of a catch-all this one I feel.
“The processing is necessary for your legitimate interests”. So basically, Santa needs to be able to prove that they need your personal data. Many businesses have used this as a reason to keep holding onto people’s personal data so I don’t see why Santa can’t too.
Santa is of course collecting data for the naughty or nice list.
Sounds good… too good
Not enough for you eh? You must love GDPR.
There’s an awful lot of supporting evidence that Santa isn’t in violation of GDPR. In fact, it’s pretty transparent that Santa is collecting your information and is keeping them up to date. And, is putting in the effort to ensure they’re accurate (which is more than a lot of companies can say).
You better watch out
You better not cry
Better not pout
I’m telling you why
Santa Claus is coming to town
Direct from Santa HQ – North Pole
So it is clear, Santa is operating in your area.
He’s making a list
Checking it twice
Gonna find out who’s naughty or nice
Santa Claus is coming to town
Direct from Santa HQ – North Pole
You have been informed that he is creating a list of people who are naughty or nice. And that effort is being made to ensure its accuracy. As Christmas does come but once a year, you are also assured that it will be updated each year.
What about the EU representative?
You are correct! GDPR requires Santa to have an EU based representative for people to be able to contact. Thankfully, Santa has reps in just about every shopping and garden centre in the country so they’re covered on that front.
Hmm… Ok then
I hereby declare that Santa is not in violation of GDPR and so can continue operating as they have done before.
