Nowadays people are much aware of their rights for privacy. We wouldn´t like other people to know when we´re sleeping and when we are awake not to mention whether we´ve been bad or good. However, this information is being processed and I am not talking about Facebook or Whatsapp. I am talking about Santa who can be seen as a pioneer for collecting and processing personal data. But nevertheless, he wanted us to check whether his business is in order relating to privacy issues.
First of all we need to make sure he has a legal ground for processing personal data. Personal data can be processed if it happens in order to protect the vital interest of the data subjects. Aren´t receiving gifts a vital interest? But what if you´ve been bad? Maybe the legal ground lies in the end in the connection between the data subject and the operations of Santa? After all Santa only collects data from those believing in Santa.
The next question is what information can be collected. It must be appropriate and justified to process personal data. Santa doesn´t really need the information of one´s sleep or does he. Would that explain if you´ve been bad? But what about the information of one´s behavior? That information is the core idea in Santa´s business but can it be seen as sensitive information and therefore processing forbidden. According to regulation if Santa only writes down whether you´ve been good or bad this information would not be seen as sensitive data. However,Santa shouldn´t include detailed data on criminal act, punishment or other criminal actionin his files, butjust a note of being good or bad and nothing further.
But what about the providing of information to data subjects? Everybody knows their rights to know about the processing of personal data. When collecting data the controller needs to make sure that the data subject can have information on the controller, on the purpose of the processing of the personal data and how to proceed in order to make use of the rights of the data subject. However, the providing of information is not needed if the data subject already has the relevant information. Doesn´t everybody know these about Santa?
So Santa, you are ok to go - for now. Next year it´ll be another thing when the GDPR comes into effect. Then we need to check among other things, where Santa gets the information and how long he retains it etc. But we´ll get back to those next Christmas time.