Black list
A black list is a register of persons with whom an organisation does not want or no longer wants to do business, such as shoplifters, employees who commit fraud, or guests who cause nuisance. A black list often contains criminal data. A black list is also called a warning system or monitoring system.
An organisation may choose to:
- use the black list internally only;
- share the black list with other organisations;
- share the black list with other sectors.
The following rule of thumb applies for all these cases: the larger the scope of the black list, the stricter the conditions.
Examples of a black list
A supermarket may compile a black list of customers and refuse these persons entry. In this case, the supermarket only uses the black list itself, and nobody outside this supermarket has access to the list.
The supermarket may also share the black list with other supermarkets, to ensure that they are also warned about shoplifters. In that case, all supermarkets affiliated with the black list have access to that black list. The following applies: if the blacklist contains criminal personal data, sharing this data with other retailers is only permitted with a permit from the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.
Other examples of shared black lists are:
- a black list of guests who cause nuisance (hospitality industry);
- a black list of customers and employees who commit fraud (financial institutions).
Shopkeepers' associations, catering establishments and car hire companies, for example, also use black lists.
Quick answers
Do I always need to apply for a permit for a blacklist?
No. You don't need a permit if you only use the blacklist internally. Nor do you need one if you share the blacklist, but it does not contain any criminal personal data. You do, of course, have to comply with the (general) requirements of the GDPR.
Can I access my data at an organisation, or have them rectified or removed?
Yes, you can. If an organisation uses your personal data, you have a number of rights. These rights ensure that you keep a grip on your personal data. These are the most important privacy rights:
- You have a right of access to your personal data.
- Does it turn out that your data are incorrect? Or that certain data are missing? Then you can ask for rectification of your data (adjustment or addition).
- In some cases, you can also ask for removal of data.
Do you want to know what other rights you have? Check out Privacy rights under the GDPR.
What can I do if I have a question or complaint about the use of my personal data?
Always submit your questions or complaints to the organisation that uses your personal data first. Do you have a complaint and are you and the organisation unable to work it out together? Then you can lodge a complaint with the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.