“He’s making a list,

“He’s checking it twice,

“He’s gonna find out who’s naughty or nice,

“Santa Claus is in contravention of Article 4 of the General Data Protection Regulation (EU) 2016/679.” [1]

The festive joke may have raised a few laughs on the IC Ho Ho Ho (ICO – Information Commissioner’s Office) website and on social media, but it also raises some serious seasonal questions around GDPR. There are still many myths and misconceptions surrounding the regulation and what is permitted under data protection law.

So, before you put up the tree, work through your present list and start basting the turkey, take a look at our handy guide to busting the common myths and remaining GDPR compliant.

In general terms: ‘If it sounds too far-fetched to be true then it probably isn’t’.

‘Taking pictures and video of your children in their school Nativity play is not allowed’

This is a common misconception that is wheeled out every Christmas, and a prime example of how incorrect interpretations of data protection law are cited as gospel. If the photography or filming is used purely for personal purposes, then there is nothing in data protection law, past or present, which prevents it. So, when headteachers all over the country tell parents that the images must be used for personal purposes only, just heed their warning and snap away.

‘Children cannot write public letters to Santa as they need permission from their parents’

A simple form including both the child’s letter and a parent’s signature is all that is needed. The key word here is ‘public’ – and this issue was flagged up last year when a German town threatened to ditch its traditional ceremony, where children hang their Christmas wish lists on a tree in the market, and blamed GDPR. The children in Roth, Bavaria, were said to be left heartbroken after council officials ruled they could no longer leave their public letters to Santa.

‘Because you don’t have their express consent, you can’t contact parents to tell them what stall they’ll be running at the Christmas fayre’

The PTA or the school have a legitimate interest in being able to contact parents and volunteers about the fayre. Basically, you do not always need consent to comply with GDPR: consent is not the only lawful basis on which you can use someone’s personal information.

‘If you use guest registration on a website to buy Christmas gifts then it removes the right to return faulty goods’

Checking out your online basket as a guest has no negative effect on your rights under consumer protection legislation.

As for the Big Fella himself, well… the naughty list and the right to be forgotten are covered by the requirements of GDPR. Let’s hope Santa Claus has a Data Protection Officer and good lawyers!

‘Schools and local MPs who run Christmas card design competitions now face stricter guidelines’

No. They are simply asked to observe basic data protection principles including security and data minimisation which they should already be doing.

‘You need the recipients’ consent to send Christmas cards’

There is absolutely no need to panic about this myth, as the GDPR does not ban Christmas cards. If you are sending Christmas cards to friends, family, neighbours etc. you certainly don’t need their consent. Sending a card in a personal capacity will not be a breach of GDPR. Businesses are still able to send Christmas cards to their customers by post. However, corporate Christmas cards need a bit more care to make sure they do not contain direct marketing. For example, it was feared that MPs who send Christmas cards to constituents would be caught by the rules on the grounds that the cards qualify as unwanted marketing.

The Institute for Chartered Accountants in England and Wales (ICA) even told its members last year that cards may only be sent with the recipient’s consent “if you can justify that you have a legitimate reason to do so”. [2]

Businesses need to co-ordinate their card-sending efforts, so that the same person does not receive the same card five times from different individuals.

Information relating to religious beliefs is ‘sensitive personal data’ requiring additional safeguards. Any decision to send or not to send cards to specific recipients based on assumptions or knowledge about those individuals’ religious beliefs needs to be handled with very great care.

And remember, if the corporate card is sent by email then it must comply with electronic marketing data protection rules. This means it has to adhere to the Privacy and Electronic Communication Regulation (PECR) rules on electronic marketing, which make consent mandatory for any direct marketing by email. There is a limited exception for existing clients and prospects, but even in this case all direct marketing needs to offer an ‘unsubscribe’ option, which must then be respected for future communications.

GDPR Practitioner Megan Kane, at iCaaS GDPR Management says: “There’s a lot of Bah Humbug misconceptions around remaining compliant over the festive season. As long as businesses keep up their good practice and make sure they adhere to the GDPR regulations then there is no reason for them to be on the naughty list this year.

“Sending Christmas cards for example should be seen as no different from other marketing communications when they originate within a business to a business context.”

[1] https://ico.org.uk/about-the-ico/news-and-events/blog-sleigh-ing-the-christmas-gdpr-myths/

[2] https://globalpayrollassociation.com/blogs/gdpr/corporate-christmas-cards-at-risk-under-gdpr