What data can Santa keep?
“In the first place, as set out in Art. 6 Para. 1 GDPR, Santa needs to make sure he has the consent of every ‘data subject’ on his lists for the processing of his or her data,” according to Benner.
“The consent must be given freely and without any kind of coercion (no offer of a special gift for children who sign up, for example). The customers must also be fully informed before they give consent: who is responsible for the data processing (Santa must not hide his identity when he seeks consent), and what the specific purpose of the data processing is, because there is a strong obligation to fully inform data subjects. If there is more than one purpose for the data processing, then the consent must specify all of them.”
Added to this, Clarissa Benner warns that “Consent should also be in writing (bear in mind for future letters to Santa!), in order to comply with the need for proof as set out in Art. 7 Para. 1 GDPR.”
How long can he keep the data?
“Here, a lot depends on the purpose for which the data subject has given Santa his or her personal data,” she continues.
“1. If Santa has only been given permission for data processing for Christmas 2017, then he has no choice but to erase the data after the present giving. This is dealt with in Art. 17 Para. 1 GDPR: ‘the obligation to erase personal data without undue delay [when] the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.’”
“2. However, if consent has been granted for data processing for Christmas 2017 and the following years, Santa does not need to delete the data, and can use them again in the following year. That is, unless the data subject decides he or she is too grown-up and cool to be visited by Santa anymore – then they can withdraw their consent and Santa will need to remove them from his database.”
How should the data be stored?
“Santa must not under any circumstances store the data so that it is open and accessible for anyone to see. He needs to take the required technical and organizational measures, as set out in Art. 32 GDPR.”
Santa needs to be aware that the key concepts here are:
– Guaranteeing confidentiality;
– Guaranteeing integrity;
– Guaranteeing availability;
– Guaranteeing the resilience of the systems;
– Processes for reestablishing availability of personal data after a physical or technical incident;
– Processes for the regular auditing, assessment, and evaluation of the effectiveness of the technical and organizational measures.
Does Santa need a Data Protection Officer?
“Given that Santa comes from the North Pole, and is therefore not based in one of the EU Member States, he needs to have an ‘EU Representative’, as spelled out in Art. 27 GDPR. This person needs to act as a contact point for all data protection-related questions from EU citizens, and also functions as the contact to the supervisory authorities,” according to Benner.
All said and done, Santa should make the most of post-Christmas lethargy to get a bit of data housekeeping done.