A meme is doing the rounds and says that, because of his ‘Naughty and Nice list’, Santa is in breach of GDPR! But is it true?
The meme encapsulates all of the misconceptions that people still have regarding GDPR and this blog aims to set out a process by which ‘The List’ could be legitimately be used for the intended purpose.
Legal Basis for processing
There are six legal bases for processing identified in GDPR. It’s difficult to see how Legal Obligation, Fulfilment of a Contract, Public Interest or Vital Interest could apply here so that just leaves Consent or Legitimate Interest.
It might be assumed that every child would consent to be on the nice list, but under GDPR, Consent has to be of a high order. The most obvious way to gain consent would be the grottos in shopping malls all over the world when children get a one-to-one with the big man. However, there is no evidence of any record keeping, either paper or electronic, of when and where consent was obtained, or how it was obtained. Given the size of the database, this would be a huge and challenging task, so we should probably rule out Consent in this case.
NB. Although the North Pole is not in the EU, the regulations apply to the processing of data belonging to all EU citizens, and so still applies for these children.
Child Data Subjects
Although Legitimate Interest appears to be the best option, great care needs to be taken when performing the balance, because Article 6 of GDPR, 1(f), (Lawfulness of Processing) explicitly states:
“…[where] processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child...”
One factor in favour of Santa’s use of Legitimate Interest is the expectation of personal data being used in this way. Since every child who is over a year old has previously had their data processed in this way, it is reasonable to assume an expectation that the processing will be repeated this year.
When using Legitimate Interest, as with other legal bases, it is important to provide the data subject with a clear and easy way to opt out or to be forgotten. Letters to the North Pole or visits to a Grotto could be used in this way.
Maintaining ‘The List’
‘The List’ will contain large amounts of historical data, since it has been used every year prior to the implementation of GDPR on May 25 2018.
How long to keep the data
As always when using Legitimate Interest, it is important to decide and record how long personal data will be kept for. An annual cleanse of the database is recommended to identify dates of birth and removal where this is 18 years or older, and to allow deletion of duplicate records (not twins!)
The naughty vs nice profiling must be provided by someone with access to the child, such as mum, dad, grandparents or carers, presumably by letter or grotto visits.
Keeping ‘The List’ updated would require the collection of personal data on all babies born since the last processing. Given the explicit warning about protecting the data for children, it wouldn’t be advisable to try to purchase a list from a data broker. Perhaps Santa helps to support the NHS in return for information on newborn babies? I would recommend that whatever data source is used should be reviewed to determine whether it is compliant with GDPR.
Automated individual decision-making
Children on the naughty side may object to being filed there, but there will be legitimate reasons why. GDPR doesn’t prevent such decision-making but puts down restrictions on automated individual decision-making. Section 4, Article 21, 1 of the GDPR (Automated individual decision-making, including profiling) states:
“…The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her…”
This means that if a naughty child objects to such processing, as long as it is carried out by a person, elf or reindeer, rather than an automated system, the profiling is legitimate.
Finally, a pedantic point. Article 4 of the Regulations is simply a list of 26 formal definitions of terms which are used in the rest of the document, ranging from (1) ‘Personal Data’ to (26) ‘International Organisation’. It is impossible to contravene article 4 because that article doesn’t cite any law or place any obligations.
As it is for the rest of us, with a little careful planning it is easily possible for Santa to stay on the right side of the law.
Do you agree?
For information on data cleansing, or other data quality services please visit our website, or call +44 (0) 151 355 4555