Does the GDPR really say that? Festive Edition

09th December 2019

Letter writing, Christmas marketing emails and online shopping – Christmas time is here and with it comes more rumours that the GDPR is ruining the festivities.

Here we take you through the data protection myths that tend to come up at this time of year and point out that if a story about the GDPR sounds too ridiculous to be true, it’s probably because it is too ridiculous to be true.


Does the GDPR ban people sending Christmas cards or letters to Santa?

Rumours have been circulating that the GDPR means that people can’t send Christmas cards, or that children can’t write letters to Santa and this isn’t true.

There is what’s known as a household exemption in the GDPR for individuals doing something in a personal capacity, such as posting a card or letter to friends and family.

However, if you are using a service to send or receive cards and letters then the organisation that runs that service must adhere to data protection laws. Organisations that provide these services or that send corporate Christmas cards do not fall under the household exemption and will need to have a justification for sending cards, letters or messages where personal data is concerned.

And do they need the recipient’s consent before they send these cards and letters? All the DPC wants for Christmas is for people to know that consent is not the only possible legal basis for processing personal data. There may be other, more appropriate justifications for sending corporate Christmas cards, such as ‘legitimate interest’.

For corporate communications, particularly those including festive offers, organisations should also consider whether this involves ‘electronic direct marketing’, in which case they will need to make sure they comply with their obligations under the GDPR and the ePrivacy regulations.


What is the legal basis for Santa’s  ‘naughty or nice list’?

We have been reliably informed by the Data Protection Officer (DPO) for Santa’s Workshop that the personal data analysed to produce the ‘naughty or nice list’ is processed on the basis of legitimate interests –both the legitimate interests of Santa in carrying out his present-delivering activities, as well as the interests of good children in receiving their presents – and that the personal data, both naughty and nice, is deleted once is it no longer necessary, in compliance with the principle of data minimisation.


Does the GDPR stop people taking photos at a school Christmas play or a concert?

Another rumour is that the GDPR has banned photos at Christmas plays and concerts.

As we’ve mentioned before in our blog on taking photos at school events, there is nothing in the GDPR preventing people from taking photos at schools events. Parents and family should still consider the wishes of others, and any internal rules set by a school or the event organisers. However data protection law should not stop parents and family from taking photos in general, particularly where they are done in a purely personal capacity (and not used in any commercial context or published online).

Where schools or organisers want to take some official photography of an event, they won’t be able to rely on the ‘personal exemption’, which parents may rely on, but could still organise for photographs to be taken once they consider and comply with their obligations as data controllers - for example they must have a legal basis to process the personal data (e.g. take and store photos) and they must provide clear and concise information about what it is that they are doing with this personal data, how long they will be keeping it for, etc.


Do you need consent to leave cookies for Santa?

No. You’re thinking about the other kind of cookies. Baked goods raise few, if any, data protection concerns. For information about the other kind of cookies, see our Guidance on Cookies and Similar Technologies.


If I buy a voucher/pass/membership for someone as a Christmas present, do I need the recipient’s consent?

This is an issue which crops up from time to time, and can have many different forms. The general example we see is that someone tries to buy a voucher/pass/membership for someone else as a present but encounters issues because the vendor requires some of the recipient’s personal data, such as their name or date of birth or address.

The exact answer to this question would depend on the facts of each case, but in general data protection shouldn’t come in the way of buying someone a voucher or pass as a present. If it really is necessary to process some of the recipient’s personal data (such as their name for a membership card) it is important to remember as mentioned above that consent is not the only possible legal basis, so it may not be necessary to get the recipient’s consent. There may be legitimate interests which justify the processing of personal data in these cases.

Finally, and again in line with the principle of data minimisation mentioned above, vendors and present-buyers should consider whether it is still possible to organise the gift without having to use any, or as much personal data. For example, you could buy a voucher for a year’s membership of a service, instead of directly buying the membership and signing the recipient up with their personal details. Once as little personal data as necessary is utilised, and there is a good reason for doing so, the GDPR should create no problems for buying these sorts of presents.