the Dutch DPA
Close menu

Filter search results

Black list

A black list is a register of persons with whom an organisation does not want or no longer wants to do business. Such as shoplifters, employees who commit fraud, or guests who cause nuisance. A black list often contains criminal data. A black list is also called a warning system or monitoring system.

On this page

  1. General information

Organisation may choose to:

The following rule of thumb applies for all these cases: the larger the scope of the black list, the stricter the conditions.

Examples of a black list

A supermarket may compile a black list of customers and refuse these persons entry. In this case, the supermarket only uses the black list itself, and nobody outside this supermarket has access to the list.

The supermarket may also share the black list with other supermarkets, to ensure that they are also warned about shoplifters. In that case, all supermarkets affiliated with the black list have access to that black list.

Other examples of shared black lists are:

  • a black list of guests who cause nuisance (hospitality industry);
  • a black list of customers and employees who commit fraud (financial institutions).

Shopkeepers' associations, catering establishments and car hire companies, for example, also use black lists.

More about this topic

Quick answers

Am I, as a shopkeeper, allowed to share photos or data of thieves in a WhatsApp group with other shopkeepers?

No, this is not allowed. If you store and share data of thieves (such as photos), you use a black list. And you are not allowed to do this without a good reason. Besides, a WhatsApp group is not suitable for sharing such data. This is because this practice does not meet the requirements of the General Data Protection Regulation (GDPR) in terms of security and other privacy safeguards.

Black list

black list is a warning system. You can use it for warning your colleagues about certain persons whom you no longer want in your shop, such as shoplifters. You are only permitted to compile and use a black list if you meet the requirements for black lists.

Permit needed

You can also share the black list with other shopkeepers. Do you share criminal data in the process? Then you need a permit from the Dutch Data Protection Authority (Dutch DPA).

Collective shop ban model protocol

Do you, as a shopkeeper, want to apply to the Dutch DPA for a permit? Then you can also join the collective shop ban model protocol of the Centre for Crime Prevention and Public Safety (Dutch abbreviation: CCV). You do not have to draw up a protocol yourself in that case. And the procedure with the Dutch DPA for your permit will be faster. Obviously, you must then comply fully with all requirements set out in the model protocol.

Can I access my data at an organisation, or have them rectified or removed?

Yes, you can. If an organisation uses your personal data, you have a number of rights. This will ensure that you keep a grip on your personal data. These are the most important privacy rights:

Do you want to know what other rights you have? Check out Privacy rights under the GDPR.

What can I do if I have a question or complaint about the use of my personal data?

Always submit your questions or complaints to the organisation that uses your personal data first. Do you have a complaint and are you and the organisation unable to work it out together? Then you can lodge a complaint with the Dutch Data Protection Authority (DPA).