December 2017 - Data Protection & Privacy | IT Law | EU Single Digital Market | Internet Governance | GDPR

Who’s Naughty Now? Can Santa’s Business Model Survive the GDPR?

Santa himself will not be able to avoid dealing with the forthcoming EU GDPR – even being based at the North Pole won’t change anything. Judith Ellis looks at what data processes Santa will need to change before next Christmas.

© maurusone | istockphoto.com

Not much longer now, and a jolly, somewhat rotund man in a red suit with a white beard will be visiting households all around the world. It’s a difficult job – cleaning up after the reindeers, drinking all that milk, and eating all those cookies.

But Santa’s life is about to get a bit more complicated. That’s because Santa keeps lists – he collects and analyzes personal data of European citizens. And for the approximately 45 million customers he has in the EU alone, next year he will have to take special care not to run afoul of the data protection authorities.

Let’s just get this straight. Santa does not live in the EU. And he doesn’t charge for his services. But his job entails service provision for a large number of European citizens. As a result, he has access to sensitive personal data of these citizens, and this means that he will be subject to the new EU General Data Protection Regulation, which comes into effect in May 2018. 

What does Santa know about you?

Santa has the names and addresses of his customers. He knows their gender. He also knows what they asked for and what they got last year. This in itself would be enough for the European data protection authorities to prick up their ears. And seeing as he’s been in business so long, he also knows what their parents got in their day. 

But that’s not all: some of the information he knows is very sensitive, like how to get into the house or apartment if there isn’t a chimney. Not to mention the family beliefs. 

Added to that, he’s been monitoring the behavior of his charges all year, in order to put each one on either the naughty or the nice list. 

We can’t blame Santa – he’s been collecting information the same way for centuries. But that won’t be an excuse on 25th May 2018, when the EU General Data Protection Regulation comes into effect.

So Santa will have his work cut out for him over the next six months, to make sure he doesn’t get a whopping fine.

Santa’s little helpers

From 25th May 2018, it won’t only be Santa himself who is subject to the new law and liable for all data he manages. All his little helpers – the ones who process the requests, organize the deliveries, help with the profiling and analysis – will also carry the can if there are any irregularities with the way the data is processed.

What does Santa have to do to comply with the EU GDPR?

dotmagazine spoke to Clarissa Benner, attorney and data protection specialist at the eco Association, to find out what Santa will need to ensure before he starts next year’s preparations. 

  • What data can Santa keep?

    “In the first place, as set out in Art. 6 Para. 1 GDPR, Santa needs to make sure he has the consent of every ‘data subject’ on his lists for the processing of his or her data,” according to Benner.
    “The consent must be given freely and without any kind of coercion (no offer of a special gift for children who sign up, for example). The customers must also be fully informed before they give consent: who is responsible for the data processing (Santa must not hide his identity when he seeks consent), and what the specific purpose of the data processing is. This is because there is a strong obligation to fully inform data subjects. If there is more than one purpose for the data processing, then the consent must specify all of them.”
    Added to this, Clarissa Benner warns that “Consent should also be in writing (bear in mind for future letters to Santa!), in order to comply with the need for proof as set out in Art. 7 Para. 1 GDPR.”

  • How long can he keep the data?

    “Here, a lot depends on the purpose for which the data subject has given Santa his or her personal data,” she continues.
    “1. If Santa has only been given permission for data processing for Christmas 2017, then he has no choice but to erase the data after the present giving. This is dealt with in Art. 17 Para. 1 GDPR: ‘the obligation to erase personal data without undue delay [when] the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.’”
    “2. However, if consent has been granted for data processing for Christmas 2017 and the following years, Santa does not need to delete the data, and can use them again in the following year. That is, unless the data subject decides he or she is too grown-up and cool to be visited by Santa anymore – then they can withdraw their consent and Santa will need to remove them from his database.”

  • How should the data be stored?

    “Santa must not under any circumstances store the data so that it is open and accessible for anyone to see. He needs to take the required technical and organizational measures, as set out in Art. 32 GDPR.”
    Santa needs to be aware that the key concepts here are:
    - Pseudonymization;
    - Encryption;
    - Guaranteeing confidentiality;
    - Guaranteeing integrity;
    - Guaranteeing availability;
    - Guaranteeing the resilience of the systems;
    - Processes for reestablishing availability of personal data after a physical or technical incident;
    - Processes for the regular auditing, assessment, and evaluation of the effectiveness of the technical and organizational measures.
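To make the retention rules (consent for one Christmas versus for following years, and withdrawal of consent) and the pseudonymized storage concrete, here is an added example of how Santa's list could be kept; it is constructed for this article and is not code from eco or from any real system. The key, the names and the addresses are made-up sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumption: a secret key held separately from the list itself. With a keyed hash,
# an entry cannot be tied back to a child by anyone who sees only the list (Art. 32).
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(name: str, address: str) -> str:
    """Keyed hash of the identifying fields; the list stores only this value."""
    return hmac.new(PSEUDONYM_KEY, f"{name}|{address}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Entry:
    pseudonym: str
    consent_through_year: Optional[int]  # None = consent for this and the following years
    wish: str
    withdrawn: bool = False


@dataclass
class SantaList:
    entries: dict = field(default_factory=dict)  # pseudonym -> Entry (the list proper)
    lookup: dict = field(default_factory=dict)   # pseudonym -> (name, address), kept apart

    def add(self, name: str, address: str, wish: str, consent_through_year: Optional[int] = None) -> str:
        p = pseudonym(name, address)
        self.entries[p] = Entry(p, consent_through_year, wish)
        self.lookup[p] = (name, address)
        return p

    def withdraw(self, name: str, address: str) -> None:
        """The data subject withdraws consent (Art. 7); the entry is flagged for erasure."""
        p = pseudonym(name, address)
        if p in self.entries:
            self.entries[p].withdrawn = True

    def purge(self, today: date) -> list:
        """Erase entries whose purpose has ended (Art. 17 Para. 1) or whose consent was withdrawn."""
        removed = []
        for p, e in list(self.entries.items()):
            # Consent for Christmas 2017 only: the purpose ends once the presents are delivered.
            expired = e.consent_through_year is not None and today > date(e.consent_through_year, 12, 25)
            if expired or e.withdrawn:
                del self.entries[p]
                self.lookup.pop(p, None)  # erase the re-identification record as well
                removed.append(p)
        return removed
```

Run `purge` after each delivery; entries with open-ended consent survive into the next year, the others do not.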

  • Does Santa need a Data Protection Officer?

    “Given that Santa comes from the North Pole, and is therefore not based in one of the EU Member States, he needs to have an ‘EU Representative’, as spelled out in Art. 27 GDPR. This person needs to act as a contact point for all data protection-related questions from EU citizens, and also functions as the contact to the supervisory authorities,” according to Benner.

All said and done, Santa should make the most of post-Christmas lethargy to get a bit of data housekeeping done.