How do client blacklists work with GDPR?
@robryk what kind of client blacklists?
@kuba
Examples (multiple because I expect the answer might differ):
a) "we don't serve these people" in a butcher shop
b) "these people cannot attend our performances" in a theatre,
c) "these people cannot buy anything from us" for an online retailer.
(Motivation for the question is https://www.nbcnewyork.com/investigations/face-recognition-tech-gets-girl-scout-mom-booted-from-rockettes-show-due-to-her-employer/4004677/)
@robryk But just stating that you have a legitimate interest isn't enough. You have to do a "balance test" between the importance of your interest and rights and freedoms of data subjects.
@kuba I'm wondering about the case of processing someone's name or photo (that's shown to staff), because e.g. this fellow is too troublesome to serve. (Does GDPR make this qualitatively different from doing face recognition to do the same thing automatically?)
@robryk uh, maybe I'm mixing purposes with legitimate interest here. Legitimate interest has to be more abstract, like "ensure physical safety of our staff" or "make sure our clients feel safe" or stuff like that. If they're processing facial recognition results without consent, they have to have a legitimate interest.