The time has come. Tinsel is up, chestnuts are roasting, and Santa is preparing his “Naughty or Nice list”. However, in this time of tradition, should we be thinking of the new data protection laws? Is St Nick in breach of the GDPR?

Well, he might be. Having a list of all the boys and girls is not as simple as it used to be. Many schools have ended up in a pickle when parents asked for a class list to help their children write Christmas cards. It seems a pointless worry; kids know all their classmates already, but in terms of the GDPR, a school should not provide that personal data without consent. Not only would it breach the GDPR, but confirming a child attends a certain school could put that child’s safety at risk. Either way, if you’re asked for a list of names in a class, the answer will likely be no.

So, what about Santa? We know Santa has a list of every child in the world! In fact, as he sees when you are sleeping, and he knows when you’re awake, Santa is collecting personal data all the time. How do we know he’s holding our data responsibly? When he gives our wish lists to his elves, is he breaching our personal data?

That really depends on whether Santa is in scope of the GDPR. If Santa is an individual, who provides presents out of the goodness of his heart, then he doesn’t need to worry about our new data protection laws. However, if he and his helpers are an organisation, compliance should be at the top of his to-do list. He really should ask permission from us all to judge our worthiness for more than a lump of coal.

Unless of course, Santa is a public body. If we signed Santa’s role into law, Santa could perform his task for the good of the people. Much like schools, Santa would need a Data Protection Officer, regardless of the number of elves in his employ.  While he could try to justify his surveillance as a public task, he’d still need to record his data mapping. In fact, along with your wishlist, you could send a Subject Access Request up to the North Pole.

As for his list of all the girls and boys – if our “naughty or nice” rating is processed automatically, he should have explicit consent to do so! Even if Santa makes  all the decisions himself, a list of the name and address of every child in the world sounds like a massive breach risk.


However, as with everything in the GDPR, pragmatism is key. Similar to education institutions, it’s important to find a compromise where compliance is met, and the organisation can still run. In terms of Christmas cards and class lists, you can encourage children to write their own lists. There’s nothing wrong with an individual looking around and writing down the names of the people in the room.

Where Santa is concerned, he appears to be an ageless and all-knowing creature with the ability to travel faster than light. We can probably trust him with our personal data. Although, if Santa is keen on staying compliant, keep an eye out for a privacy notice flying down the chimney soon.