The year 2018 is coming to a close. Among other things, it has brought us a new FIFA world champion, royal weddings and some less joyful things like the EU General Data Protection Regulation (GDPR). The latter could arguably cool one’s Holiday spirit—at least in some cases. For example, reportedly, the annual wish list campaign of the City of Roth, Germany, was intitally cancelled due to GDPR concerns. However, the GDPR could also affect other festive matters like sending corporate Holiday cards.
Addresses are Personal Data
Street and email addresses are considered personal data according to Art. 4, No. 1 of the GDPR, because, either by themselves or in combination with other data, they can be used to identify an individual person. Thus, if someone uses an address to, e.g., get into contact, he or she is processing personal data within the meaning of Art. 4 No. 2 of the GDPR, which is only lawful if a legal basis under Art. 6 GDPR applies.
Legal Bases for Data Processing
The legal justifications for the processing of personal data are conclusively listed in Art. 6 of the GDPR. Since obtaining consent (Art. 6, para. 1, lit. a) GDPR) will likely not be feasible for most hobby Santas (Holiday cards are meant to be a friendly surprise!), legitimate interests (Art. 6, para. 1, lit. f) GDPR) may apply. However, the reliance on legitimate interests requires a balancing act between the interests of the controller and the potential harms to the rights and freedoms of the data subjects (the recipients). According to Recital 47 of the GDPR, legitimate interest could exist, for example, “where there is a relevant and appropriate relationship between the data subject and the controller.”