Shoosmiths LLP
  November 29, 2023 - Milton Keynes, England

Santa Claus is coming to town, but is he GDPR compliant?
  by Shoosmiths LLP

'He’s making a list, he’s checking it twice, he’s gonna find out who’s naughty or nice’...but is Santa doing so in compliance with the GDPR?

As the first Christmas trees and advent calendars go up in stores and homes across the UK, our thoughts may turn towards the joys – and pressures – of the festive season. But a look at some of the activities of one of its most famous icons may help anyone who deals with personal data to understand some data protection basics.

So, is Santa subject to the main data protection law in the UK and Europe, the General Data Protection Regulation (GDPR)? And if so, what would good data protection compliance look like?  

We know that Santa collects personal data such as names, addresses, present preferences, and information to determine if someone has been naughty or nice. It’s possible that this information is just in his head, in which case data protection law can’t apply. But we suspect that Santa is either keeping a digital record, or at least a structured filing system (a big book). If so, he’ll have to read on. 

Santa will be a data ‘controller’ over the personal data he collects. This is because he decides ‘the purposes and means’ (the why and how) of personal data processing. He collects personal data directly from individuals and via surveillance operations for the purpose of allocating, making and delivering presents on Christmas Eve without being seen by data subjects. 

Pole position 

Even though Santa is established in the North Pole (and only the North Pole as far as anyone is aware), he offers his goods and services to individuals based in the UK and EEA. Furthermore, as the song goes “he knows when you're awake, he knows if you've been bad or good”, so we would probably conclude that Santa monitors the behaviour of individuals in the UK and EEA. Whilst Santa’s delivery of presents to the world at large arguably may not meet the relevant geographic ‘targeting’ requirements when offering goods and services, he would come squarely under the monitoring limb of the ‘territorial scope’ tests in Article 3(2) GDPR and will have to comply with its provisions resulting from a level of identity-linked behavioural monitoring that the world of Adtech could only dream of! 

Since he’s established as a data controller subject to GDPR, Santa should:

With these measures in place Santa can happily board the sleigh and set off for his annual madcap dash round the world. We wish him, and you, a happy (and GDPR-compliant) Christmas!  




Read full article at: https://www.shoosmiths.com/insights/articles/santa-claus-is-coming-to-town-but-is-he-gdpr-compliant