Data protection – made Crystal clear for Christmas

I was listening to the excellent A Christmas Gift For You from Phil Spector at the weekend, and one line in The Crystals’ cover of Santa Claus is Coming To Town caught my attention:

He’s making a list and checkin’ it twice
He’s gonna find out who’s naughty and nice

That to me sounds like processing of personal data.

Place of establishment
First things first.

Now I have always understood that Santa Claus lives in Lapland (that’s where I sent my letters, and I always got a nice reply), rather than the potential tax-haven of the North Pole. Lapland is an area covering Finland and Sweden, both of which are EU member states. Under EU data protection law, the test for which member state’s data protection regime applies is the place of establishment of the data controller – not the location of the data subject.

Accordingly, it looks like Santa will be subject to either Finish or Swedish data protection laws in respect of any processing of data relating to children in the European Union.

I tried to see whether Santa had made a notification to either the Swedish Data Inspektionen or the Finnish Data Ombudsmannes, but unfortunately my Swedish and Finnish has failed me.

Has consent been obtained?
Having established that Santa is a data controller, any processing must be in accordance with the EU Data Protection Directive (as implemented into Swedish/Finnish law). Santa should of course be setting all this out in his fair processing notice and making children aware of this before they send in their letters.

Whilst consent to processing for the purposes of delivering presents can probably be implied from a child sending in his or her Santa letter, I am not sure that this would cover the further processing that Santa might carry out to “find out” if the child has been “naughty and nice”. For example, requesting character references from the child’s parents.

In particular, if Santa is planning on carrying out criminal record checks to establish “naughtiness”, then unless Santa can argue that he exists for philosophical purposes (and therefore falls within Article 8(d) of the Directive) the data subject’s express consent will be required as this will involve the processing of sensitive personal data.

Santa should further note that “if you ask a child to provide personal information you need consent from a parent or guardian, unless it is reasonable to believe the child clearly understands what is involved and they are capable of making an informed decision.”

Covert monitoring
Listening further, it appears to be suggested that Santa has an all seeing eye – which must mean some form of covert monitoring:

He sees you when you’re sleeping
He knows when you’re awake
He knows if you’ve been bad or good
So be good for goodness sake!

It’s not clear how this is done (CCTV? Telephone tapping? Private investigator (maybe an elf)? Some form of Spooks-style computer system?), but again Santa should ensure that he gives fair notice of this monitoring, and the reasons for which the monitoring is taking place (“…to ensure that only good children receive presents from Santa”). Otherwise he risks breaching his obligations as data controller.

Perhaps he relying upon the nation’s retailers to publicise that fair processing notice though playing Christmas songs on loop from early October onwards?

Compliance with the fourth data protection principle
Whilst there may be some issues over whether or not Santa has properly obtained consent to processing, I note that Santa is careful to comply with the fourth data protection principle (“Personal data shall be accurate and, where necessary, kept up to date) by ensuring that he checks his list not just once, but twice. This should help to avoid any mistakes in the accuracy of his list of naughty children.

And finally..
If you haven’t been naughty but you still don’t get any presents on 25 December, then you may wish to make a subject access request to Santa so that you can see what information he holds about you. If the information is incorrect, then you can require Santa to fix it. Whilst this might not help for this Christmas, it should help ensure that your record is correct in time for next Christmas.

Merry Christmas!

6 Responses to “Data protection – made Crystal clear for Christmas”

  1. 1 RocíoR December 22, 2011 at 12:26 am

    Thanks for your informative reply. That’s excellent news in more than one way, should that be the case. Santa already ‘appoint[s] a representative within the EU to act on its behalf in its capacity as a data controller.’ He has a network of informers who live in most Scandinavian homes and who have rather questionable practices. These are small elf creatures – called ‘nisse’ in Denmark and Norway and ‘tomte’ in Sweden – who live in the loft and are close associates of Santa. This is how he monitors Scandinavian children.
    Whether this constitutes covert monitoring is a bit of a gray area. The household is certainly aware of the presence of Santa’s appointees during the festive period, but they are rather mischievous and capricious creatures. They have yet to formally express in writing what constitutes ‘good’ and ‘bad’ behaviour. Furthermore, there’s an implied agreement that feeding them rice pudding puts you in their good books, which amounts to bribery. Hopefully the proposed new draft will tighten rules and stop these shady practices misguidedly rooted in tradition but somehow not accountable to the Datatilsynet, the Danish Data Protection Agency.

  2. 2 RocíoR December 21, 2011 at 1:30 pm

    Great post :-)
    However, every Danish child knows that Santa lives in Greenland which has had home rule since 1979. In 1985 Greenland left the EU. The 1988 amendments that brought Denmark into compliance with the Council of Europe Convention on Privacy do therefore not apply to Greenland. It has not adopted the European Union Data Protection Directive. It makes sense that Santa would be based somewhere with less stringent data protection requirements.

    • 3 martinsloan December 21, 2011 at 1:58 pm

      @RocíoR – thanks for your comment.

      Interestingly, it looks like the European Commission is trying to close this loophole, perhaps out of concern for the welfare of children in Denmark.

      A leaked copy of the forthcoming draft data protection regulation (which would replace the current directive) states that data controllers established outside the EU, but who nonetheless carry out data processing activities directed at EU citizens, will be subject to EU data protection laws and will need to appoint a representative within the EU to act on its behalf in its capacity as a data controller.

      Whether this makes it into the final regulation is obviously still subject to discussion, and it will be interesting to see if Santa joins forces with other bodies established outside the EU to lobby against this move.

      See recital 55 and article 22 –

  3. 4 Employment Solicitors Liverpool January 31, 2011 at 6:29 pm

    We must have missed this post – sound advice on data protection laced with a pleasant Christmas theme. Solid reminders in here about the nuances of data protection law, some of which should always be borne in mind by employers. Thanks for posting.

    Employment Lawyers & Solicitors Liverpool

  1. 1 Santa’s “Naughty List” and data protection compliance « Brodies TechBlog Trackback on December 21, 2012 at 1:08 pm
  2. 2 How will the proposed data protection law reform affect Santa? « Brodies TechBlog Trackback on December 20, 2012 at 4:01 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Twitter: @BrodiesTechBlog feed

December 2010
« Nov   Jan »

%d bloggers like this: