On this page
A blacklist is a list of persons or organisations to be avoided or not to be trusted. A company may choose not to do business with them (either permanently or temporarily) or only under certain conditions. A company may only create a blacklist if they comply with the requirements.
In the Netherlands, you may only create a blacklist (in Dutch) if you cannot achieve your objective by less drastic means. You must register your blacklist (in Dutch) with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Business owners can create their own blacklist to keep a record of unwelcome customers or fraudulent employees. If they choose to do so, they must comply with the General Data Protection Regulation (GDPR or Algemene Verordening gegevensbescherming (AvG), in Dutch).
You must also notify the the Dutch DPA if you wish to participate in an existing blacklist. Check the public register (in Dutch), which lists all approved blacklists. If you want to share the personal information on your blacklist with other businesses, you must also ask the Dutch DPA for a preliminary investigation and draw up a protocol.
Your customers’ or employees’ rights
If a customer or employee is on your blacklist, you are required to inform them about this. They also have the right to view their personal details (in Dutch) and to ask you to correct or delete it.