Drawing up a black list

Do you as an organisation want to draw up a black list? For example, because you do not want to allow customers in your shop who have been convicted of shoplifting? Or to ensure that you do not hire staff who have committed fraud before? Then you have to meet the conditions from the privacy legislation for a black list. You are not allowed to register data of people without a good reason.

Conditions for a black list

You have to meet these 3 conditions in any case:

  1. Legitimate interest: you must have a legal basis for processing the personal data on your black list. In this case, this may be the legal basis of legitimate interest. To rely on this legal basis, you have to meet all the conditions that apply to legitimate interest.
  2. Necessity: the black list must be necessary. This means that you cannot achieve your goal in any other way that is less far-reaching for the privacy of the data subjects.
  3. Important interest: you must be able to make clear why your (business) interest outweighs the privacy interest of the data subjects. When assessing this, you have to look at the seriousness of the offences and the consequences for the data subjects.

In addition, you have to meet the (general) conditions from the General Data Protection Regulation (GDPR). For example, you must:

Internal use of a black list

Do you use the black list within your own organisation only? Then you do have to meet all GDPR conditions, but you don’t have to:

Sharing a black list

Do you want to share your black list outside your own organisation, so that other organisations are also warned about certain persons? In that case, stricter GDPR conditions apply. For example, you often have to apply to the Dutch Data Protection Authority for a permit. Want to know more? Read Sharing a black list.