3rd December, 2019


Many argue that Santa Claus is in contravention of Article 4 of the General Data Protection Regulation (EU) 2016/679 when it is said that he’s making a list, checking it twice, to find out who’s naughty or nice. Actually – we thik he’s not. The list is made out of those who consented to last year’s delivery and those who have asked for one this year, he’s checking it to make sure there aren’t those who opted out still on the list. We can also argue that the data from last year was kept for a reasonable time too 😊     

Although we’ve made huge leaps in raising awareness about the GDPR and its implications, there are still various misconceptions going around.

For Christmas, you got a jumper which makes you look twice your actual size.  The shop assistant refuses to exchange it as she doesn’t know who the original purchaser was and cannot obtain their consent:

Giggle all you want, but this was actually a major concern at one point. But don’t fret, consumer rights are in no way affected by data protection legislation – at least, not in a negative way.  So please, change that jumper before the sale season begins and you’ll be stuck with it, and don’t let scaremongering get to you.

Your ill aunt might sue you for a data breach if you ask the parish priest to request churchgoers to offer prayers to her at Christmas time:

Health information is sensitive data, yes.  But we have to take a realistic view on the rights given under the GDPR – they’re meant to protect privacy, not hinder freedom.  Therefore, jurisprudence from around the EU has shown that if the data subject would have reasonably been expected to have wanted the processing of their data by the processor in question, there’s probably no violation.

And why wouldn’t Auntie Lina not want her fellow churchgoers to pray for her to get better? Obviously there’s no need to give details to what’s keeping her away from church.

Too many Christmas cards I gave no permission to these estranged relatives to send me their holiday wishes! Can I sue?

No. You can’t.  Just throw them away if they irk you so (or at the very least, recycle them).  Sending Christmas cards (or any other type of mail) to relatives or friends is in no way a breach of EU data privacy law.  Nor is it a breach for companies to do the same to persons on their contact list (especially when greetings arrive together with a hamper of mince pies and mulled wine, non?).

Issues only arise where seasonal greetings are manipulated into indirect (or even direct) forms of marketing.  In that case, you’d have to ensure that you obtained the contact details in a legitimate manner, and that the recipients have actively consented to receiving marketing material from you.

You cannot send a anyone in a Santa suit to deliver presents to your grandkids’ house:

Let’s be realistic. A home address is not sensitive data.  This has been confirmed time and time again by various data protection authorities around the EU.  Therefore, giving directions to someone’s house doesn’t constitute a data breach.  At the most, play it safe and leave out the recipient’s surname, ID number and date of birth on the gift-wrap – the first name will do, no?

Filming your child at their school Christmas Concert is illegal other parents will take legal action against you:

Limitedly correct.  The school (or whatever institution holding the play) may request that no photos or videos are taken to be certain that other children will be protected.  However, if you want to film your children simply to show the video at your nanna’s annual Christmas Party, there’s no problem with that.  However, if you intend to use the video (or photos too) from the concert for any kind of marketing or promotional purposes, then that’s where you may get into trouble with other parents.  Don’t say you weren’t warned.

Don’t get too caught up in the wild conspiracy theories you might hear over the extremities of data protection legislation.  Ultimately, the law is there to protect you, and not to maliciously impede on your freedoms.  The principles of legitimate interest and proportionality are fundamental in considering whether an action touching upon data rights actually constitutes an illegal action.

Other than that – Merry Christmas from us to you.  Rest easy.