GDPR in public procurement: personal data in tenders and contract files

Public procurement files are one of the most frequent vehicles of personal data leaks in public administration. Procurement law requires broad publication duties on contractor profiles and public procurement platforms, while at the same time GDPR requires protecting the personal data of natural persons appearing in those documents. This guide explains how to reconcile both obligations without infringement.

The clash of principles: publicity vs data protection

Procurement law typically requires the contracting body to publish on its contractor profile:

• The tender notice and tender specifications
• The award decision with identification of the successful bidder and scoring
• The formalized contract
• Contractual modifications
• Penalties imposed, if any

At the same time, GDPR and national data protection laws require that publication not include more personal data than strictly necessary for the purpose pursued (citizen oversight, transparency, equality of opportunity).

Data protection authorities have repeatedly clarified that the transparency obligation is not a blank check: every piece of personal data included in a published document must pass the proportionality test. If it is not essential for transparency purposes, it should not be published.

What personal data appears in a typical procurement file

A full file can contain dozens of personal data points distributed in:

Technical specifications

• Signature and role of the author (civil servant, consultant, etc.)
• Direct contact phone
• Sometimes, data of the consultancy firm that drafted it

Technical memoranda submitted by bidders

• Data of proposed technical staff (CV, qualifications, experience)
• References and data of previous clients
• Signatures and titles

Administrative clauses document

• Drafter signatures
• Data of the contract officer

Procurement panel minutes

• Names and roles of panel members
• Identification of attendees
• Signatures

Economic proposals and award decisions

• Legal representative of the bidder (natural person)
• National ID of the signatory
• Offered amount (not personal, but allows re-identification if cross-referenced)

Formalized contract

• Complete data of the legal representative
• Self-employed address (matches the natural person’s home)

Authority criteria on what to publish and what to anonymize

Consolidated authority doctrine distinguishes:

What should be published with identification

• Contracting body: institution, not natural persons
• Identity of the awardee: if a legal person, company name; if a natural person (self-employed), the name is published because transparency requires identifying who contracts with administration
• Contract amount, deadlines, subject matter

What should be anonymized or minimized

• National ID of the representative — not needed for transparency; name suffices
• Personal phone, personal email, personal address of the representative
• Detailed CV of proposed technical staff — professional profiles needed for evaluation suffice
• Family data appearing in solvency reports
• Handwritten signatures — except in notarial acts, signatures add no transparency and enable forgery

What requires case-by-case evaluation

• Names of procurement panel members — acceptable when they hold institutional roles, nuanced if temporary staff
• Detailed scores by bidder — publishing the full comparison may be needed for transparency but allows inferring information about third-party bidders
• Appeals and submissions — often contain appellant’s personal data not necessary in publication

Real risk: the contractor profile as a source of personal data

We have analyzed dozens of contractor profiles. The most common problematic patterns:

1. Full technical memoranda published without redacting staff CVs.
2. Scanned contracts where the self-employed awardee’s complete national ID appears.
3. Panel minutes with handwritten signatures of all attendees.
4. Sanctioning decisions identifying the sanctioned self-employed with all their data.

Any citizen with time can, through automated searches, build a detailed profile of repeat bidders, municipal technicians, and legal representatives from data that should have been anonymized.

Recommended process before publication

1. Design a checklist specific to each document type (technical spec, memorandum, minutes, contract).
2. Designate a publication officer who always reviews before uploading.
3. Anonymize non-essential data — national ID except when legally required, personal phone and email, handwritten signatures, detailed CVs.
4. Keep a full copy of the file in the internal archive for administrative use; only the redacted version is published.
5. Document the criterion — why X data is published and why Y is removed. This traceability is key if a complaint arises later.
6. Check metadata — PDFs generated from Word retain author and change history.

Particularities of public procurement platforms

Public procurement platforms are typically state-level services aggregating files from all administrations. Documents uploaded are indexed by Google and specialized search engines. What you publish there is globally public, indefinitely, and practically impossible to fully remove once indexed.

Practical consequences:

• A failure to anonymize in 2024 may still appear on Google in 2030.
• Affected bidders have the right to request suppression of their personal data from a published file (right to erasure), and the administration must comply.
• Effective suppression requires removing the original document and coordinating with search engines; it is not an immediate process.

That is why prevention — anonymizing before publishing — is infinitely more efficient than subsequent correction.

What case law has said

Courts have clarified in several rulings:

• Publishing personal data on the contractor profile has a legal basis in procurement law only for data essential for transparency.
• Data exceeding that necessity is unlawful processing and may lead to sanction and compensation.
• The full national ID of the legal representative is not essential; first and last names suffice to identify the self-employed natural-person awardee.
• Handwritten signatures on published documents add no transparency value and should be removed.

Frequently asked questions

Can I publish the full technical memorandum submitted by the bidder?

Not without review. The staff data part (CV, professional certificates, references with client data) must be anonymized. The purely technical and methodological part can be published.

Is the self-employed awardee’s data personal data despite their business activity?

Yes. When the self-employed coincides with the natural person, their data is personal. Procurement law requires publishing the awardee’s identity, which includes the name; other data (full national ID, personal address) should be minimized.

Should we anonymize the names of procurement panel members?

Authorities have accepted publication when they are institutional staff with representative roles. If they are technical staff hired ad hoc or external advisors, it should be evaluated whether their individual identification adds transparency or whether the body suffices.

What if we discover we published a file without anonymization?

Immediate removal or replacement with redacted version; notification to the DPO; assessment of whether there was already indexing by third parties (Google, specialized search engines); and evaluation of whether notification to affected individuals and the authority within 72 hours is appropriate. Document the entire process.

Conclusion

Public procurement requires radical transparency and, at the same time, scrupulous respect for personal data protection. Reconciliation passes through systematically redacting documents before publication, limiting personal data to those strictly essential for citizen oversight. Failing to do so has increasingly frequent consequences in the form of sanctions.

If you manage procurement files in an administration or advise public sector entities, try anonimiza.do to automate the redaction of specifications, memoranda, and minutes before publication. It recognizes European identifiers.