An organisation may process personal data in several member states of the European Union (EU). Or in one member state, but of people from several member states.
A black list is a register of persons with whom an organisation does not want or no longer wants to do business. The larger the scope of the black list, the stricter the conditions.