GDPR in Public Administration: How to Anonymize Administrative Acts

Public administration faces a dual obligation that may appear contradictory but is entirely manageable: publish decisions and acts transparently, while at the same time protecting the personal data of citizens appearing in those documents. The balance between freedom of information legislation and GDPR is not optional — it is a legal requirement with real consequences for the officials and bodies that fail to manage it correctly.

What GDPR requires of public bodies

GDPR applies to any organization that processes personal data, including all public bodies at every level of government: local authorities, regional governments, universities, autonomous agencies, and publicly-owned entities.

The most relevant obligations for document management are:

Data minimization (Art. 5.1.c): Only personal data that is adequate, relevant, and limited to what is necessary for the stated purpose may be processed. When the purpose is to inform the public, in most cases the full national ID, home address, or social security number of the individuals involved is not required.

Privacy by design (Art. 25): Document management systems in public bodies must incorporate technical measures that ensure data protection by default — not as an afterthought, but as an integral part of the publication workflow.

Accountability (Art. 5.2): The body must be able to demonstrate that it complies with GDPR. In the context of document management, this means recording which documents were published, what data they contained, and what measures were applied to protect the individuals concerned.

Publishing on transparency portals: what data must be removed

Transparency legislation in many European countries requires public bodies to publish information about contracts, grants, remuneration, meeting minutes, and the outcomes of administrative procedures. However, data protection authorities have issued clear criteria on what personal data must be removed before publication.

In resolutions and administrative acts:

• Full national ID → replace with the last four digits or remove entirely
• The citizen’s postal address
• Phone number and email address
• Bank account number (common in grant award decisions)
• Health data or family situation where not relevant to the act

In contracts and tenders:

• Personal data of technical staff who signed documents but are not public officials
• ID numbers of legal representatives of tendering companies
• Banking details included in administrative documentation

In minutes of collective bodies:

• Data protection authorities have established that minutes of council meetings may be published with the names of elected officials, but must protect the data of citizens who intervene as private individuals (for example, during public question periods).

In sanction decisions:

• Publication of fines is only mandatory in cases explicitly provided for by law, and subject to the limitations set for each type of procedure.

Anonymization vs pseudonymization: the key distinction

This is the most important technical point, and also the one that causes the most confusion in document management teams.

Pseudonymization: The data is replaced by a code or alternative reference (for example, ID 12345678A → CITIZEN-0042). The original data still exists in a correspondence file. A pseudonymized document is still a document containing personal data from GDPR’s perspective, because technical re-identification remains possible.

Anonymization: The data is deleted or transformed irreversibly. There is no correspondence file, no technical means of recovering the original. The resulting document no longer contains personal data and is not subject to GDPR.

For publication on transparency portals, data protection authorities recommend true anonymization, not pseudonymization, except in cases where the law explicitly requires the individual to be identified (such as certain official gazette publications or public notice boards for formal notification purposes).

The practical test for whether you have anonymized correctly: could someone reading the published document, by combining it with other publicly available sources of information, identify the person? If the answer is yes, the document is not truly anonymized.

How to implement an anonymization workflow in your organization

Most public bodies do not have a systematic document anonymization process. The typical approach is manual: a civil servant reviews the document before publication and manually removes data they remember is sensitive. This approach has three structural problems: it is slow, it is inconsistent, and it generates no audit trail.

A systematic anonymization workflow for a public body should include:

1. Document type classification Establish which categories of documents are published — resolutions, contracts, grants, minutes — and what types of personal data each category typically contains.

2. Automated detection Use NLP tools capable of identifying personal data in unstructured text, including country-specific formats: national ID numbers, social security numbers, vehicle registration plates, IBANs.

3. Human review of ambiguous cases Automation does not replace human review in cases where data is contextually sensitive — for example, a name that is also a company name, or an address that is part of a cadastral reference.

4. Audit log Every published document should be accompanied by an internal record certifying which anonymization process was applied, on what date, and by which person or system. This log is the evidence that protects the body against a complaint to the data protection authority.

5. Periodic review of criteria Data protection authorities periodically update their interpretive guidance. Anonymization procedures must be reviewed at least annually to ensure they remain compliant.

Frequently asked questions about GDPR and public administration

Can a public body publish the names of grant recipients?

Generally yes. Transparency legislation requires publication of grants including the amount and the beneficiary. However, when the beneficiary is a natural person (not a company), GDPR limits what additional information may be published alongside their name. Publishing name + amount + purpose is generally proportionate; publishing name + ID + address is not.

Are small local authorities also required to comply with GDPR?

Yes, without exception. GDPR applies to any body that processes personal data, regardless of size. What varies with size is the obligation to designate a Data Protection Officer (DPO), but not the obligation to comply with the fundamental principles.

What happens when a citizen requests information that contains data about third parties?

The exercise of the right of access to public information does not automatically override GDPR. The body must balance both rights and, in general, provide the requested information in anonymized form when this can be done without undermining the substance of the request.

Can data protection authorities sanction a public body?

Yes. Although public bodies cannot be fined in the same financial terms as private organizations, data protection authorities can issue public reprimands and require corrective measures with binding deadlines. In addition, individual officials may face disciplinary liability.

Conclusion

Publishing with transparency does not mean publishing without control. Public bodies have both the legal framework and the technical tools to comply simultaneously with transparency obligations and GDPR: systematic anonymization of documents before publication.

The first step is recognizing that manual processes are not sustainable at scale. If your organization publishes dozens or hundreds of documents every month, see how anonimiza.do can automate that process and make anonymization a natural part of the publication workflow rather than a bottleneck.