Corporate Christmas cards at risk under GDPR


Emailed corporate Christmas cards could be under threat because the European Union’s (EU) new General Data Protection Regulation (GDPR) means that companies need permission to send them.

UK members of Parliament who send out Christmas cards to constituents are also being caught in the same way.

The Institute for Chartered Accountants in England and Wales (ICA) told its members that the cards may only be sent with the recipient's consent “if you can justify that you have a legitimate reason to do so”.

"You can rely on legitimate interests if you can show that how you use people’s data is proportionate, has a minimal privacy impact, people would not be surprised or likely to object and they are given the means to refuse to receive such documentation in future (NB you must adhere to any such refusal)," the ICA said. "Even so, you will need to undertake and document a legitimate interest assessment. If the documentation is sent electronically you will also need to consider whether you need consent under the Privacy and Electronic Communications Regulations."

Sharon Little, chief executive of the Greeting Card Association, told the Daily Telegraph that members of the public did not need to panic, as sending a Christmas card in a purely personal capacity would not be caught by the GDPR.

But she noted that businesses could still send Christmas cards to their customers by post. “GDPR will not stop them spreading festive cheer, unless the recipient has specifically objected to receiving marketing from that business. But why send a card to someone who doesn’t want it?” she said.

Emma Woollacott

Emma Woollacott is a freelance business journalist. Her work has appeared in a wide range of publications, including the Guardian, the Times, Forbes and the BBC.