I think I have this right, but it seems rather concerning to me: with the way GDPR has tightened things up so much, there looks to be a loophole.
I say loophole; it is there for good reason, but even so.
The GDPR is an EU-level document — a regulation — and regulations apply automatically in Member States, without the need for national implementation. The GDPR is a bit of an odd regulation though, as it contains a reasonably large number of areas where Member States are permitted to implement national derogations.
The UK’s new data protection act — the Data Protection Act 2018 — came in with the GDPR, repealing the previous Data Protection Act 1998. The Data Protection Act 2018 does various things, and one of them is to set out certain exemptions to some of the provisions of the GDPR.
For example, the Act exempts a data controller from complying with some aspects of the GDPR where they are processing personal data for "the prevention or detection of crime", and where applying the GDPR's provisions would be likely to prejudice that. The provisions that fall away include those dealing with subject access, as well as the right of rectification. This is, in principle, a good idea, but I think I can see a problem: "blacklists".
I know someone who recently tried to buy an item on-line and the order was cancelled because their email address/phone number is, according to the retailer, on a "fraud list". The obvious answer (on the basis that they have not committed any fraud) is a subject access request and a demand to have the data corrected.
However, Schedule 2 of the Data Protection Act 2018 (Part 1, paragraph 2, "Crime and taxation: general") says otherwise. Most of the rights you have, like subject access and the right to rectification, simply do not apply where the data is processed for the purpose of preventing or detecting crime, which could be argued here.
There is a caveat, "to the extent that the application of those provisions would be likely to prejudice any of the matters", but I am not sure that helps.
Even arguing that it is wrong to be on the list is not clear-cut. What if the list were "the following email addresses or phone numbers have demonstrated behaviour which is consistent with the behaviour demonstrated by fraudsters"? It could then be correct to be on the list, i.e. being on the list may not mean you have committed fraud or are being investigated for doing so, simply that it is a list useful for preventing and detecting crime.
But as you may not even know of the list (though in this case the retailer said so), let alone its purpose, or which of your data is on it, why and how, there is no way you can know about it or do anything about it!
So it looks a lot like secret blacklists of people are completely allowed by GDPR. Am I wrong? Is this morally wrong?
[Some paras courtesy of Neil, thanks for the explanation of how GDPR applies to UK]