Santa Claus & the General Data Protection Regulation (GDPR)

Santa needs YOU to help with GDPR (and WiFi)

The Problem

Problem Statement

Santa’s organisation is based in a North Pole but he has Data Subjects all over the world, including the European Union (EU), so he is subject to the GDPR — probably.

  • full name
  • date of birth (with calculated age)
  • gender
  • address at the time of 24th/25th December
  • whether said address has a viable chimney
  • calculated score on naughty-v-nice
  • metadata on score decision making (naughty/nice factors over the year)
  • personality traits (to establish toy preferences)
  • toy wishes (letters received, if any, with requests)
  • a list of existing toys
  • parental/guardian information (might even so far as to salary information to determine number of gifts etc)

Problem Scope

For simplicity, we will de-scope the privacy concerns stemming from actually visiting the property and entering it without being explicitly invited by an authorised person.

GDPR Compliance


These are in no way exhaustive and I am not a [privacy-specialist] lawyer. I would urge Santa to retain an appropriately capable and experienced GDPR professional and engage a privacy-specialist legal firm.

Bite-sized chunks

I’ll review Santa’s GDPR position based on the GDPR core requirements. This is summarily what he could be doing, or at least what I hope is in place, and this will take Santa through to being somewhat aligned with GDPR’s core principles under a proportionality banner.

What data is being held?

We’ve covered this above, I think Santa has a pretty good grasp on the information he has.

What are the conditions for processing?

Article 6 provides some core options:

  • (1)(a) — consent
    this cannot apply as Santa does not obtain consent from Data Subjects (or more likely, parents/guardians on their behalf)
  • (1)(b) — contract
    there is no exchange of promise for value
  • (1)(c) — legal obligation
    I get the feeling Santa isn’t doing this because someone is making him
  • (1)(d) — vital interests
    I’d argue the Data Subject wants a gift pretty vitally
  • (1)(e) — public interest task or vested authority
    I’d argue a bunch of happy kids would be in the public interest (the vested authority does not apply as the EU would not recognise it)
  • (1)(f) — legitimate interests
    as much as Santa as Data Controller wants to give gifts, the legitimate interests of the third parties (parent/guardian’s sanity) is likely more legitimate

Where the data is being held

Offshore through Amazon Web Services. WorkSpaces are used for GUI representation and running queries with Oracle RDS holding all of the data.

Who has access to the data?

Pretty much everyone in Santa’s organisation, on the basis that they are all goal/mission orientated — even Rudolf needs to know where to go.

Who is responsible for the data?

Santa is likely operating as a sole trader in this situation as he isn’t worried about sales taxes etc.

That the data is up to date and needs to be kept

Santa likely gets his data from governmental records (registering a birth workflows etc) — although I do suspect this is ‘extra legal’ due to lack of formal data sharing capabilities.

That processing information is conveyed

Article 13 does not apply (Santa doesn’t get data directly from Data Subjects) so Santa is very likely in contravention of Article 14 as to my knowledge there is no published or readily available privacy notice conveying processing information.

What security is in place to protect the data?

Santa’s organisation likely uses up to date macOS devices because Santa is still burning VC cash all these years later.

Data subject rights (Articles 12 to 23)

Santa tends to get more ‘request’ letters than anything else so he sees this as a Article 16 (‘Right to Rectification’) over Article 15 (‘Right of access’).

Summary & Recommendations

Santa’s GDPR compliance is summarily unclear and appears to pivot between possibly/probable compliance through to disrespect for Data Subject rights. Any accurate review is impossible without accurate accessible privacy notices and/or view of independently-audited internal risk assessments or privacy documentation.

  • engage in a proportional review from a high-level data protection/compliance perspective (starting with GDPR then into other requirements from other jurisdictions)
  • take a far more transparent approach by publishing a privacy notice
  • tell the hacking Elves to take it easy with this extra legal database activity stuff
  • include a brief leaflet with each delivery explaining where Data Subjects (or parents/guardians on behalf of) can go to view data, request it be updated and the contact details for where to send general data protection queries and complaints.
  • ensure the leaflet is printed on magic paper, so the complaints section dynamically conveys the Data Subject’s local data regulator and changes language and phrasing to ensure it is plain language (in the local language) to ensure it is understood.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store