REPRIMAND
Of: North Pole
The reprimand
The Commissioner has decided to issue a reprimand to North Pole Enterprises in respect of the following alleged infringements of the UK GDPR:
- Article 5(1)(f) which states:
- Article 32(1) which states:
The reasons for the Commissioner’s findings are set out below.
Article 5(1)(f) and Article 32(1)(b)
Technical and Organisational Measures
- You have been collecting and storing vast amounts of personal information without proper consent from the data subjects. This includes, but is not limited to, names, addresses, wish lists, and even behavioral assessments of children across the globe. While we acknowledge the festive nature of your endeavors, it is crucial to remember that the General Data Protection Regulation (GDPR) applies universally, even in the magical realm of the North Pole.
- The use of "naughty" and "nice" lists to categorize children based on their behavior raises serious concerns about profiling and discrimination. We would like to remind you that individuals have the right to fair and transparent processing of their personal data, and labeling a child as "naughty" without providing clear criteria for such judgment falls short of these principles.
- Your mode of data transfer, namely the use of reindeer-drawn sleighs and chimneys, lacks the necessary encryption measures, posing a significant risk to the confidentiality and integrity of the information you handle. We highly recommend a thorough review of your information security protocols to ensure compliance with contemporary standards.
Aggravating factors
Moreover, your recent practice of leaving such information unattended in sacks labelled "Happy Christmas" whilst eating mince pies and drinking sherry is alarming. Not only does this constitute improper disposal of sensitive information, but it also raises questions about the security of your data handling processes as it blatantly encourages the investigation of the contents of the sack. We recommend implementing secure and GDPR-compliant disposal methods, such as shredding or incineration, to safeguard the confidentiality of the information you collect. Or at a minimum, use bags labelled "Confidential Waste" and keep them in a securely locked cabinet.
Decision to issue a reprimand
Taking into account all the circumstances of this case, including the aggravating factors and remedial steps, the Commissioner has decided to issue a reprimand to North Pole Enterprises in relation to the alleged infringements of Article 5(1)(f) and Article 32(1) of the UK GDPR set out above.
Please provide a written response outlining the steps you intend to take to rectify these concerns by no later than January 15, 2024. Failure to do so will leave us with no choice but to escalate this matter and consider further enforcement actions.
We wish you a Merry Christmas and a GDPR-compliant New Year.
Yours sincerely,
D. P. Adi-Humbug
Chief Information Commissioner
Information Commissioner's Office North Pole Division