the Dutch DPA
Close menu

Black list

A black list is a register of persons with whom an organisation does not want or no longer wants to do business. Such as shoplifters, employees who commit fraud, or guests who cause nuisance. A black list often contains criminal data. A black list is also called a warning system or monitoring system.

On this page

  1. General information

Organisation may choose to:

The following rule of thumb applies for all these cases: the larger the scope of the black list, the stricter the conditions.

Examples of a black list

A supermarket may compile a black list of customers and refuse these persons entry. In this case, the supermarket only uses the black list itself, and nobody outside this supermarket has access to the list.

The supermarket may also share the black list with other supermarkets, to ensure that they are also warned about shoplifters. In that case, all supermarkets affiliated with the black list have access to that black list. The following applies: if the blacklist contains criminal personal data, sharing this data with other retailers is only permitted with a permit from the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.

Other examples of shared black lists are:

  • a black list of guests who cause nuisance (hospitality industry);
  • a black list of customers and employees who commit fraud (financial institutions).

Shopkeepers' associations, catering establishments and car hire companies, for example, also use black lists.

More about this topic

Quick answers

As a shopkeeper, am I allowed to display or share photos of shoplifters?

If you store and share personal data of thieves (such as photos), this means you are using a black list. Doing so is not permitted without a good reason.

It is up to the police to track down shoplifters. And it is up to the court to determine whether someone has, indeed, committed theft, and if so, to impose a penalty.

Shaming someone in public (such as online or clearly visible in your store) or, say, in a WhatsApp group, can have a major impact on someone's privacy. Especially if that person turns out to be innocent. That is why doing so is prohibited under the GDPR.

However, there are other things you can do to warn your staff and other shopkeepers about a (convicted) shoplifter.

Black list

A black list is a warning system. It allows you to warn your staff about certain people you no longer wish to allow in your store, such as shoplifters. You are permitted to create and use a black list only if you meet the black list requirements.

Displaying photos in a non-public place

You are permitted to show photos of (convicted) thieves or other troublemakers to your staff. This way, your employees know whom to deny access to the store. You are only permitted to display such photos in a place where they are not visible to your customers, such as in the staff canteen.

Want to share? You need a permit

You can also share a black list with other shopkeepers. Would this involve sharing criminal data? If so, you need to obtain a permit from the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.

Collective store ban model protocol

Are you a shopkeeper or an operator of a hotel, restaurant or cafe who wants to apply for a permit from the AP? You can join the collective store ban model protocol set up by the Centre for Crime Prevention and Public Safety (CCV in Dutch) or the collective catering ban model protocol set up by Koninklijke Horeca Nederland (the Royal Dutch trade association for the hotel and catering industry). Doing so means that you do not need to develop a protocol yourself. Also, joining a collective protocol means that the process for obtaining a permit from the AP goes faster. You will, of course, still need to fully comply with all the requirements set out in the model protocol.

Do I always need to apply for a permit for a blacklist?

No. You don't need a permit if you only use the blacklist internally. Nor do you need one if you share the blacklist, but it does not contain any criminal personal data. You do, of course, have to comply with the (general) requirements of the GDPR.

Can I access my data at an organisation, or have them rectified or removed?

Yes, you can. If an organisation uses your personal data, you have a number of rights. This will ensure that you keep a grip on your personal data. These are the most important privacy rights:

Do you want to know what other rights you have? Check out Privacy rights under the GDPR.

What can I do if I have a question or complaint about the use of my personal data?

Always submit your questions or complaints to the organisation that uses your personal data first. Do you have a complaint and are you and the organisation unable to work it out together? Then you can lodge a complaint with the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.

This page was last edited on
.