Reading Time: 2 minutes
Jon Wilby

Jon Wilby

Partner

Just when you thought GDPR had settled down, it will undoubtedly re-surface this (and every!) Christmas. The question is whether corporate Christmas cards to clients breach data privacy rights?

There has been a suggestion in those parts of the media that love a good GDPR scare story that unsolicited Christmas greetings might be an actionable breach of personal data privacy rights. So, do you need the informed consent of the recipient of your festive greetings?

The answer, of course, is it depends.

If we’re honest about it, a Christmas greeting to a client or a business contact is no different from any other marketing communication. So, provided that your marketing database is audited and maintained under GDPR principles (i.e. that you are relying on either opt-in consent or legitimate interests and, if the latter, you have carried out an impact assessment), a Christmas e-shot is going to be ok. Anyone objecting to the unwelcome intrusion can ask you to take them off the list. However, if the communication is to a personal email address the Privacy and Electronic Communications (EC Directive) Regulations 2003 will apply (regardless of what happens with Brexit, and let’s not go there) which require that you must have obtained the consent of the individual to receive unsolicited communications from you via that email address.

So, an appropriate Christmas greeting to a business client using their business email is fine as long as your database complies with GDPR but any unsolicited email to a personal email address requires informed consent.

The good news for Santa and any traditionalists out there who can afford the cost of a stamp is that the PECR regulations don’t apply to postal communications so an actual card (or a letter from Santa) through the post or delivered personally will always be fine.