It’s the Most Wonderful Time Of The Year… To Be GDPR Compliant.

Dan Dowen, an associate in our commercial department, considers the GDPR implications of sending out corporate Christmas cards.

As we enter the season of merry festivities, we have started to receive some interesting questions about GDPR, such as, when Santa Claus makes his list of children’s names, is he in contravention of GDPR and should he be reported to the IC Ho Ho Ho?!

Bad jokes aside, there are many misconceptions flying about regarding GDPR, and in the last few weeks, one of the most common questions raised with us is whether organisations can send corporate Christmas cards to their clients without explicit consent.

Well, the death of corporate Christmas cards appears to have been exaggerated and it is still recognised that sending cards is a valued way to stay connected with clients. To put it simply, you do not need the recipient’s consent before sending a corporate Christmas card. Notwithstanding this, organisations still need to ensure they are GDPR compliant and the following pointers should help in making sure you don’t fall foul of the regulations:

  • Any marketing lists should be accurate and up to date. This is one of the core principles under GDPR and an ongoing obligation that should already be complied with. However, if you are yet to update your marketing list, then now is the perfect time! Make sure that your organisation is not sending Christmas cards to those who have previously objected to receiving them, in order to respect their right to object, or to those who have not dealt with your organisation for many years.
  • Consider whether the card is coming from the business as a whole or from a specific department of your business. If your organisation has 5 different departments, you should ensure that the individual does not receive the same card 5 times!
  • Make sure it is only a Christmas card and does not contain your latest posters and flyers promoting your goods and services. Any move towards this may be considered as direct marketing and further GDPR compliance would need to be considered.
  • Finally, how are you sending the card? Is it going in the post? Is it going by email? If the latter, then be sure to comply with the Privacy and Electronic Communications Regulations (PECR), which sit alongside GDPR and provide rules on electronic marketing.

To wrap it up, subject to the above considerations, it is unlikely that a business will suffer major consequences from sending Christmas cards to an unwilling recipient. However, it might be an indication that your approach to data protection needs looking at, before it leads to many more issues of a fundamental, and potentially costly, nature.

If you have any questions about GDPR or any commercial matter, please contact Dan Dowen at or alternatively please call 029 20 345511 and ask for the commercial team.