I have a few questions for you about how you are managing my personal information. Now, this is not a formal “subject access request”, nor a “right to be forgotten” demand at all, but, Santa, I just wanted to be sure that you are managing my personal data in accordance with applicable law.
I am aware that you are located at the North Pole and do not have legal entities in any specific jurisdiction, but you may also be aware that many privacy laws do have an extra-territorial application, and this year a number of EU member states as well as regulators in the USA and Canada have applied their privacy and marketing laws to operations outside their jurisdiction simply because their citizens' data are being remotely collected and processed!
You know that “Nice” and “Naughty” list you keep, Santa? Well, I am worried that you may have been doing some considerable profiling about me and that my personal data is not “accurate and up to date” as the law requires. I mean, I am not perfect, I admit, but I think that overall in the past year I have enough big data out there about me to put me firmly in the “Nice” category, don’t you think?
So where are you getting all this personal data about me please? My mum and dad probably consented on my behalf when I was a child, but now I am a bit more grown up, I am not sure that their consent still applies. Even if it is implied that you can process my personal information for “legitimate purpose”, I worry that your “little helpers” and also the shops you have reseller arrangements with may be sharing a lot more data about me than I have consented to. Also, if you are crawling over my social media and online activities, this may not be something for which I have given permission and you may be getting too “naughty” an impression about me.
Another concern I have is that you may be using third party list brokers to enhance the data you have about me, and as you know a number of regulators are currently concerned about the ethics and efficacy of the way in which those brokers compile and sell personal data, so I worry that you may have toxic information on your database.
While I think about it, the other thing is that you may want to check the quality of your data, because last year one of my few presents was a pack of personalised golf tees, but they had someone else’s name on them! I asked my wife if she knew who “Sexy Simon” was but she said she didn’t. She added that I could still use them when I next played a round, and I guess I can still use them to rest my balls on, but I still wonder how I got Simon’s present and what he got from you that was really mine?
Finally, please let me know that you are taking steps to keep my data secure, as I would hate to have my wish list all over the dark web, and if you are using big data analytics to compile the “Nice” and “Naughty” list, can you use a narrow definition of “Naughty”?
Robert Bond, December 2015
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.