
Latest ICO Reprimand. Mr. S. Claus, Chief Executive Officer, North Pole Enterprises


To: Mr. S. Claus, Chief Executive Officer, North Pole Enterprises

Of: North Pole
The Information Commissioner (the Commissioner) issues a reprimand to North Pole Enterprises (‘Santa Claus’) in accordance with Article 58(2)(b) of the UK General Data Protection Regulation in respect of certain alleged infringements of the UK GDPR. 

The reprimand
The Commissioner has decided to issue a reprimand to North Pole Enterprises in respect of the following alleged infringements of the UK GDPR:
“personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.
“taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” 

The reasons for the Commissioner’s findings are set out below. 

Article 5(1)(f) and Article 32(1)(b)
Technical and Organisational Measures

  • You have been collecting and storing vast amounts of personal information without proper consent from the data subjects. This includes but is not limited to, names, addresses, wish lists, and even behavioral assessments of children across the globe. While we acknowledge the festive nature of your endeavors, it is crucial to remember that the General Data Protection Regulation (GDPR) applies universally, even in the magical realm of the North Pole.
  • The use of "naughty" and "nice" lists to categorize children based on their behavior raises serious concerns about profiling and discrimination. We would like to remind you that individuals have the right to fair and transparent processing of their personal data, and labeling a child as "naughty" without providing clear criteria for such judgment falls short of these principles.
  • Your mode of data transfer, namely the use of reindeer-drawn sleighs and chimneys, lacks the necessary encryption measures, posing a significant risk to the confidentiality and integrity of the information you handle. We highly recommend a thorough review of your information security protocols to ensure compliance with contemporary standards.

Aggravating factors

Moreover, your recent practice of leaving such information unattended in sacks labelled "Happy Christmas" whilst eating mince pies and drinking sherry is alarming. Not only does this constitute improper disposal of sensitive information, but it also raises questions about the security of your data handling processes as it blatantly encourages the investigation of the contents of the sack. We recommend implementing secure and GDPR-compliant disposal methods, such as shredding or incineration, to safeguard the confidentiality of the information you collect. Or at a minimum, use bags labelled "Confidential Waste" and keep them in a securely locked cabinet.

Decision to issue a reprimand

Taking into account all the circumstances of this case, including the aggravating factors and remedial steps, the Commissioner has decided to issue a reprimand to North Pole Enterprises in relation to the alleged infringements of Article 5(1)(f) and Article 32(1) of the UK GDPR set out above.

Please provide a written response outlining the steps you intend to take to rectify these concerns by no later than January 15, 2024. Failure to do so will leave us with no choice but to escalate this matter and consider further enforcement actions.

We wish you a Merry Christmas and a GDPR-compliant New Year.

Yours sincerely,

D. P. Adi-Humbug
Chief Information Commissioner
Information Commissioner's Office North Pole Division