Children everywhere are devastated this year after discovering Santa Claus is to be investigated by the ICO for being in breach of the GDPR. An anonymous complaint noted Mr Claus has been making a list of children’s names and addresses and ‘checking it twice’. He had also expressed an intention to find out who had been ‘naughty and nice’.
While this suggests Santa is compliant in taking steps to ensure the accuracy of his data, the anonymous complainer was concerned about the level of monitoring he would be undertaking to assess naughty and nice levels.
The use of personal data for monitoring purposes is regulated carefully under data protection laws, and it is notable that Santa has not previously issued privacy notices informing people of the personal data he holds. However, he remains insistent that his practices have been publicly known since at least 1934.
A statement from a North Pole spokeself highlighted that Santa requires information in order to perform his function as a deliverer of gifts, and that in any event the millions of letters he receives from children every year amount to a contract which he must fulfil and makes processing of their data necessary. It now appears many children are indicating their data must be processed as Santa’s ability to deliver presents is “in their vital interests”.
Questions also arise over the storage and security of the data of billions of children. While Santa’s methods are shrouded in secrecy, frequent depictions of a lengthy paper list in the insecure environment of his sleigh have given the ICO cause for concern.
The investigation is expected to take some time, and the outcome remains to be seen.
Concerned that the GDPR will ruin your Christmas? It appears that a number of people have Christmas related concerns about the impact of GDPR. Can you film your child’s nativity play? Do you need consent to send Christmas cards? The ICO has published a myth-busting blog with answers to these questions and more – read it here.