Drawing up a black list
Do you, as an organisation, want to draw up a black list? For example, because you do not want to allow customers into your shop who have been convicted of shoplifting? Or to ensure that you do not hire staff who have committed fraud before? Then you have to meet the conditions that the privacy legislation sets for a black list. You are not allowed to register data about people without a good reason.
Conditions for a black list
You have to meet these 3 conditions in any case:
- Legitimate interest: you must have a legal basis for processing the personal data on your black list. In this case, this may be the legal basis of legitimate interest. To rely on this legal basis, you have to meet all the conditions that apply to legitimate interest.
- Necessity: the black list must be necessary. This means that you cannot achieve your goal in any other way that is less far-reaching for the privacy of the data subjects.
- Important interest: you must be able to make clear why your (business) interest outweighs the privacy interest of the data subjects. When assessing this, you have to look at the seriousness of the offences and the consequences for the data subjects.
In addition, you have to meet the (general) conditions from the General Data Protection Regulation (GDPR). For example, you must:
- set a retention period;
- inform the data subjects;
- properly secure the data on the black list.
Internal use of a black list
Do you use the black list within your own organisation only? Then you do have to meet all GDPR conditions, but you don’t have to:
- Apply for a permit.
- Carry out a data protection impact assessment (DPIA). You are allowed to do so, of course. A DPIA may help you meet the requirements of the GDPR.
In the case of an internal black list, having a protocol in place is not mandatory, but it is advisable. You can use it to show the data subjects how you process their data and what safeguards you provide for the proper protection of these data. Having a protocol also makes it easier to demonstrate that you meet the requirements of the GDPR and the Dutch GDPR Implementation Act (UAVG).
Sharing a black list
Do you want to share your black list outside your own organisation, so that other organisations are also warned about certain persons? In that case, stricter GDPR conditions apply. For example, you often have to apply to the Dutch Data Protection Authority for a permit. Want to know more? Read Sharing a black list.