Data protection has become an increasingly hot topic in recent years that is debated both in business and private settings. And it doesn’t really come as a surprise that data protection plays a role during the Christmas season as well – but hopefully not that of the evil Grinch who wants to spoil people’s joy at Christmas…

Personalized greetings from Santa Claus

Many people send greeting cards with Christmas wishes to customers or business partners – be it by post, e-mail or in other written form. This activity includes the processing of personal data such as name, postal address or e-mail address – which means the General Data Protection Regulation (EU GDPR) applies. The good news is that sending Christmas greeting cards by post is permitted. However, processing the name and address of the recipient must be done on a legal basis. For example, since companies have a legitimate interest (pursuant to Art. 6 (1) f of the GDPR) to maintain customer or business relations, it is perfectly legal to send personalized greetings from Santa Claus. However, in order to be 100 percent GDPR-compliant, a reference to the privacy notice must also be included on the Christmas card. In this way, recipients are informed about the processing of their personal data and about their right to object to receiving advertising by post.

Caution is advised when sending Christmas greetings by e-mail

To be on the safe side when sending Christmas greetings by e-mail, the sender is required to obtain the recipient’s express consent to receive e-mails. Some kind of reference to the right of objection must also be integrated into the e-mail. If the recipient has not expressly consented to receiving e-mails, greetings by e-mail, which are intended simply as a token of appreciation, may be considered unreasonable harassment under Article 7 of the German Act Against Unfair Competition and could be punished accordingly. In most cases, sending e-mails for marketing purposes – including Christmas greetings – is legal only when it concerns existing customers. Caution is also advised if Christmas greetings are sent out as an e-mail circular. In this case, it must be ensured that the individual recipients cannot see the other recipients’ names and e-mail addresses. Not only would this be unprofessional, it could also result in a fine under privacy law.


Nosy gifts

So what does data protection have to do with gifts? Quite a bit! More and more wish lists these days include items such as Fitbit watches that track movement and sleep rhythm, smart home devices that make life easier, or dolls that can talk. All of these devices work by processing personal data, which makes this an issue relevant to data protection law.

When purchasing technical equipment, it is always advisable to check whether data is stored and transmitted – and if so, for what purpose, to whom and whether this can be prevented if necessary. Users of devices connected to the Internet should also protect themselves from unauthorized access and be aware of the risks. Even a child’s toy with an Internet connection can become the victim of a hacker attack or other type of unauthorized access from the Internet. The recommendation for a minimum level of safety is therefore to always change default passwords and activate encryption if possible.

The onus is on businesses

Since consumers in the run-up to Christmas – a time that is full of stress as it is – certainly have other priorities than reading pages and pages of privacy notes, the onus here is on manufacturers and legislators. Manufacturers are required by the EU GDPR to implement „privacy-by-design“ or „privacy-by-default“. Legislators should monitor compliance and – if necessary – impose appropriate sanctions so that young and old can enjoy their smart Christmas gifts without any worries.

Only a few rules need to be observed to have a joyful time with gingerbread, mulled wine and Christmas music and avoid receiving cease and desist letters in a business environment. The same goes for the private domain: only a few precautions are sufficient to ensure a little more security.

All things considered, privacy probably will have a hard time becoming as popular as Santa Claus – but it’s certainly not the evil Grinch either.


Lea Probst

Lea Probst

Security Consultant

Lea Probst has been working at TÜV Rheinland as a security consultant in Mastering Risk & Compliance since 2019. Prior to this, she gained extensive experience in project management and worked as a data protection officer in the financial sector. Lea advises several companies on privacy issues and works on various projects such as data erasure strategies and requirements and inspection catalogs for data protection certificates.

More Posts

Robotik Zukunft

Safety is Still Top Priority – 3 New Robotics Predictions for 2020

From autonomous driving to autonomously acting, pandemic-resistant robots: as the robotics market develops, so do safety standards.
Diversity in Unternehmen

20,000 employees at 500 locations worldwide – #Diversitymatters

Racism and exclusion have no place at TÜV Rheinland. On Instagram the international testing service provider demonstrates its diversity.

Carbon budgets: price determines awareness

What if the various divisions of a business had climate budgets as well as financial ones? A proposal for all those tasked with making decisions.



Submit a Comment

Your email address will not be published. Required fields are marked *


No one likes popups. But you’ll like our newsletter.

Get remarkable articles on digitization, modern life, energy and technology.