How can Santa keep his lists when the GDPR is around?

555

149

For my non European readers, there is excerpt of what the GDPR means: (emphasis mine)

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).

A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, how long data is being retained, and if it is being shared with any third-parties or outside of the EU.

I haven't been notified by Santa and/or his elves that he is collecting data about me. And mind you: my name and surname are my personal data, not to mention data on whether I have been good or naughty.

Moreover, Santa also needs my full address to deliver my presents, and again, that is also my personal data

I haven't been notified by Santa whether he is updating his Privacy Policy, so my assumption is, that Santa stopped collecting these data, at least for Europeans.

Does it mean that Santa is delivering me nothing this Christmas? If there is any way around this, can you please tell me what it is and how can Santa deliver me presents while still being compliant with the GDPR?

Please assume I haven't been naughty.

Pavel Janicek

Posted 2018-06-04T13:54:38.257

Reputation: 42 849

180Santa's naughty list is clearly exempt from the GDPR, which does not apply to data processed "by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties..." – Mike Scott – 2018-06-04T14:07:20.637

33@MikeScott, he judges based on morality, not law, being rude to your parents isn't criminal but it does put you on the naughty list, no exemption there. – Separatrix – 2018-06-04T14:30:28.537

54Thanks so much to everyone who has contributed to this I really really needed something uplifting today and this has hit the spot beautifully. – Ash – 2018-06-04T15:23:23.713

7Santa has no way to fully comply with GDPR under his traditional practices. However, Santa's fantasic supernatural powers mean that the EU and it's member states are powerless to compel compliance or to sanction Santa for non-compliance. – user535733 – 2018-06-04T16:56:31.137

2Similar question: If I am a private investigator, and in the course of my job I determine certain personal information (for example, let's say my investigate has a second home that I discover, and goes under an alias, and maybe has a second family living there), must I disclose this information to my investigate? Despite a difference in scale, since Santa "see you when you're sleeping, he know when you're awake", I would tend to think of his discoveries as something more in the line of private investigation, despite the presumed difference in the total number of investigates. – RDFozz – 2018-06-04T17:05:16.197

86I think that, if Santa was caught, breaking and entering would be higher up on the list of things he was arrested for than violating GDPR rules. – Lio Elbammalf – 2018-06-04T17:37:53.137

@LioElbammalf: How you gonna catch him? A slow-motion camera has to get lucky to pick up one frame. – Joshua – 2018-06-04T18:21:25.440

You have been warned that "This incident will be reported". https://xkcd.com/838/ The xkcd is considered proper notice and your usage of sudo is clear consent.

– Nemo – 2018-06-04T20:14:33.400

2"By sending a letter / opening this present you agree to our service terms and conditions, readily available for reading in our office at north pole, and you confirm that any current, or previous, services were rendered with your explicit consent and therefore you confirm that they are not subject to any future legal actions (..),", eh, IANAL, but Santa's elves have a lot of experience in all these little footer lines – quetzalcoatl – 2018-06-05T00:07:31.067

16Is nobody going to mention the irony of the tags [santa-claus][reality-check] ? :) – Josh – 2018-06-05T13:51:15.647

1Wouldn’t whoever enforces GDPR on him be put on the naughty list by preventing billions from getting their presents? – DonielF – 2018-06-05T18:57:05.480

@DonielF That would be a small sacrifice to pay for upholding the law and protecting millions of innocent peoples data being misused or unlawfully collected. A hefty fine for each breach and the UK economy will be fixed. – 5202456 – 2018-06-06T10:41:42.633

A Belgian newspaper had a cartoon about this situation today. Technically it's St. Nicholas instead of Santa, but close enough. Translation: "The saint highly values your privacy and wants to know if he, within the context of the GDPR, can keep data about you in his big book?"

– user51617 – 2018-06-06T18:02:00.737

19I suspect part of the legality, as it relates to GDPR, also has to do with whether or not you accept his use of cookies while visiting your site. – SirNickity – 2018-06-07T01:08:18.120

4Congratulations on being the current highest-voted WB question! Santa applauds your effort in "helping him figure out if he needs to update his policies" and puts you on the permanent good list, until such time as you are outscored! – EveryBitHelps – 2018-06-08T10:29:07.927

1Attention VTCers! Questions about Santa are a Worldbuilding tradition meaning BOTH of the VTC:NA/WB votes are improper. It also means pretty much any VTC is improper (it would have to be a wailing bad Santa question to deserve closure), but it is tradition to ask them around the end of the year. So, buckle up, enjoy the ride, and stop making Santa cry. Thanks. – JBH – 2018-06-09T03:44:27.470

2I'm disappointed this wasn't saved for Christmas. =( – jpmc26 – 2018-06-12T03:23:53.950

4I have my ways, sorry can't post them publicly. I wouldn't want to give my competition (regardless of their existence) a leg up. – Santa – 2018-06-12T13:07:45.927

2@SirNickity I will buy you a beverage of your choice for that magnificent cookies comment. That was glorious. – Ti Strga – 2018-06-13T23:00:42.810

2We need a Question of the Year award – Clonkex – 2018-06-14T00:01:35.110

Santa is an individual and not an organization. The question here is if Santa only collects and/or processes data for a purely personal activity or that it has a connection to a professional activity. – Gijs Brandsma – 2018-06-05T13:45:15.643

Santa keeps all the data in his head and GDPR doesn't regulate what you are allowed to keep in your head. – Michael Kay – 2018-06-14T23:36:28.620

@Ti Strga -- Thanks, but it was reward enough that circumstances had aligned to make way for that particular quip, and nobody had yet beat me to it! That said, if we ever had an opportunity to share a beverage, might I suggest milk? :-D – SirNickity – 2018-06-16T00:19:30.167

Santa has now released a public letter that he will now cease and desist all unlawful surveillance and collection of personal information for all EU countries. Unfortunately this means that the deliveries will stop too. Santa will now have to rely on the parents of EU children to provide their gifts. Santa regrets the fact that this legislation has now fully commercialized Christmas. – Mathaddict – 2018-08-22T19:53:57.743

Answers

579

Santa's data collection has always been compliant with GDPR, so he has no need to change his ways. The nature of his data collection is more transparent than most companies, and he is open to updating his records if you contact one of his representatives.

For example, he makes it clear that he is operating in your town:

You better watch out

You better not cry

Better not pout

I'm telling you why

Santa Claus is coming to town

The legitimate business purpose of his data collection is to create a list of those who are naughty and nice this year:

He's making a list

And checking it twice;

Gonna find out Who's naughty and nice

Santa Claus is coming to town

He even gives some examples of what data he's collecting:

He sees you when you're sleeping

He knows when you're awake

He knows if you've been bad or good

So be good for goodness sake!

The GDPR has some other requirements to it, such as an EU-based representative being necessary for operating in the EU, allowing users to request data updates, and getting consent for data collected.

Thankfully for Santa, he's been operating compliant representative systems for decades: Just go to any mall during the holiday season to meet with a representative. To ensure open and accurate records, the representative will ask the child if they've been naughty or nice that year and what type of present they want.

As long as the child's parent/legal guardian is nearby to confirm the data change requests, Santa will be happy to update his database to ensure the naughty/nice data is accurate and that the requested presents are delivered.

As for consent, the children are obviously too young to provide consent and must rely on their parent/guardian to consent to Santa's data collection. I doubt there's a single house that is receiving presents from Santa without the parent's explicit consent, and I'm sure we've all been told by our parents at some point to "be good or Santa won't give you presents this year!".

Giter

Posted 2018-06-04T13:54:38.257

Reputation: 16 240

1So, which lawful basis for processing would Santa rely on? It clearly can not be consent based (no consent was given), nor based on a legitimate interest (as your privacy is heavily intruded)... – David Mulder – 2018-06-04T15:48:32.410

69@DavidMulder: Santa certainly has legitimate interest: he needs to watch you to collect naughty/nice data, and needs to know when you're sleeping in order to deliver your presents. As for consent, just ask any parent with their kid nearby and I'm sure they'll tell you that they're happy to have Santa make sure their kid is being nice all year long. – Giter – 2018-06-04T15:55:08.820

5Legitimate interest isn't just a "I need to do something", but a "I need to do something and my need is far greater than the non-effects on you". Infringing on privacy in a very heavy way simply doesn't allow an argument based on legitimate interests. Especially as Santa doesn't need to infringe of the rights of people to achieve his goals, he could simply give everyone the same present and/or only give presents to those people who wrote to him. – David Mulder – 2018-06-04T16:06:09.600

114Oh, that explains why my Jewish house never gets any gifts from Santa: My parents never consented to it! – OldBunny2800 – 2018-06-04T16:28:13.280

20Oh my, Santa invented GDPR decades ago and we haven't even noticed.. He's so good in hiding! – quetzalcoatl – 2018-06-05T00:11:07.940

24"I doubt there's a single house that is receiving presents from Santa without the parent's explicit consent" --- What about Batman? – PNDA – 2018-06-05T01:18:48.483

32@pandalion98: In such a case, "parent" should really read as "legal guardian", which would be Alfred. – Flater – 2018-06-05T07:39:57.020

2A Visit from St. Nicholas is all you need to know about implied consent. – Paused until further notice. – 2018-06-05T13:22:02.797

I would like to add that Santa himself, along with his entire operation, is based within the EU. https://en.wikipedia.org/wiki/Korvatunturi

– vurp0 – 2018-06-05T15:42:33.263

1Doesn't GDPR require very explicit opt-in? Even preselected checkboxes are disallowed. – Mooing Duck – 2018-06-05T22:57:49.293

2@MooingDuck As the answerer explained, in any relevant case consent has already been given by the parents. – MauganRa – 2018-06-06T12:12:24.287

1@MauganRa: No, the answer states that the parents granted consent, but doesn't say how. GDPR requires very explicit opt-in, and I doubt that parents filled out the proper paperwork and mailed it in. – Mooing Duck – 2018-06-06T19:53:15.537

1@MooingDuck I stand corrected, An explicit opt-in with paperwork (or a mandatory checkbox on a website) is a completely different kind of beast. – MauganRa – 2018-06-06T22:08:18.453

How would you ensure "Erasure"? The right of an Individual to request all(except some cases allowed by law) data related to him to be deleted. – Sahil Singh – 2018-06-08T10:18:36.993

1Given this so-called "song", I think that Santa Claus is open to charges of invasion of privacy, spying, unauthorized recording, and probably a host of other crimes. Mr. Prosecutor - DO YOUR DUTY!!!!! – Bob Jarvis - Reinstate Monica – 2018-06-08T21:16:43.147

9@SahilSingh There is every indication that presents are delivered based solely on data collected in the prior calendar year—which would suggest that all data is cleared annually anyway. Presumably it is also cleared if consent to receive services is withdrawn. And if not, you could request erasure in the same manner as you withdraw your consent. – KRyan – 2018-06-09T15:38:09.733

"Just go to any mall during the holiday season to meet with a representative." Even this is not required, as Santa maintains a permanent residence in Lapland, which conveniently enough is located within EU. You can also mail them to obtain your copy of the records they have on you.

– None – 2018-06-09T19:54:34.643

Deutsche Post also lists official representative addresses of Santa („Der Weihnachtsmann“) in Germany. As you can see on the linked list, the German Christmas market is still dominated by the „Christkind”, though.

– Daniel – 2018-06-11T21:03:48.520

2How do you know so much about my operations??? Bloody Elves. More like goblins. – Santa – 2018-06-12T13:09:53.267

@DavidMulder "give everyone the same present", girls would be sad when they get a new truck because, that is what I am getting, unless they wanted one. – Willtech – 2018-06-12T20:35:54.937

@Willtech The point was to explore avenues through which Santa could in reality comply with GDPR. Legitimate interests are not a valid reason to spy on all kids in the EU. Result is that he either needs to collect consents or stop using the personal data. – David Mulder – 2018-06-13T11:40:57.570

178

Santa is Christian priest (bishop as far as I remember). As you can see here he is covered by exemption:

The new Regulation will maintain the existing exemption which allows churches and other bodies with a 'religious... aim' to process sensitive data:

'in the course of its legitimate activities...';

'...with appropriate safeguards';

'...on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes'; and

on condition that 'the data are not disclosed outside that body without the consent of the data subject'.

As no one ever saw his lists, and we don't know about any other activities, we can safely assume above bullets are met.

Mołot

Posted 2018-06-04T13:54:38.257

Reputation: 31 195

84Ah, the old non-separation of church and state... – Renan – 2018-06-04T14:54:30.170

22@Renan actually it kinda is separation - state does not interfere with church data usage as long as it really is for church purposes. – Mołot – 2018-06-04T14:57:11.010

49Yeah, but this basically makes the church immune to the law, based on a government decision. – Renan – 2018-06-04T14:58:24.723

13May be, maybe not, this discussion is not really going to improve my answer in any way. Would make good question on Politics Stack Exchange, I guess. – Mołot – 2018-06-04T15:01:17.950

15You probably find that Santa checks for any list inaccuracies against the all-inclusive Easter Bunny Visits. Easter Bunny doesn't care if you naughty or nice, and could provide Santa with a slightly updated address field and total regional numbers. They are from the same religious organisation (albeit different departments), but the data was collected under different "given purposes". I don't know if this would be allowed or not. – EveryBitHelps – 2018-06-04T15:04:37.813

his list is revealed when we see those who get presents – V. Sim – 2018-06-05T00:06:52.417

3@V.Sim but then, it's up to the person who got present to decide if he wants to show it to the public or not. So that's perfectly OK. – Mołot – 2018-06-05T06:06:35.487

@V.Sim: Only if you assume a 100% coverage rate. If even the tiniest mistake is theoretically possible; then not receiving a present is not proof of being naughty (maybe a delivery error occurred), and receiving one is not proof of being nice (maybe you got the benefit of a delivery error). Furthermore, since Santa doesn't require you to sign on delivery, what's preventing third parties from stealing the presents after Santa has delivered them? – Flater – 2018-06-05T07:42:49.210

3@Flater and nothing prevents parents from buying presents to their naughty kids... just pretending it was Santa. – Mołot – 2018-06-05T07:44:30.787

2Saint Nicholas was a bishop. Santa Claus is a non/less religious rework of Saint Nicholas by the not Catholic people of the USA. So I doubt he's still a bishop, (definitely not a saint) – Jungkook – 2018-06-05T12:22:02.943

1@SEGod that depends a lot on particular interpretation. But we have to relax a little for this question to make any sense at all - of course IRL there is no way GDPR can be applied to mystical\mythical\fantasy beings. – Mołot – 2018-06-05T12:33:43.817

6@Mołot "mystical\mythical\fantasy beings" You WHAT!!?!? Take that back! He's REAL! – TripeHound – 2018-06-05T12:35:32.183

@SEGod He's definitely still a saint, just in another faith - The patron saint of Capitalism.

– pipe – 2018-06-05T14:02:01.813

1@Renan The degree of separation between church & state varies widely across the GDPR zone, so exemptions like this are not surprising. – DrMcCleod – 2018-06-07T13:15:21.543

The secularization of Christmas and the Santa Claus tradition over the past century+ provides more than sufficient basis to deny any such "religious exemption". Mr. Claus will be required to comply with ALL aspects of the GDPR for his data collection and usage activities. Mr. Claus and his associates are heavily involved in the collection of data regarding society's most vulnerable members - innocent CHILDREN! This so-called "saint" has much to answer for..! – Bob Jarvis - Reinstate Monica – 2018-06-08T21:26:59.167

Well you are making a fundamental misunderstanding about the GDPR (as many have), that consent is the only basis for holding and processing information.

There are actually six legal bases for holding data (you have to scroll down a little as the link doesn't work properly).
Those six bases are:

Consent
Contract
Legal obligation
Vital interests
Public task
Legitimate interests

So let's look at each of them and see if Santa has any basis for collecting our information.

Consent - Actually this one may not even be as troublesome as it first seems. Presumably we're all writing letters to Santa asking for presents, this could potentially be seen as a form of consent for collecting our data, though I think that's a little iffy.

Contract - The letter to Santa could also form the basis for a contract for the provision of services (present delivery), so I think this works.

Legal Obligation - Unless you want to argue that Santa is legally obligated to perform his duties I don't think this one works.

Vital Interests - No one is going to die if Santa doesn't do his job, probably doesn't work either.

Public Task - I think this is a strong contender. From the website I linked above; "the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law." I would say the worldwide provision of joy and happiness is in the public interest, and the processing of our information is definitely required for Santa's official functions.

Legitimate Interests - This is a little of a grey area and many businesses have used it as the basis for continuing to hold and process information, I see no reason why Santa couldn't do the same.

So in short, there is no real issue at all and Santa can continue doing what he needs to do as long as he properly deals with our information and updates his privacy policies.

adaliabooks

Posted 2018-06-04T13:54:38.257

Reputation: 11 904

49Legitimate interest is his strongest argument here. If Santa doesn't hold your data you don't get a present, and you want your present don't you? – Separatrix – 2018-06-04T14:31:45.227

2If we take the official UK interpration of GDPR (easier to understand for us non-lawyers) we find regarding legitimate interests: "It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.". The collection by santa of everything good and bad you do has a HUGE privacy impact and straight up rules legitimate interest out. – David Mulder – 2018-06-04T15:51:58.217

1And Public Task requires it to be set out in law, so that one is out as well. – David Mulder – 2018-06-04T15:53:10.700

2Vital Interests can be covered. For example: "Dear Santa; I want a new heart for Christmas. Signed: A patient with a defective heart." – Frostfyre – 2018-06-04T17:33:30.633

18@Frostfyre If Santa starts delivering human hearts there may be a few other regulations he's breaking. – Lord Farquaad – 2018-06-04T20:37:14.720

@Separatrix: That seems to fit more with the contract argument. Without the data, the service (present delivery) will not be provided. It sort of blends with the legitimate interest (since the data is needed to execute the delivery), I guess. – Flater – 2018-06-05T07:45:23.347

@Flater, legitimate interest is the one that allows him to continue to provide services using data he already holds without having to update contract or consent (you don't need to leave an extra letter up the chimney to cover GDPR). – Separatrix – 2018-06-05T07:56:54.673

@Separatrix: Which applies when you read the title ("keep his lists") as in "retain the existing lists", but not when you read it as "continually track naughty and nice children". One would assume that Santa is still collecting new data, including on new children. – Flater – 2018-06-05T08:04:40.813

@Flater, now that's where legitimate interest gets interesting. A new "good" child would have a christening, this data would be available to those with an interest. Consider a job website, you apply for a position and in doing so make your contact details available to recruiters other than the one you have applied to directly, you have a legitimate interest in them contacting you with related jobs. In this case you have an aspiring "good child" who would have a legitimate interest in being "contacted" by Santa for the rewards for good behaviour. – Separatrix – 2018-06-05T08:20:05.727

@Separatrix: That would imply that children are publically posting whether they're naughty or nice; which somewhat defeats the purpose of checking up on them. Every child thinks that they're nice. Not every child is correct in that assertion. Santa is clearly checking up on them in ways that surpass what the child chooses to advertise about itself. Unless the parents are sending objective evaluation letters to Santa about their children. – Flater – 2018-06-05T08:34:55.073

1I challenge the "Contract" part. Santa does not hold information about how good or bad I have been since I sent him the letter, but of all of the year (otherwise I would not get so many bad presents). Since this is data that he cannot legitimate obtain after the fact (i.e. I do not write it down in my blog so he can check it), it is evident that he has been monitoring my acts before we were in a contract. Privacy issues apart, Santa cannot claim "contract". – SJuan76 – 2018-06-08T12:24:19.843

@SJuan76 but you sent him a letter last year didn't you? That was what made the contract to allow him to observe your activities to determine whether you are naughty or nice. If you keep sending a letter every year then you keep renewing the contract. This only wouldn't work for the first year you receive a present, but as babies who can't write can still receive a present from Santa I presume parents send the letter and make the contract and that the first present you receive is probably generic and based on the assumption a baby can't do much that is naughty. – adaliabooks – 2018-06-08T12:37:52.157

I did sent him a letter for last year gift. After that the contract is no longer valid, as the present has been delivered and the condition for its delivery were my past deeds (no refunds if, just after receiving, I started torturing my pets). So after this year's present is in my hands Santa has no right to keep collecting my info. – SJuan76 – 2018-06-08T12:59:38.117

@SJuan76 I don't think that's the contract your signing. You receive a present once per year on the provision that you are good. For Santa to know you have been good you have to allow him to gather, store and process the necessary information. Continued contact through letter writing each year suggests you accept these terms of use, it's in the fine print. – adaliabooks – 2018-06-08T13:26:03.197

Santa already exempts himself from the petty concerns of local laws. He invades sovereign airspace each year and unlawfully enters private residences.

The GDPR seems to be a lesser violation compared to others he willfully commits each year.

Why should he concern himself with the GDPR?

Michael Richardson

Posted 2018-06-04T13:54:38.257

Reputation: 9 315

42Who is to say Santa doesn't have bilateral treaties with every country in the world that allow him to enter their airspace? I have never seen any country complain about him violating their airspace, yet. – Polygnome – 2018-06-04T21:04:48.510

25@Polygnome The same would apply to entering private residences. I haven't heard of any complaints to the police about it and Santa doesn't seem to be on any police wanted lists. – CJ Dennis – 2018-06-05T00:46:54.733

29@Polygnome NORAD has been tracking Santa's movements for over 6 decades. It's not like his flight path is much of a secret. All countries on his route have been readily informed about his exact location during his flight, and not one single country has objected to Santa in their airspace. I'd say that definitely falls within implied consent. – Shawn – 2018-06-05T15:05:01.973

3I think the whole point is the absurdity of Santa concerning himself with the GDPR. – Klik – 2018-06-06T00:36:27.020

3All of this and to say nothing about owning all those slave elves, forced to make toys all year long without even getting coffee breaks. – Chris Charabaruk – 2018-06-08T16:06:20.173

1@Shawn That because Santa can blackmail every politician of every country. Of course they're not going to do anything. – PyRulez – 2018-06-10T00:58:42.163

The airspace use is perfectly above board. You can just google the NOTAM's (Notice to AirMen) that are routinely issued late December. E.g. https://newsroom.airservicesaustralia.com/images/notam_2015 @Shawn is right that countries have been informed; even the other pilots are informed.

– MSalters – 2018-06-10T01:17:55.693

1@ChrisCharabaruk how do you know those elves aren't volunteering their labor? Or that they aren't getting coffee breaks for that matter? – levininja – 2018-06-13T19:51:56.427

I would like to add, that Santa also doesn't care about the laws of physics, especially the thing about not being faster than light. – Christian – 2019-09-28T21:23:55.423

Everyone gets the same present - a letter about sending your personal data

This year we will all get a letter about the updated general terms and conditions and how you will be required to send a certain set of information to Santa so that he may send you your presents next year. Everyone will be required to send their address, name and age. You will also have to allow your parents to send Santa the data about you being nice or naughty. In case you don't want to disclose the naughty-or-nice information you will receive a generic probably-not-that-naughty present, which will most likely consist of old chocolate he found lying around in the elven workshops.

Be careful to send your data as fast as you can. It will be harder to get into contact with Santa after the timeframe he had allocated for everyone to send in their address, name and age. If you don't send that information you will receive nothing because Santa is not allowed to use your address any longer. If he still sends you something you can sue him - and thereby make sure that lots of children will cry because they won't get any presents after the EU is done with Santa. Good job, now it's clear on which list you are...

There is also talk about Santa cooperating with the Easter Bunny in 2019 for a late present delivery.

Sec SE - clear Monica's name

Posted 2018-06-04T13:54:38.257

Reputation: 17 035

I agree on 90% of this. I just think that instead of a generic present, you will get nothing, since he needs your address to deliver and addresses are also personal data. – Renan – 2018-06-04T14:09:46.523

@Renan That was about the nice-or-naughty information from your parents. If you don't send your address he obviously is not allowed to send you presents and you could instead sue him. – Sec SE - clear Monica's name – 2018-06-04T14:11:14.157

26"We've updated our privacy policy" is already a meme, I can't wait to see the world's collective faces when they wake up on Christmas morning to find it in their stockings as well. – F1Krazy – 2018-06-04T14:21:53.930

2If he's sending presents to everybody then he doesn't need to keep track of our addresses. He can just deliver to note to every house. – Yay295 – 2018-06-05T07:37:02.800

In order to receive presents, you will be required to opt-in to having your personal details stored so that Santa can ensure you receive advertising that is relevant to your interests. You must also consent to Santa sharing your information with other parties, including the Tooth Fairy and the Easter bunny. The use of the information includes, but is not limited to, targeted advertising for dental treatments. – John Gowers – 2018-06-06T12:45:06.057

I'd like to take another route to answering your question:

He simply doesn't care.

For years, he has been punishing kids and breaking into houses; despite attempts from kids and governments, he has never been caught. He doesn't have an aviator's license or a landing permit for his sled, while flying very close to houses and otherwise endangering people.

Though, if you put him to a D&D scale, he may be chaotic good, he is nonetheless chaotic: he breaks the law to reach his goals.
I'm certain he doesn't pay VAT on his gifts. Also, the working conditions of his elves are questionable.

But it's the same with every other criminal:
As long they can't catch him, he will continue.

Swizzler

Posted 2018-06-04T13:54:38.257

Reputation: 361

2I was getting tired of the "your privacy is (suddenly) important to us (because the law forces us to)". It would have been refreshing to get at least one e-mail from Santa Inc honestly stating "we don't care about your privacy". – CompuChip – 2018-06-14T07:52:53.777

Note: This answer pertains to Santa Claus, as distinct from St Nicholas, Sinterklaas, Krampus, etc. - as per the question.

He is not bound by GDPR.

an entity or more precisely an "enterprise" has to be engaged in "economic activity" to be covered by the GDPR

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

What qualifies as "economic activity"? I'm glad you asked:

... the Court determins that an activity is economic on the basis of two criteria of agreement and renumeration

(from https://www.springer.com/cda/content/document/cda_downloaddocument/9789462651166-c2.pdf )

I do not agree with other posts that the recipients of the gifts agree (in the legal sense, nor in any sense that would stand up in court). I am not aware of any way a person can "agree" to be the recipient of gifts from Santa (there are obvious ways to object, of course).

Santa Clause also does not seem to meet the criteria for remuneration. He brings "gifts" or "presents" (https://en.wikipedia.org/wiki/Santa_Claus); "A gift or a present is an item given to someone without the expectation of payment or return" - https://en.wikipedia.org/wiki/Gift

In many cultures, something that may be considered payment is left for Santa (e.g. milk & cookies in the US & Canada; sherry or beer and mince pies in Britain & Australia; rice porridge in Denmark, Norway & Sweden); however, I can find no source that indicates that failing to leave these items will result in suspension of gifts. - https://en.wikipedia.org/wiki/Santa_Claus

Also:

'enterprise' means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

As far as I can tell, Santa Clause is neither a natural nor legal person. Human Beings "acquire legal personhood when they are born (or even before...", juridical persons "acquire legal personhood when they are incorporated" (https://en.wikipedia.org/wiki/Legal_person). I am not aware of Santa Clause having been born, nor incorporated.

Addendum:

There was a question if "being nice" qualifies as remuneration. I would argue against this for the following reasons:

If an item is traded for remuneration, it is, by definition, not a present. The items are clearly declared as presents.
Santa is not the recipient of the "niceness" (in almost all cases).
Although it is clearly document in "Santa Claus is coming to town", (H. Gillespie et al.) that "he's going to find out who's been naughty or nice", "He knows when you've been bad or good" and "He's making a list", there is nothing in this thesis that claims that this list affects the presents. Wikipedia claims it does, but none of the sources it cites (that I checked) back this up. Does anybody know of a reasonable source for this, or is it just an urban myth? Does anybody know of a child that has not received a present, because they were naughty?

AMADANON Inc.

Posted 2018-06-04T13:54:38.257

Reputation: 1 201

3"Santa Clause"? That's a nice slip of the tongue... – dim lost faith in SE – 2018-06-09T18:27:10.640

Sorry, English is my second language. – AMADANON Inc. – 2018-06-10T22:10:16.520

One could argue that being nice would satisfy as renumeration, and thus deemed as payment for services, or 'the present'. – fantasitcalbeastly – 2018-06-12T14:14:54.973

Answered in the addendum. – AMADANON Inc. – 2018-06-14T02:47:01.663

Santa will no longer be giving presents in EU region. Santa will only provide means of transportation for Ded Moroz who exist in time pocket created in USSR in 1946 and as a citizen of USSR is not obligated by EU law as law cannot work backwards.
So your future present WAS delivered before GDPR.

SZCZERZO KŁY

Posted 2018-06-04T13:54:38.257

Reputation: 19 725

3But Santa is based in Lapland, which is in the EU, so he is bound by EU law even for operations outside the EU. – Mike Scott – 2018-06-04T14:08:03.317

2@MikeScott only when processing personal data you need to disclose agreement between data processor and collector. Santa is DRIVER. He don't ask questions. – SZCZERZO KŁY – 2018-06-04T14:11:13.220

@MikeScott no, Santa is based in Canada nowadays.

– Renan – 2018-06-04T14:55:58.387

2I thought he was based at the North Pole? – colmde – 2018-06-05T08:38:22.620

@colmde He is, and he gets his mail via the Alaskan USPS. Renan is linking to a Canadian troller's prank redirecting the mail in that country to Montreal because it allows a postal code to read H0H0H0. Mr Scott is referencing the British impostor 'Father Christmas', who had to be created by HM's Government to keep up spirits in WWI, given that British children were generally exploited as coal sources by unscrupulous parents during the Victorian and Edwardian eras.

– lly – 2018-06-12T23:48:16.550

IANAL but here is my take of things.

In a nuthsell, GPDR requires any businesses/organizations/pineapples that have users in the European Union to:

Disclose what they do with the info they have on you, and why they need it;
Disclose with whom they share that information, and what those other businesses/organizations/pineapples do with it;
Allow you to order them to "forget" you. Once you give them the order, they (and their partners) have to delete all your data that can be used to identify you.

All within limits of reasonability, of course. You can't order the government or a bank to forget that you have not paid your credit card bill and your income tax in months, for example.

Santa has to adhere to the GDPR only for some europeans. For starters, many european countries are not members of the EU, such as Norway and Serbia. Santa Claus also does not operate in Italy.

What would most probably happen is that the elves in charge of Santa's legal department will have sent every parent or legal guardian in the 28 (soon to be 27) member states a letter around May 25 stating that:

They collect personal data from their children in order to assess a naughtiness score;
They are the keepers of the data. The processors of the data are Tencent and Alibaba, two chinese companies that specialize in social credit systems;
The legal guardian or parent may choose to opt-out of the system at any time, if they so wish. They may also request their children's personal data removed from the system at any moment, no questions asked;
However, opting out means their kids will never receive christmas presents again, at least until they join the program once more. Gifts not received due to non-participation will not be resent when they rejoin;
Participation does not imply in presents. Should a child receive a low reputation score due to naughty actions, they may instead receive a lump of coal, a visit from Krampus, or whatever punishment is seen as fit for the culture of the country where they live.

Adults capable of having children will also receive a notice that in the future, they will have to manually input any future children's data in the system if they wish to receive christmas presents. Of course, people who have opted out of any social credit system will not receive such messages.

Finally, Santa will not be the only one sending such letters. So will every imaginary folklore people who bring any joy to kids:

The tooth fairy (and her rat affiliates in France) will promise that any data linking fallen teeth to their owners is anonymized;
Sandman will make sure that parents/legal guardians dream with his new EULA ASAP. Their children will not have sweet dreams until their parents agree to it. Should they opt out, their children will have neither dreams not nightmares.
When winter comes, rather than patterns on windows, people will see Jack Frost new service terms, and a couple of ice buttons for opt-in and opt-out;

The Easter Bunny is the only one having an easy time. AFAIK in Europe he does not hide chocolate eggs for kids to look for - rather, people paint actual eggs and give those as presents. He will provide an easy opt out for people who don't want to pay him his royalties.

Renan

Posted 2018-06-04T13:54:38.257

Reputation: 79 066

2Ah! Hence the real reason for Brexit. – Magoo – 2018-06-05T19:17:57.397

Santa only has output; no income. Therefore, if EU decides to prosecute for an alleged violation, the prescribed percentage penalty is not a burden. Besides, EU has no courts at the North Pole, and no extradition treaty. So it will be hard to collect that penalty of €0.

WGroleau

Posted 2018-06-04T13:54:38.257

Reputation: 817

9Actually it's 4% of annual global turnover or 20 million €, whichever is greater. – Peter Taylor – 2018-06-06T08:37:16.990

In other words, if anyone smaller than Amazon goofs, EU wants to put them out of business. Well, there's still the jurisdiction issue. – WGroleau – 2018-06-06T16:39:26.460

4These are the maximum fines; penalties may be lower. – SJuan76 – 2018-06-08T12:12:41.210

A letter to Santa is considered to be implied consent for data storage, as the data is required for the requested delivery of presents.

This is similar to the implied consent between a patient and a healthcare provider.

Santa will use the data for the purposes of direct gift-giving, without breaching confidentiality.

If you would like to remove your data, or would like to access your data to see if you are considered naughty or nice, you will have to write another letter to Santa.

Santa will have 30 days to respond to your request. If this is in terms of working days, you should expect a reply by 2048.

Milnosh

Posted 2018-06-04T13:54:38.257

Reputation: 91

GDPR is apparently explained as General Data Protection Regulation.

Actually, and thanks to the lobbying of elves and little people, the legislature has come with that clever explanation to hide its real meaning: Gift Donors Privacy Relieved.

Santa, together with other Gift Donors, such as the Tooth Fairy, is exempted from observing the privacy of his "customers" to better serve their interest.

L.Dutch - Reinstate Monica

Posted 2018-06-04T13:54:38.257

Reputation: 132 998

If you are over 16 and have not consented to Santa collecting your personal data, it is very likely that you will not receive presents from Santa. If you are under 13, then the GDPR allows your parents to consent on your behalf, so if they have done so, you likely will receive presents. Between 13 and 16 it depends on the jurisdiction.

Acccumulation

Posted 2018-06-04T13:54:38.257

Reputation: 713

He would just remember everything himself.

He's not a regular person, he's Santa, why shouldn't he simply know all he needs to know? In fact, even under GDPR, no one is obliged to call everyone whose number they have in their head. So personal memories are very clearly exempt from the "any collection of data" clause.

Furthermore, Santa is not in any way a commercial entity and doesn't act commercially. To project our usual human assumptions about our economic system onto a being like Santa is flawed reasoning.

Felix Dombek

Posted 2018-06-04T13:54:38.257

Reputation: 171

2You don't need to call everyone whose name you have in your personal address book, either. GDPR doesn't apply to individuals, see (18): This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. – Ángel – 2018-06-13T20:18:18.230

Santa exists in a parallel world where this law doesn't apply. Children in our world who believe that Santa exists have identical copies in worlds where Santa does exist. If we give them a present and tell that it's from Santa and they believe that to be true, then what we have here is the exact copy of the child who really got that exact same present from Santa.

The moment the child finds out that Santa does not exist, the child diverges from his/her copies in the worlds where Santa does exist.

Count Iblis

Posted 2018-06-04T13:54:38.257

Reputation: 1 569

"then what we have here is the exact copy of the child who really got that exact same present from Santa." Conversations overheard from parents will not be the same. The worlds will diverge in other ways, and very quickly will not be reconcilable. – wizzwizz4 – 2018-06-06T18:18:35.223

This was kinda my "answer", too. If you've watched "Miracle on 34th St.", Santa says that he, his North Pole abode, the elves, etc. live in the "magical" world, not ours. Our rules don't apply there! By the way, "I believe!!" – Jack R. Woods – 2019-03-04T17:48:22.753

Santa did forsee this decades ago. Once he understood where our law-addicted society was headed, he instructed his huge apparatus of elven servants to foster the belief that he didn’t exist. This strategy has been so successful, that no member of the EU executive dares taking action against him, for they would be branded as crazy and sent to uncomfortable places. In fact last year around Christmas I saw something big and distinctly sledge-like in the sky. I was naive enough to point it out, but when I heard someone at the table mutter „97, hampf, dampf, retirement home“, I started giggling and pretending to be drunk...

In fact, the day after I was visited by a strapping young elf who made clear that Santa didn’t wish... Oh, let me get the dooooooor

Ludi

Posted 2018-06-04T13:54:38.257

Reputation: 1 496

He doesn't have to

I might point out that as he is based in the North pole, an area that doesn't fall within the EU's borders, arguably he doesn't have to technically comply with GDPR because the regulation only impacts European businesses, and Santa isn't in Europe.

How GDPR impacts countries outside of the EU is another question altogether, and is certainly a grey area legally because how would the EU enforce it's laws over that of another sovereign nation state or a company located in another country?

They could certain legislate some absurd law (sounds like great grounds for a story) but then how can they enforce against a man who travels faster than the speed of light and can disappear down small chimneys? I'd love to see some lawyers try to serve notice to the man in red in the North pole. A full arctic expedition just to serve some legal documents.

On a legal technicality, GDPR allows for data to be retained where it's needed to provide a service - in this case, knowing the address and whether they're children who meet the eligibility criteria (asleep, good) for present delivery is fundamental. Although, if he's bound to GDPR, then he's probably also bound to anti-discrimination laws regarding good and bad kids.

SSight3

Posted 2018-06-04T13:54:38.257

Reputation: 247

Although he is based in North Pole, he/his company operates in EU, and holds data on EU citizens. He is very much inside the purview of GDPR. – Sahil Singh – 2018-06-08T10:25:34.820

4GDPR is extraterritorial: no matter where you are, if you are handling personal information of EU citizens or you do business in the EU, you must comply with the GDPR. This means GDPR also impacts American or Australian businesses that do business with the EU, even if those businesses are not in the EU. – doppelgreener – 2018-06-08T12:49:40.040

EU says it applies. But neither USA nor Santa's Workshop is going to even read to the end of a GDPR extradition request before tossing it in the bin. – WGroleau – 2019-08-30T01:45:06.173

Extortion.

He simply informs everyone involved in the enforcement of GDPR that if they take action against him he will replace everyone's present that year with a note explaining why they didn't get what they asked for and giving the names and addresses of those responsible.

Nobody's going to want to be the one who spoiled Christmas for everyone in the entire world. That would be a good way to get lynched.

Perkins

Posted 2018-06-04T13:54:38.257

Reputation: 3 532

The elf's head loophole

Santa could hire more elves and teach them memorization techniques for committing all the personal information to memory. The elves would self-organize into groups by cities and would then label themselves with their city region that they have memorized.

Santa can then have easy access to the data without violating any GDPR restrictions.

I'm not a GDPR expert but I can't imagine it prohibiting people (or elves) from remembering personal information. To stop Santa from using this loophole I guess the next move for GDPR is to prohibit systematic memorization of personal information.

But until then Santa is likely to be wanting an AI for predicting which presents that are going to be popular next year so that he can get his elves producing them already. We better stop him before he attempts to do this because it will require quite a few elves in some really ridiculous jobs. Although it would be a really impressive setup of elves!

Vegard

Posted 2018-06-04T13:54:38.257

Reputation: 127

6That would violate GDPR. In this case the elves are both drivers and processors of data, and the fact that they are making commercial use of that information makes them susceptible to the law. – Renan – 2018-06-06T11:55:50.413

@Renan; +1 You’re probably right, as it sounds sensible. I guess where I’m trying to go is to the question of what rights do we have to know things, and what rights do we have to use that information in a commercial setting.

So where exactly are the boundaries drawn between data that one have in one’s head and data on a computer? Say a company hires someone that know a lot about some people in some community, would that company be affected by GDPR? – Vegard – 2018-06-07T09:22:15.363

if the company makes use of that knowledge, then yes. – Renan – 2018-06-07T10:14:17.340

5Art 2.1: "*This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system*" (my emphasis) – Peter Taylor – 2018-06-08T18:21:09.543