Personal Data in the Procurement Process
A procurement process involves multiple categories of personal data. During ESPD and pre-qualification, authorities collect information about named individuals in senior management of tenderers, including CVs, professional qualifications and references. During evaluation, evaluators' names and their scoring decisions are recorded in evaluation reports. Contract award notices published on eTenders and the Official Journal may identify named individuals as contract managers or signatories. During contract execution, data about personnel deployed on the contract — security clearances, professional licences, health and safety records — may be processed.
Each of these processing activities must have a lawful basis under GDPR Article 6. For the procurement process itself, the most relevant lawful basis is the performance of a task carried out in the public interest (Article 6(1)(e)) for the public authority as controller. For tenderer personal data, the legal obligation to comply with EU procurement rules (Article 6(1)(c)) is also available. Authorities must identify and document the lawful basis for each processing activity in their Records of Processing Activities (ROPA).
Transparency and Privacy Notices
GDPR Articles 13 and 14 require data subjects to be informed about data processing at the point of collection. For procurement, this means that tender documents or the eTenders portal should include a privacy notice specifically addressing the personal data collected during the tender process, the purposes for which it is used, the lawful basis, the retention period, and the rights available to data subjects. Generic organisational privacy policies are insufficient — the notice must be specific to the procurement process.
Particular care is required where tender documents request CVs or biographical information about individuals who may not be aware that their information is being shared with a public authority — for example, proposed subcontractors or project leads who have not personally submitted the tender. Tenderers should be advised to inform such individuals that their data has been provided and to direct them to the authority's procurement privacy notice.
Publication of Award Information
EU Directive 2014/24/EU requires publication of contract award notices on the Official Journal of the EU and national portals for above-threshold contracts. These notices typically include the name of the successful tenderer, the contract value and the award date. For contracts awarded to sole traders or named individuals, this constitutes publication of personal data, and the authority must balance the transparency obligation with the data minimisation principle.
The Data Protection Commission has confirmed that publication of business names and contract award values is generally compatible with GDPR when required by law. However, publication of home addresses, personal email addresses or bank account details of contractor personnel is not required and should be avoided. Where a sole trader wishes to protect their address from publication, authorities can allow trade name or business address to be substituted in the public notice while retaining full details on file.
Retention Periods and Archiving
Procurement records — including tender submissions, evaluation reports, correspondence and award documentation — must be retained for periods that support potential audit and legal challenges. EU Directive 2014/24/EU requires that records sufficient to justify award decisions are retained for at least three years. Irish public bodies are also subject to the National Archives Act and the Civil Service Records Management Policy, which may impose longer retention periods for certain categories of record.
Under GDPR, personal data should not be retained longer than necessary for the purpose for which it was collected. For procurement records, the recommended approach is to retain the full procurement file for the standard period (typically seven years to align with the statute of limitations for contract claims), then review and purge personal data that is not required for historical purposes — for example, CV details of unsuccessful tenderers — while retaining the structural procurement record. Authorities should document their retention schedule in their ROPA and brief procurement teams accordingly.
Let GovIQ route your next procurement automatically.
Get a free procurement audit report — your procedure, documents and audit trail in one signed pack.
Get free audit report