Site navigation

Santa Claus | Does His Naughty or Nice List Breach GDPR?

Michael Behr


Santa Claus

Santa Claus may be capable of visiting every child in the world in one night, but can he keep tabs on them without breaching GDPR?

Few pieces of legislation have impacted our digital lives as heavily as GDPR. From the obligatory cookie warnings on websites to the fears about how companies store and protect data, virtually no EU citizen – or company – is beyond its watchful eye.

However, there is one person who seems to have avoided the attention of the Information Commissioner, despite their questionable data practices. Somebody who maintains a complete database on every child in the world, who has so proved uncommunicative with Freedom of Information requests, and whose use of our data has significant impacts.

That person is, of course, Santa Claus.

At the Data Protection Virtual Summit earlier this month, Global Data Protection Controller at Pladis Global Transcription Toby Hayes provided crucial insights into whether Santa Claus can maintain his infamous naughty or nice list without contravening GDPR.

“Let us assume that letters sent up chimneys or given to Santa Claus in a shopping mall are indications of membership of the Santa Claus club for children,” he said. “They are indicating that yes, I want to sign up with Santa Claus.

“If you look at his origin story, it has a religious or spiritual origin – Saint Nicolas was certainly a saint with Turkish origins.

“So, if we assume that North Pole Enterprises is a religious or spiritual membership body, then it is reasonable to argue that Santa is acting during his legitimate activities. Obviously, he needs appropriate safeguards in place, but he can operate without consent under Article 61F – legitimate interest.

“But I do appreciate, we are dealing with children’s data here, so, there are many layers of potential complication.”


However, considering Santa Claus enters houses without consent, and maintains an unpaid workforce, breaching GDPR is probably unimportant for him since he regularly breaks the laws of physics.

With Santa Claus’s net worth estimated at approximately $51 trillion, we can estimate that he has made around $25.5 million per year for the last 2000 Christmases. Therefore, he would be subject to a 4% fine of annual global turnover, or around $1 million, in the event of a data breach.

However, with nobody having located his North Pole workshop, and seemingly no internet connections for cyber attackers to exploit, the chances of this are remote.

Michael Behr

Senior Staff Writer

Latest News

%d bloggers like this: