Creating a blacklist

Published by:
Netherlands Enterprise Agency, RVO
Netherlands Enterprise Agency, RVO

Do you want to list organisations you no longer wish to do business with, or list employees who have stolen from you? You can create a blacklist. You are not allowed to share this list with others. You have to fulfil the requirements for a blacklist and ensure you respect the rules around privacy.

Blacklist requirements

In the Netherlands, you may only draw up a blacklist if you comply with the following 3 requirements:

  • You have a legitimate interest (in Dutch). For example, to prevent fraud or embezzlement
  • You cannot achieve your objective by less drastic means, which does not affect your customer’s or employee’s privacy as much
  • You can prove that the interests of you and your company weigh heavier than the privacy of the person who is blacklisted

Sharing a blacklist

Do you want to share a blacklist with, for example, other entrepreneurs in your area or in your industry? Then you need to apply for a permit to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP, in Dutch) if you include the following information in your blacklist:

  • criminal data (for example customers who have committed fraud) and/or,
  • data relating to unlawful or nuisance behaviour

Before you apply for the permit you must perform a data protection impact assessment (DPIA) and prepare a protocol of how you will process personal data. It depends on the outcome of the DPIA how you apply for the permit. If the privacy risk is limited, you apply for the permit without a preliminary investigation (in Dutch). If the privacy risk is high, you ask the Dutch DPA for a preliminary investigation (in Dutch).

The blacklist register lists all licences granted and rejected by the Dutch DPA (in Dutch).

Business owners can create their own blacklist to keep a record of unwelcome customers or fraudulent employees. If they choose to do so, they must comply with the General Data Protection Regulation (GDPR or Algemene Verordening gegevensbescherming AvG), in Dutch). You do not need a permit if you use the blacklist only within your organisation.

Viewing a blacklist

If a customer or employee is on your blacklist, you have to inform them about this. They also have the right to view their personal details (in Dutch) and to ask you to correct or delete them.

Questions relating to this article?