Organisations in different professions use blacklists to warn each other about people who are causing nuisance. This also applies to housing corporations. But is that always allowed? Is the privacy of the people on such lists not infringed?
What is a blacklist?
Housing corporations can benefit from refusing former tenants who have shown criminal, unlawful or nuisance behaviour in their previously rented accommodation. The blacklist includes former tenants who, for example, have run a hemp farm in a rented house or have caused serious damage to their rented accommodation. By means of a blacklist, which is accessible to all housing corporations in a certain region, housing corporations can effectively protect themselves against misconduct by former tenants.
Justified, Significant Interest
The decision to blacklist a tenant has a major impact on his right to housing, as this person cannot rent accommodation from housing corporations in a particular region for a number of years. In addition, the right to private life is at stake, because (sensitive) personal data of former tenants are stored and shared with other organisations, without this persons consent. Therefore, a blacklist may only be drawn up if the organisation has a justified and significant interest in doing so.
In the case of a housing corporation, this interest could for example consists of preventing financial damage and improving the housing satisfaction of other tenants. After all, the housing satisfaction of others is infringed if a neighbour runs a hemp farm or otherwise cause nuisance. The purpose of the blacklist is therefore, among other things, to prevent nuisance-causing tenants from concluding a new rental agreement with another housing corporation in order to be able to continue their nuisance-causing activities there again.
Is a permit needed?
Sharing a blacklist is only permitted under the supervision of the government. This means that a licence must be obtained from the “Autoriteit Persoonsgegevens” (‘AP’). Under the old Personal Data Protection Act (‘Wet Bescherming Persoonsgegevens’ or ‘Wbp’), which expired on 25 May 2018, a preliminary investigation had to be requested, in which the AP assessed whether a blacklist could be shared.
- Has the AP already issued a lawfulness decision for sharing a blacklist?
In that case, with the entry into force of the General Data Protection Regulation (GDPR), the decision was converted by operation of law into a licence issued by the AP. This was the case, for example, with the Stichting Woonruimte Verdeling Regio Utrecht (SWRU). Read here (Dutch) the AP’s decision that the housing associations affiliated to this foundation may share a black list with each other.
- If the AP has not issued a lawfulness decision under the Wbp, a permit must be applied for at the AP to share the blacklist.
When applying for a permit, the AP assesses whether the organisation’s blacklisting complies with the requirements of the GDPR and the GDPR Implementation Act. Based on this regulation the following steps should be taken:
- A Data Protection Impact Assessment (‘DPIA’) must be carried out before an organisation can apply for a licence. In short, an organisation in a DPIA maps out the privacy risks that might occur when maintaining a blacklist and it describes the measures that are taken to limit these risks.
- The outcome of the DPIA must be submitted with the application for a permit.
- In addition, a brief description of how the data is processed must be provided. If the blacklist is used by several housing corporations, it must also be stated who the central data controller is and how the mutual relationships between organisations participating in the sharing of the blacklist are arranged.
- Finally, a “protocol” must be drawn up in which, among other things, the housing corporation indicates how the personal data are processed and how the obligations from the GDPR are met. This protocol is an important document for obtaining a permit. In a subsequent blog, the question of what such a protocol should look like will be discussed further.
Want to know more?
Would you like to know more about the licence application? Would you like advice on how to carry out a DPIA? Or do you have other questions about blacklists? Please contact Tom de Wit or Lisa Molenaars.