Sharing a black list
The use of a shared black list has major consequences for the privacy of the people on the list. That is why stricter requirements apply for sharing a black list than for internal use.
On this page
Conditions for sharing a black list
Exactly which requirements apply depends on whether there are criminal data on your black list.
Requirements for a black list without criminal data
Do you want to share a black list with no criminal data on it? Then the following requirements apply:
- You have to assess whether there is an interest of such importance that this justifies such a serious infringement of the privacy of data subjects; also known as ‘legitimate interest.’
- You must clearly describe and record the criteria for blacklisting a person. And make them transparent to those who will be or may be on the list. You can do this, for example, in a protocol. Also determine carefully which retention periods and safeguards you apply.
Requirements for a black list with criminal data
Do you want to share a black list with criminal data on it? Then you have to apply to the Dutch Data Protection Authority (Dutch DPA) for a permit, unless an exception to the permit requirement applies to you. Before the permit is granted, you are not permitted to share the black list.
Did the Dutch DPA approve your black list before 25 May 2018 by means of a prior investigation? Then this approval decision (legality decision) of the Dutch DPA was automatically converted into a permit. In that case, you do not have to apply to the Dutch DPA for a permit. Unless a period of validity has been attached to the legality decision. In that case, if you want to continue processing, you have to apply to the Dutch DPA for a permit before this period has expired.
Cross-sectoral black list
The rules for sharing a black list with other sectors (cross-sectoral black list) are even more stricter than those for sharing a black list within the own sector. A cross-sectoral black list is permitted in highly exceptional cases only.
In the Guide on cross-sectoral data sharing between private parties (in Dutch), the Dutch DPA has drawn up a brief overview of the most important minimum GDPR standards that cross-sectoral black lists have to meet.
Black list protocol
In the protocol to your black list, you describe how you are going to process the personal data. You indicate how your intended processing meets the requirements from the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (UAVG). You make the general standards from the GDPR more concrete by translating them into practical measures.
You need the protocol when you apply to the AP for a permit.
Participating in an existing black list
Do you want to join an existing black list where criminal data are shared? Then you have to apply to the Dutch DPA for a permit, unless you are exempted from this obligation. This also applies when the Dutch DPA has already issued a permit to other participants in the black list. After all, as a controller you are yourself responsible for your processing.
Collective shop ban and collective access ban for hotels, restaurants and cafes
As a shopkeeper or an operator of a hotel, restaurant or cafe, you can participate in a collective shop ban or a collective access ban for hotels, restaurants and cafes in a specific shopping area or entertainment area. For this, you have to apply to the Dutch DPA for a permit.
The Dutch DPA has assessed model protocols and model DPIAs drawn up by the sector organisations for the retail sector and hotel and catering industry. Do you follow one of these two model protocols? Then you do not have to draw up a protocol yourself. And you can follow the fast-track procedure at the Dutch DPA for your permit. In that case, you will have to comply fully with all requirements set out in the model protocol.
The Centre for Crime Prevention and Public Safety (Dutch abbreviation: het CCV) and the local departments of Koninklijke Horeca Nederland (KHN), the Dutch trade association for the hotel and catering industry (KHN), coordinate the permit applications in your shopping area or entertainment area. You can find more information about this on the websites of these organisations (both websites in Dutch only):