|“He’s making a list, he’s checking it twice, he’s gonna find out who’s naughty and nice, Santa Claus is in breach of the GDPR.”
You may have seen this on social media. It is clearly the most important GDPR issue of the year. Let’s see if it is correct or whether Santa is acting lawfully under the new law.
Santa’s list will contain personal data and he will be processing that data in dealing with the delivery of our presents. The processing is probably taking place in Lapland which is within the EU, but even if it is happening further afield, the processing will still fall within the scope of the GDPR if the data that is being processed is the personal data of EU citizens.
Does he have a lawful basis for the processing?
Some of us will have written letters to Santa about the presents we would like. That may set up a contract and make the processing lawful in the context of fulfilling that contract. And the content of the letter may well constitute the sort of affirmative consent that will make the processing lawful.
In any event, it seems likely that legitimate interest will provide the lawful basis for processing. We all anticipate, even hope, that he will process our personal data for the purpose of bringing our presents. This is, of course, one of his primary, well-known and accepted functions. And there is a pre-existing relationship and a history of such processing in previous years.
He must, of course, comply with the data processing principles – and he does appear to be doing that. He keeps the data current and up to date – he manages to get our presents to us even if we move address. And he stops bringing presents for those who have sadly passed away during the year.
We can conclude that Santa Claus is not acting in breach of the GDPR. We are delighted to be able to bring this news. A very happy Christmas to all our readers.