If you send Christmas greetings to customers and business partners, perhaps even using AI tools, there are a few legal requirements to bear in mind. With our guide, nothing will stand in the way of peaceful holidays.
Regulation of festive greetings
Sending Christmas greetings – whether by e-mail or post – is a tradition for many companies and is part of good manners. In these increasingly difficult economic times, Christmas greetings are even more important to maintain business and customer relationships.
But beware: When you send out Christmas greetings, you may be processing personal data. If so the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018) must be observed.
Artificial intelligence (AI) is also being used increasingly, for example to create texts or images, design cards, or automate shipping processes. However, the provisions of the UK GDPR and DPA 2018 also apply without restriction to the use of such systems if personal data is being processed.
In addition, the UK regulations governing marketing must be taken into account, namely the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
The reform of the UK data protection law (the Data (Use and Access) Act 2025) has raised the fines for breaches of the PECR. Breaches of the PECRs rules will now be fined in accordance with the UK GDPR and DPA 2018, meaning that fines of up to £17.5 million or 4% of a business’s global turnover for breaches of certain regulations under PECR are now possible.
So, a non-conformity when sending out this year´s Christmas greetings may be very costly.
Use of AI in the creation of Christmas greetings
Many companies already use AI to generate text and images for Christmas greetings, create motifs, or automatically personalise content.
The following applies in terms of data protection law:
- In open AI systems, no personal data of the recipients may be processed (e.g., name, e-mail address, purchase history). This would be a violation of the UK GDPR, as the data protection requirements have not been fulfilled.
- AI may therefore only be used for generating general text, images, or design templates.
- The actual personalisation should only take place in the internal system (e.g., CRM).
- If an AI tool is used to process personal data and is acting as a data processor, a data processing agreement in accordance with Art. 28 UK GDPR is required.
- The use of AI should be made transparent in the privacy policy if it is part of the actual processing process, meaning the AI receives personal data.
The use of AI does not change the legal classification of Christmas greetings – these are still considered direct marketing and must follow the same UK GDPR, DPA 2018 and PECR rules as traditionally created greetings.
Marketing to individuals
In the UK direct marketing via electronic mail to individuals is regulated by Regulation 22 PECR. Christmas greetings count as direct marketing in the UK. Below we shall explain how you may send Christmas greetings to individuals (including sole traders and some partnerships) in a compliant manner.
Christmas greetings by e-mail to individuals
Consent is required in terms of Art. 6 (1) (a) UK GDPR from the individual in order to send them direct marketing messages, such as Christmas greetings, by means of electronic mail i.e. e-mail. It is therefore recommended to send Christmas greetings directly by e-mail as part of an existing newsletter in order to avoid the need for separate consent for Christmas greetings.
Alternatively, the PECR provide for a so-called soft opt-in by the individual. The soft opt-in applies to existing customers and is an exception to the general prohibition against direct marketing via e-mail. Marketing e-mails may be sent to existing customers if:
- the contact details of the recipient have been obtained in the course of a sale (or negotiations for a sale) of a product or service to that individual;
- the e-mails are only marketing the company´s own similar products or services;
- the recipient is given an opportunity to refuse or opt-out of the marketing, at the time their contact details are collected and in every received marketing e-mail thereafter; and
- the recipient has not objected to receipt of the marketing e-mails.
When sending Christmas greetings via e-mail based on a soft-opt in, the legal basis for processing the personal data is your legitimate interest according to Art. 6 (1) (f) UK GDPR. The legitimate interest usually being the maintenance of good customer relations or improvement of the customer relationship. If the conditions of the soft-opt in are not met, it is highly recommended to send the Christmas wishes by newsletter (i.e. consent has been given) or by post.
Note: These same rules apply to texts, picture messages, video messages, voicemails, direct messages via social media or any similar message to individuals that are stored electronically.
Christmas greetings by post to individuals
No consent from the recipient is required for sending Christmas greetings by post. Sending greetings by post is permissible if there is a legitimate interest in accordance with Art. 6 (1) (f) UK GDPR for the data processing and the rights and freedoms of the data subjects do not prevail.
As stated above already, Christmas mail serves to maintain business and customer relations, something in which companies have a legitimate interest. A balancing of the conflicting interests will therefore regularly turn out in favour of the responsible company.
However, one should screen the addresses to see whether any of them are registered with the Mailing Preference Service (MPS). If so, these addresses do not wish to receive unsolicited advertising material by mail, including Christmas cards. These addresses should not be contacted.
Christmas greetings to businesses
The PECR do not prohibit direct marketing via e-mail to businesses. However, the data protection requirements when e-mailing employees at a company who have personalised email addresses must be met. Namely, these employees must have been informed about this use of their data in terms of Art.13 or Art. 14 UK GDPR.
The appropriate legal basis for the processing of their personal data would again be your legitimate interest according to Art. 6 (1) (f) UK GDPR. The legitimate interest usually being the maintenance of good customer relations or improvement of the customer relationship.
General marketing rules under the UK GDPR
Information duties also apply to Christmas greetings
Regardless of whether you send your Christmas greetings by e-mail or post, you must always inform about the data processing when the data is collected (Art. 13 UK GDPR) by providing an information notice/privacy policy. Therefore, at the first customer contact, the use of the provided data for sending Christmas greetings should be pointed out in the information notice/privacy policy and the customer sufficiently informed. Remember to also attach the necessary information notice/privacy policy to the Christmas greetings via a link or QR code.
Note on the use of AI: If AI is an integral part of the processing (e.g., automated text personalisation within an internal AI solution), this should also be stated in the information notice/privacy policy.
Right of objection
In addition, the responsible company must inform the customer about the right to object within the meaning of Art. 21 (2) UK GDPR within the information letter / privacy policy at the time of the first communication both by e-mail and by post, if not earlier. If the customer has objected to the use of his/her data, they may no longer be sent a Christmas greeting.
Right of withdrawal
If you use the legal basis of consent, i.e. if you send your Christmas greetings as part of a newsletter or have obtained consent for sending Christmas greetings by e-mail, it is also essential to refer to the right to withdraw the consent given when contacting the customer. It is important that the withdrawal is no more complicated than the giving of the consent. One possibility is to provide an unsubscribe link in the footer of the e-mail.
Conclusion: Christmas greetings are to be handled like direct marketing communications
Whether sending out Christmas greetings from your company, always observe the regulations of the UK GDPR, DPA 2018 and the marketing regulations on sending out direct marketing communications. Above all, remember to provide your privacy policy and information in accordance with Art. 13 UK GDPR. Then nothing will stand in the way of a peaceful Christmas.