Is Santa subject to the GDPR?
Santa undertakes large scale monitoring of the behaviour of children, including children resident in the EU/EEA. Therefore, although Santa lives on the North Pole (outside of the EU), the provisions of the GDPR apply to Santa's data processing activities within the EU/EEA.
Is Santa a data controller or data processor?
Santa monitors children to determine whether they have been good or bad and then delivers presents on Christmas Day accordingly. Therefore, Santa decides how any personal data is processed, which makes him a data controller. The elves in his workshop who package all of the presents and label them with the children's names and addresses act on his instructions, so they would be data processors, assuming that they are self-employed rather than Santa's employees.
What is the purpose and legal basis for processing personal data?
The purpose of processing children's personal data by Santa is the allocation of appropriate presents to each child. The most relevant legal basis for such processing, assuming that Santa is a public authority, would be that it is necessary for the performance of a task carried out in the public interest, although some children may claim that the actual legal basis is that the processing is necessary in order to protect the vital interests of the children.
Is Santa prepared for any individuals exercising their rights?
What if Rudolf wanted to exercise a right to be forgotten - would that mean that a certain song about his nose would need to be amended? What if a child wanted to submit a "subject access request" to find out what personal data Santa holds about her? What if a child objected to the processing of his personal data by a mythical character?
There are a number of considerations for Santa relating to the rights of individuals. The right to be forgotten is not absolute, and one exception could be the exercise of the right of freedom of expression and information (including artistic or literary expression). If a child (or other data subject) wishes to exercise one of these rights, Santa would also need to consider the age and capacity of the child and whether or not such rights could only be exercised by a parent or guardian on behalf of the child. The GDPR does not define "child" and it is left to Member State legislation to determine legal capacity. The only specific reference in the GDPR to a child's age can be found in the provision that states that a child of 13 to 16 years (depending on Member State law) may consent to the processing of personal data in connection with information society services.
What are Santa's retention policies?
This will be of particular interest to certain children, who may be wondering if records of past misdeeds are retained. Indefinite retention of data is not permitted under the principles of data minimisation and storage limitation, so the question is whether Santa deletes all records at the end of each year or retains them for the duration of a child's belief in Santa.
Does Santa require a Data Protection Officer?
Yes, Santa definitely requires a Data Protection Officer (DPO). A DPO needs to be appointed by any data controller or processor whose core activities consist of processing operations which require regular and systematic monitoring of individuals on a large scale. A DPO must be able to perform the relevant duties independently and without conflict of interest. So perhaps Santa can get together with the Easter Bunny and the Tooth Fairy to appoint a joint DPO.