Do you want to list organisations you no longer wish to do business with, or employees who have stolen from you? You can create a blacklist. You are not allowed to share this list with others. You should also fulfil the requirements for a blacklist and ensure you respect the rules around privacy.
In the Netherlands, you may only create a blacklist (in Dutch) if you comply with the following requirements:
- You have a legitimate interest (in Dutch). For example, a threat to your health and safety or preventing fraud or embezzlement
- You cannot achieve your objective by less drastic means
- You can prove that your interests and those of your company outweigh the privacy of the person who is blacklisted
You must register your blacklist (in Dutch) with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Business owners can create their own blacklist to keep a record of unwelcome customers or fraudulent employees. If they choose to do so, they must comply with the General Data Protection Regulation (GDPR or Algemene Verordening gegevensbescherming (AvG), in Dutch).
Sharing a blacklist
If you want to share the personal information on your blacklist with other businesses, you must perform a data protection impact assessment (DPIA) and prepare a protocol describing how you will process personal data. Then you can ask the Dutch DPA for a preliminary investigation.
If your DPIA does not indicate a high privacy risk or you can reduce the risk with measures stated in your protocol, you can apply to the Dutch DPA for a permit (in Dutch).
You must also notify the Dutch DPA if you wish to participate in an existing blacklist. Check the public register (in Dutch) of approved blacklists.
Viewing a blacklist
If a customer or employee is on your blacklist, you have to inform them about this. They also have the right to view their personal details (in Dutch) and to ask you to correct or delete them.