THE traditional warning about misbehaviour at the office Christmas party has been joined by a new set of concerns that corporate Christmas cards could breach GDPR, it is claimed.

IT specialist lawyer Chidem Aliss, of Southampton law firm Clarke Willmott, said a number of lawyers were warning their clients that card lists could fall foul of the General Data Protection Regulation.

But she said that although it is important for businesses to grasp data protection rules before putting cards in the post, reports of the death of the corporate Christmas card had been exaggerated.

The maximum fine for breaching the General Data Protection Regulation is 20million euros or four per cent of annual global turnover.

“Sending cards during the festive season is a treasured tradition and a great way to keep connected with valued clients and suppliers and there is no reason that has to stop,” Ms Aliss said.

“However, it’s vital that businesses do so in a compliant manner. First, all marketing lists need to be kept up to date and regularly pruned, so that people who have objected in the past to receiving marketing material do not remain on Christmas card lists, and people who have not dealt with a business for many years are also dropped.

“Secondly, businesses need to co-ordinate their card-sending efforts, so that the same person does not receive the same card five times from different individuals.

“Information relating to religious beliefs is ‘sensitive personal data’ requiring additional safeguards. Any decision to send or not to send cards to specific recipients based on assumptions or knowledge about those individuals’ religious beliefs needs to be handled with very great care.

“Subject to the above, Christmas cards should be seen as no different from other marketing communications when they originate within a business to a business context, and people need to consider the same issues with respect to them as they would with any other marketing communication. It is unlikely that a business would suffer major consequences simply with respect to a Christmas card sent to an unwilling recipient , but it might be a symptom of a badly managed approach to data issues within the organisation as a whole, which could give rise to much more serious problems.”

Many firms now send e-cards as a green option or to save on costs. Ms Aliss adds that in this case they must also comply with electronic marketing data protection rules.

“If sending a corporate Christmas greeting electronically, people must also adhere to the Privacy and Electronic Communication Regulation (PECR) rules on electronic marketing,” she added.

“The PECR sits alongside data protection and GDPR rules and outlines specific privacy rights in relation to electronic communications. In particular, it makes consent mandatory for any direct marketing by email. There is a limited exception for existing clients and prospects, but even in this case all direct marketing communications (which would include a Christmas card) needs to offer an ‘unsubscribe’ option which is then respected for future communications.”

For PECR breaches action can include criminal prosecution, non-criminal enforcement and audit or a monetary penalty notice imposing a fine of up to £500,000. Individuals aggrieved by the use of their data also have a direct right of action.

Latest figures show the UK greeting card market is worth £1.7bn, with Christmas making up just under half. This represents 100m single and 900m boxed Christmas cards sold in the UK.

Charities estimate £50m is raised for good causes by charity Christmas cards each year.