The Holiday Season is upon us. That means it's time for Santa Claus to start his annual gift-giving journey and, as he makes his list and checks it twice, I can't help but wonder: should Santa Claus worry about GDPR?
I dare you to NOT sing along: He's making a list, And checking it twice; Gonna find out Who's naughty and nice. Santa Claus is coming to town! | He sees you when you're sleeping, He knows when you're awake, He knows if you've been bad or good, So be good for goodness sake!
I reckon that's A LOT of personal data to keep track of, so Santa needs to make sure he's protecting it all properly. So, let’s address the pink plush elephant in the room:
It's not just the names, addresses, and behavioural patterns of a massive population of little boys and girls that Santa needs to worry about. Let's not forget about the parents and caretakers of all these children — their personal data is also at risk.
Moreover, we know that he’s working with a lot of elves and reindeer, and he runs the operations of several factories, so it’s quite clear that he is leading a large manufacturing and transportation conglomerate. We are also well aware of the fact that he processes the personal data of European data subjects, which clearly makes GDPR applicable to Santa Claus and his operations.
There is also in-plain-view evidence that he regularly informs data subjects about his processing activities, and this has been going on for decades, even before GDPR came into force — quite the privacy pioneer, this Santa fellow! You can hear his information notices everywhere for weeks and weeks, in markets and malls, on posters and screens, precisely when the processing starts.
Santa sure has a lot on his plate in terms of privacy compliance, but it's not all bad news for the man in red. He can take comfort in knowing that he and his elves can regularly conduct DPIAs to ensure he's complying with the GDPR.
Unnamed sources within the North Pole Xmas HQ have provided us with this year’s draft DPIA — Data Processing Impact Assessment — for Santa’s data processing activities:
Create and maintain a list of children who have been naughty or nice.
Fulfil children's gift requests and deliver presents on Christmas Eve.
Manage and track the production and distribution of gifts in Santa's workshop.
Maintain records of reindeer health & fitness for their annual Christmas Eve journey.
Children's behaviour records could be accessed and shared by unauthorised individuals, leading to potential embarrassment.
Parents' financial information could be accessed by children and used for fraudulent purposes, such as online shopping frenzies.
Elf performance evaluations could be accessed and shared by unauthorised individuals, leading to potential damage to their reputations.
Reindeer medical records could be accessed, shared, or modified by unauthorised individuals, leading to inadequate Christmas Eve performance.
Santa has implemented strict access controls on his naughty and nice list, limiting access to only authorised individuals (Santa and his trusted elves).
Santa's online gift shop uses secure payment processing and encryption to protect parents' financial information.
Santa's HR database is password protected and only accessible to authorised personnel.
Santa's animal management system is password protected and only accessible to authorised personnel.
Overall, Santa takes the privacy of his data subjects very seriously and has implemented appropriate measures to protect their personal information. Ho ho ho!
Oh, those pesky Data Subject Access Requests! As kids and parents around the world became increasingly aware of their privacy rights, Santa knew he wouldn’t be able to steer clear of DSARs.
Take this letter from a clearly upset — yet suspiciously eloquent, informed, and well-spoken — young lady from London, for example:
Dear Santa,
I am writing to request access to my personal data, as provided for under the GDPR. I am extremely upset with the gifts you have given me in the past and would like to understand the decision-making process behind them.
I demand to know all of the personal data that you hold about me. How and why do you collect and process my personal data? How do you use it? I want to know my rights in relation to my personal data as well.
I am completely baffled by the inconsistent choices you have made for my gifts and I want to understand the reasoning behind them. I cannot believe that you would choose such subpar gifts for me after all the good behaviour I have exhibited throughout the years.
I expect a full and thorough response to this request. Please do not try to brush off my concerns or dismiss my frustration. I have a right to know how my personal data is being used and to have a say in the decisions that are made about me.
Sincerely,
Hannah — which is a palindrome, by the way.
Poor Santa — talk about a disgruntled customer. 🤦 Here’s what he wrote back to Hannah:
Dear Hannah,
Thank you for your letter and for expressing your concerns about the gifts I have given you in the past. I understand that you would like to have access to your personal data and to know more about how and why I collect and process it.
I'm sorry to hear that you have been disappointed with your past gifts, but I want to assure you that I take your personal data very seriously and only use it to help me make the best decisions about what gifts to give you.
To answer your questions: I collect and process your personal data through various means, including letters you send me, visits to mall Santas, and observations made by my elves. The data I collect includes your name, age, gender, and information about your behaviour and gift preferences. I use this data to create my naughty and nice list and to decide which gifts to give you on Christmas Eve.
I understand that you have the right to access your personal data and to know how it is being used, and I am happy to provide you with a copy of the personal data that I hold about you. Please let me know if you have any other questions or concerns, and I will do my best to address them.
I hope this helps to clarify things for you, and I hope you have a wonderful holiday season.
Warm regards,
Santa
P.S. I'm glad to see that you appreciate palindromes! “Hannah” is a great example. Do you have any other favourite palindromes you'd like to share? I particularly like “deed” — as in a good or a bad deed.
That is a suspiciously comprehensive, legally sound response! So don't let the red suit and jolly personality fool you — Santa Claus has got to stay on top of his GDPR game just like the rest of us.