Keep criminals out with blacklists
- Background
- 4 November 2021
- Edited 13 February 2024
- 4 min
- Managing and growing
- Secure business
Protect your company from theft, damages, or aggression: draw up a blacklist. Find out what a blacklist is, under what conditions you can use it, and which blacklists there already are in your sector. And what about privacy when you blacklist someone?
Cyber Magazine SECURE IT!
Cyber magazine SECURE IT! contains tips and information on how to secure your business online.
A blacklist allows you to warn staff or other companies about certain individuals. This is how you evaluate whether you want to do business with them. For example, you choose whether to allow someone into your shop or stay overnight in your hotel. You can draw up a blacklist together with other entrepreneurs. The Utrecht shopping mall Hoog Catharijne started such a collective blacklist in February 2024 (in Dutch). A blacklist often includes people who have been punished for shoplifting or for causing a major nuisance. Â
You always take into account the privacy of the persons you put on a blacklist. In practice, this means you cannot put a sandwich board outside your shop with photos of shoplifters. And you are obliged to notify persons when you blacklist them. There are 3 types of blacklist you can use: internal, sectoral, and cross-sectoral.Â
Internal blacklistÂ
Do you want to blacklist customers you no longer want to do business with, or employees who have stolen from you? In that case, you must comply with the privacy rules in the General Data Protection Regulation (GDPR). This is a European privacy law that requires that companies and organisations process personal data with care. You are also obliged to let the individual in question know that you are blacklisting them. Creating and using a blacklist is allowed if you meet 3 conditions:Â
-
You have a legitimate interest (in Dutch) in countering fraud or scams. You must have a good reason for drawing up a list of this kind. You cannot simply turn a customer away just because you find them annoying.Â
-
You are unable to achieve the goal, such as barring a customer, in any other way that affects a customer’s, or an employee’s, privacy less. For example, if you build into your online shop’s software the stipulation that the fraudulent customer can no longer create an account, you will have achieved your goal even without using a blacklist. One requirement is that customers know in advance in which situations you are allowed to bar them from creating an account. This prevents discrimination. You can point out these situations to customers in the ordering information or in the general terms and conditions.Â
-
You can show that your business interest, for example financial interest, is more important than the privacy interest. You have to consider the seriousness of the crime and the impact on the person on your blacklist.Â
Sectoral blacklistÂ
Basically, you use a blacklist within your own company. Only under certain conditions (in Dutch) may companies share blacklists with each other, for example within a certain sector. A permit from the Dutch Data Protection Authority is required in order to create or share such a list. That is because the use of a shared blacklist affects the privacy of those whose names appear on it. Designating someone unfairly as a fraudster can have major consequences for them. They may have difficulty finding a job, taking out a mortgage, or renting a house.Â
Want to know if there is a blacklist in your sector? You can find a complete overview on the website of the Dutch Data Protection Authority. For example, there are blacklists in the transport, health and welfare, and housing-rental sectors (in Dutch). Only member companies are allowed to view the lists. Check out the overview and find out how to get access to a list. With a sectoral blacklist, you can screen staff, or prevent shop theft, nuisance in your hospitality business, or financial fraud.Â
Screen your shop staffÂ
The Alert Register (Waarschuwingsregister, in Dutch) lists shop employees who have been fired for committing internal fraude. For example, because of sweethearting: giving away products for free or selling them at big discounts to family and friends. Registration is for a minimum of 1 to a maximum of 4 years. It depends on the gravity of the offence.  SME retailers can sign up for free (in Dutch). Â
Prevent shopliftingÂ
The collective shopping ban (in Dutch) is there as an option to keep shoplifters and troublemakers out of shopping areas. A collective shopping ban allows retailers to come together to ensure that unwanted customers no longer have access to any participating shops within the shopping area. At the moment, 35 shopping areas in the Netherlands have collective shopping bans in place. Â
Would you also like to get started with a collective shopping ban in your shopping area? Just get in touch with the CCV (in Dutch). They will help you start a collective shopping ban. That includes the use of a registration system, standard forms for announcing a shopping ban, and the application for a licence with the Dutch Data Protection Authority.Â
Prevent nuisance in hospitality industryÂ
A collective hospitality sector denial of entry (collectieve horecaontzegging, CHO, in Dutch) is the blacklist in the hospitality sector. With a CHO, you can reduce crime and nuisance in nightlife. Guests who seriously misbehave are no longer welcome at various hospitality establishments. If they do get in anyway, the police will come and pick them up. Want to get started with a CHO along with other hospitality business owners? Please get in touch with the manager of the main Dutch hospitality sector organisation, Koninklijke Horeca Nederland (in Dutch), in your region. They will help you come up with a step-by-step plan and the permit application to the Data Protection Authority, and they will give you an Excel file for registering participating catering establishments.Â
Prevent fraud in financial servicesÂ
Financial service providers such as banks, mortgage lenders, and insurers are using an incident-alert system (in Dutch) to counter fraudulent customers and employees. Financial institutions affiliated with the incident alert system have a list on which they record the details of fraudsters. Financial service providers consult this blacklist, for example, when they are dealing with applications from new customers. Do you want more information about the incident-alert system? Then contact one of the sector organisations who have executed this idea together: the Dutch Banking Association (Nederlandse Vereniging van Banken), The Dutch Association of Insurers (Verbond van Verzekeraars), the foundation for combatting mortgage fraud (Stichting Fraudebestrijding Hypotheken), Vereniging van Financieringsondernemingen Nederland, an association of finance companies, and Zorgverzekeraars Nederland, the national association of health insurers (all links in Dutch). Â
Cross-sectoral blacklistsÂ
Criminals often operate in several sectors. Sharing potential offenders’ details can be useful for entrepreneurs. For this purpose, there are cross-sectoral blacklists. The rules for exchanging details outside your sector are strict. The DPA explains (pdf, in Dutch) what you are allowed to do and how you use a cross-sectoral list. Â