Blog

Are housing corporations allowed to register and share blacklists?

Organisations in different professions use blacklists to warn each other about people who are causing nuisance. This also applies to housing corporations. But is that always allowed? Is the privacy of the people on such lists not infringed? What is a blacklist? Housing corporations can benefit from refusing former tenants who have shown criminal, unlawful […]

Organisations in different professions use blacklists to warn each other about people who are causing nuisance. This also applies to housing corporations. But is that always allowed? Is the privacy of the people on such lists not infringed?

What is a blacklist?

Housing corporations can benefit from refusing former tenants who have shown criminal, unlawful or nuisance behaviour in their previously rented accommodation. The blacklist includes former tenants who, for example, have run a hemp farm in a rented house or have caused serious damage to their rented accommodation. By means of a blacklist, which is accessible to all housing corporations in a certain region, housing corporations can effectively protect themselves against misconduct by former tenants.

Justified, Significant Interest

The decision to blacklist a tenant has a major impact on his right to housing, as this person cannot rent accommodation from housing corporations in a particular region for a number of years. In addition, the right to private life is at stake, because (sensitive) personal data of former tenants are stored and shared with other organisations, without this persons consent. Therefore, a blacklist may only be drawn up if the organisation has a justified and significant interest in doing so.

In the case of a housing corporation, this interest could for example consists of preventing financial damage and improving the housing satisfaction of other tenants. After all, the housing satisfaction of others is infringed if a neighbour runs a hemp farm or otherwise cause nuisance. The purpose of the blacklist is therefore, among other things, to prevent nuisance-causing tenants from concluding a new rental agreement with another housing corporation in order to be able to continue their nuisance-causing activities there again.

Is a permit needed?

Sharing a blacklist is only permitted under the supervision of the government. This means that a licence must be obtained from the “Autoriteit Persoonsgegevens” (‘AP’). Under the old Personal Data Protection Act (‘Wet Bescherming Persoonsgegevens’ or ‘Wbp’), which expired on 25 May 2018, a preliminary investigation had to be requested, in which the AP assessed whether a blacklist could be shared.

  1. Has the AP already issued a lawfulness decision for sharing a blacklist?

In that case, with the entry into force of the General Data Protection Regulation (GDPR), the decision was converted by operation of law into a licence issued by the AP. This was the case, for example, with the Stichting Woonruimte Verdeling Regio Utrecht (SWRU). Read here (Dutch) the AP’s decision that the housing associations affiliated to this foundation may share a black list with each other.

  1. If the AP has not issued a lawfulness decision under the Wbp, a permit must be applied for at the AP to share the blacklist.

Licence requirements

When applying for a permit, the AP assesses whether the organisation’s blacklisting complies with the requirements of the GDPR and the GDPR Implementation Act. Based on this regulation the following steps should be taken:

  • A Data Protection Impact Assessment (‘DPIA’) must be carried out before an organisation can apply for a licence. In short, an organisation in a DPIA maps out the privacy risks that might occur when maintaining a blacklist and it describes the measures that are taken to limit these risks.
    • The outcome of the DPIA must be submitted with the application for a permit.
  • In addition, a brief description of how the data is processed must be provided. If the blacklist is used by several housing corporations, it must also be stated who the central data controller is and how the mutual relationships between organisations participating in the sharing of the blacklist are arranged.
  • Finally, a “protocol” must be drawn up in which, among other things, the housing corporation indicates how the personal data are processed and how the obligations from the GDPR are met. This protocol is an important document for obtaining a permit. In a subsequent blog, the question of what such a protocol should look like will be discussed further.

Auteur

Expertises

Deel dit artikel

Meer blogs

Data Act: onterecht onderbelicht!

De Data Act (Verordening (EU) 2023/2854) is met ingang van 12 september 2025 rechtstreeks van toepassing in de hele Europese Unie (EU). De Data Act is specifiek gericht op het reguleren van de toegang tot en het delen van data binnen de EU, met als doel innovatie te stimuleren en eerlijke concurrentie te waarborgen.

/LEES MEER

Data Act: onterecht onderbelicht!

De Data Act (Verordening (EU) 2023/2854) is met ingang van 12 september 2025 rechtstreeks van toepassing in de hele Europese Unie (EU). De Data Act is specifiek gericht op het reguleren van de toegang tot en het delen van data binnen de EU, met als doel innovatie te stimuleren en eerlijke concurrentie te waarborgen.

Webinar commerciële/IE-contracten 2024

Op 6 november 2024 presenteerden Ernst-Jan Louwers en Nathalie van der Zande een live webinar over commerciële/IE-contracten voor de Academie voor de Rechtspraktijk. In dit webinar, dat bestaat uit twee blokken van een uur, deelden zij praktische inzichten en bespraken zij actuele kwesties binnen dit vakgebied. Het webinar is on demand terug te kijken.

/LEES MEER

Webinar commerciële/IE-contracten 2024

Op 6 november 2024 presenteerden Ernst-Jan Louwers en Nathalie van der Zande een live webinar over commerciële/IE-contracten voor de Academie voor de Rechtspraktijk. In dit webinar, dat bestaat uit twee blokken van een uur, deelden zij praktische inzichten en bespraken zij actuele kwesties binnen dit vakgebied. Het webinar is on demand terug te kijken.

AVG, gerechtvaardigd belang

AVG en gerechtvaardigd belang: wat de KNLTB-zaak betekent voor uw organisatie

Recent verduidelijkte het Hof dat commerciële belangen onder voorwaarden kunnen gelden als gerechtvaardigd belang voor gegevensverwerking onder de AVG. In deze blog bespreken we de uitspraak en geven we een 5-stappenplan voor het verwerken van persoonsgegevens op grond van gerechtvaardigde belangen.

/LEES MEER

AVG, gerechtvaardigd belang

AVG en gerechtvaardigd belang: wat de KNLTB-zaak betekent voor uw organisatie

Recent verduidelijkte het Hof dat commerciële belangen onder voorwaarden kunnen gelden als gerechtvaardigd belang voor gegevensverwerking onder de AVG. In deze blog bespreken we de uitspraak en geven we een 5-stappenplan voor het verwerken van persoonsgegevens op grond van gerechtvaardigde belangen.