Twitter can be a goldmine of fun stuff slanted a little bit off-center. It's always extra fulfilling when the twitterverse takes a break from the Kardashians to give us a good dose of compliance humor.
Case in point.
In short: Santa is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679.
Or is it fine as long as he stores it properly and has a good retention schedule and documents it all properly? Thanks, Anna James.
Maybe it doesn’t apply. Do the legitimate interests of a naughty/nice list outweigh the privacy concerns if they can reasonably expect the list to be produced and if a naughty/nice list is really needed?
Does writing a Christmas letter, in this case, qualify as opting in?
Probably not. Consent has to be informed and explicit. Santa could rely on GDPR Article 6(1)(b), steps taken at the data subject’s request prior to entering into a contract or to fulfill a contract.
Maybe the whole tweetstorm didn’t need to happen at all.
This entire sequence can have dire consequences for those of us who are (allegedly) well-behaved.
North Pole GDPR
We don’t know exactly how Santa’s actions would play out in the eyes of GDPR -- more than likely it wouldn’t be a big deal since his base is the North Pole, although admittedly he does have a high-touch relationship with European consumers.
While this is all fun and games on Twitter, the sheer volume of this thread underscored how many people are thinking about GDPR, how confusing compliance might be in some cases, and how it can turn a beacon of our childhood’s best memories into a series of “Am I compliant?” concerns.
In short: it’s a jungle out there, even for Santa.