PONT Data&Privacy

Blacklists of tenants: what to look out for?

Alert other housing associations/landlords about undesirable tenant behavior? This can be done through a blacklist. Such a list includes tenants who are associated with, for example, hemp cultivation in the home or non-payment. However, blacklists can infringe on tenants' privacy. Compliance with the AVG (General Data Protection Regulation) is therefore very important with these lists.

8 July 2020

The previous blog dealt with a court ruling in which a housing association used a blacklist. In addition to the fact that the tenant had to leave the property by court order due to hemp cultivation, he was blacklisted for a period of 5 years. This made him ineligible for rental housing with member housing associations and the municipality for a period of 5 years. The blacklist thus had far-reaching consequences for the tenant in question.

If the data on the blacklist qualifies as criminal personal data, the AVG provides significantly higher protection. The list will then, for example, have to be submitted to the Autoriteit Persoonsgegevens for approval. The previous blog shows that when the reason for blacklisting is recorded as a code, the data may not qualify as criminal personal data. In this way, the prior approval of the Autoriteit Persoonsgegevens can be avoided. Incidentally, it should be noted that the Autoriteit Persoonsgegevens applies a broader interpretation of the concept of criminal personal data than the courts. See, for example, Decision z2018-12010 of the Autoriteit Persoonsgegevens on the application for a license for the Fraud Helpdesk.

Checklist 50: Blacklist (or industry alert system)

A blacklist is a registration of individuals created, for example, by a housing association, trade association or special interest group (for example, a local shopkeepers' association), to which companies in the same industry have (external) access.

Creating and using a blacklist is not automatically permitted. An organization wishing to create a blacklist must meet at least three conditions. Basically, these conditions amount to a careful balancing of interests with due regard for the principles of proportionality and subsidiarity, because the consequences for those affected may be far-reaching if they are blacklisted too lightly or for an unnecessarily long period of time.

The first condition relates to a legitimate interest that must exist for the use of a blacklist (e.g., combating fraud or preventing default). In addition, the blacklist must be necessary. This means that the organization cannot achieve the goal in another way that is less intrusive to the privacy of those involved. The third condition relates to a balancing of interests that the organization must make. The organization must be able to make clear why the (business) interest outweighs the privacy interest. In doing so, the organization must look at the seriousness of the offenses of the data subjects and the consequences for them of being blacklisted.

General concerns for blacklists:

  • What is the purpose of the blacklist?

  • Is the data intended for internal use within a legal entity or is data also provided to third parties?

  • Is the provision (territorially) cross-border in nature?

  • Should the intention to create a blacklist be submitted to the AP for approval (tip: a blacklist protocol manual is available on the AP's site)?

  • What is the reason for the blacklist?

  • Have less far-reaching alternatives been considered?

  • Are the criteria for blacklisting and removal adequately substantiated?

  • How and at what point is the individual notified that they have been blacklisted?

  • By what means can data subjects exercise their right to inspect and correct?

  • In what way and by whom are data provided for the purposes of the blacklist?

  • Is the blacklist used for automated decisions (note the prohibition in Art. 22 AVG)?

  • Is the blacklist based on actual incidents or on profiles (note the prohibition on discrimination)?

  • Is it ensured that the blacklist data are current and accurate (are no more data processed than strictly necessary)?

  • Is provision made for a periodic audit or control of the blacklist?

  • Are the consequences of blacklisting clear to those affected?

  • Is the individual informed of the reason for contract denial?

  • Has a balancing of interests taken place between the interest of the company or industry and the interest of the data subject harmed by blacklisting (proportionality)?

  • Can the goal not be achieved by another route (subsidiarity)?

  • Is criminal data being processed for the benefit of third parties (Art. 10 AVG in conjunction with Art. 1, 32 and 33 UAVG)?

  • Are sufficient measures in place to secure the blacklist against loss and/or unauthorized processing?

  • Is there a data breach protocol?

  • Is provision made for a dispute resolution process?

Other concerns

  • Various constructions can be followed: for example, one database with one designated controller, or the participants become joint controllers (possibly with a processor managing the database).

  • Under Art. 35 AVG, a DPIA is required in many cases.

  • The AVG does not contain a separate provision on the use of blacklists.

  • Descriptions of reprehensible acts that have occurred are not necessarily classified as criminal personal data. See the blog on hemp cultivation in rental properties on this point.

  • Article 33(4)(c) UAVG provides that private parties may process personal data on criminal convictions and offenses for third parties, but only if they have permission to do so (in the form of a permit) from the AP. If that permission is obtained, then the use of such blacklists is permitted (also under the AVG) (Art. 33(4)(c) and (5) UAVG). Several examples of blacklists approved by the AP can be found on the AP's website, including a number of lists on residential rental.

In the book "Checklist Privacy AVG - Privacy Policies in 57 Checklists," by Banning Lawyers' Privacy Team, there is a chapter devoted to these blacklists. This blog contains a summary of it. For the entire book, please refer to Berghauser Pont's website.
