You’ve probably all seen this joke before. This tweet is the earliest mention I can find but please do correct me in the comments if you have an original source!
He’s making a list
And checking it twice
Gonna find out who’s naughty & nice
Santa Claus is… in breach of the Data Protection Act (1998)
There have been a few “take downs” of this joke but @joelgsamuel/santa-claus-the-general-data-protection-regulation-gdpr-57f1571e7de8" target="_blank" rel="noopener">this one is probably the most thorough.
My take is that whether you are naughty or nice might be considered special category data and he needs specific consent to process that. He’s presumably collecting the naughty/nice data from elsewhere too, and doesn’t appear to notify anyone that he has obtained it. And I am sure he is making decisions using automated processing to which you haven’t been able to object.
But that is not why I am here today.
I am not a data protection “expert” but I reckon I know more than most. In the UK, the Information Commissioners Office (ICO) is responsible for enforcing the data protection rules. However, there must be thousands of insignificant breaches of the DPA everyday that the ICO will never hear about, let alone touch.
Personally, it makes me VERY cross when people misuse my data. I can’t take any legal action against them but I can name and shame them. So I am going to.