Italian Data Protection Authority: the FAQ on the processing of personal data of participants in competition procedures for publicity and transparency purposes has been published.

The Italian Data Protection Authority has returned to the issue of the processing of candidates' data in public competitions, publishing a series of FAQs dedicated to the publicity of selection procedures in the light of the most recent reforms. The intervention stems from a very specific practical context: the Authority has long received numerous complaints, reports and questions on how to correctly manage personal data in the various phases of a competition – from the submission of applications to the publication of rankings – and, in particular, on the limits to the online dissemination of names, votes and other information of participants.

The critical point is the coordination between the sector regulations that require publicity and transparency of procedures and the discipline on the protection of personal data. The laws governing competitions often date back to a time when "publication" meant posting on the bulletin board, paper bulletins or making documents available at offices. Today, the transposition of these same documents on institutional sites, indexed by search engines, involves a much more invasive form of dissemination: the information can be found by anyone, potentially for an indefinite time, and can be aggregated and reused in ways that affect the private and professional sphere of the people involved.

From a legal point of view, the Authority recalls that public administrations, even when managing insolvency or selective procedures, may process candidates' personal data to comply with legal obligations and pursue public interests, in compliance with the general principles of the GDPR. The legal basis for the processing can be found in the rules governing access to public employment and the conduct of competitions, coordinated with the provisions of the Regulation (in particular Articles 5, 6, 9 and 88) and the Privacy Code (Articles 2-ter and 2-sexies). This does not mean, however, that every data collected can be freely disseminated on the web: publication must be limited to what is strictly necessary with respect to the purposes of transparency and according to the procedures provided for by the legislator.

In fact, the Authority points out that "traditional" advertising (bulletin boards, bulletin boards, consultation at offices) does not automatically equate to unlimited publication on the web. Online dissemination, especially if accompanied by indexing through search engines, exposes candidates to a structurally higher risk: the information remains accessible over time, is easily aggregated with other data available on the web and can give rise to improper or discriminatory use. Hence the need to carefully select which data to make public, in what ways and for how long.

This framework also includes the innovations introduced by the regulations on the Single Recruitment Portal (InPA Portal) referred to in art. 35-ter of Legislative Decree 165/2001 and, more recently, by Legislative Decree No. 25 of 14 March 2025, converted into Law No. 69 of 9 May 2025, which affected the publicity of insolvency proceedings. According to the Authority, the new regulatory framework not only confirms but "positiveizes" the interpretative line already supported by the Authority: reconciling the requirements of transparency, good performance and impartiality of the PA (Article 97 of the Constitution) with the principles of data protection, avoiding overabundant or disproportionate processing.

The FAQs, developed by the Italian Data Protection Authority in conjunction with the Department of Public Administration, are therefore proposed as an operational tool for administrations and obliged entities: they recall the precautions accrued in concrete case studies, indicate the points of attention in the different phases of the competition and aim to prevent, rather than sanction, non-compliant practices. The basic objective is clear: to ensure maximum transparency of the selection procedures without transforming participation in a public competition into a permanent exposure of one's personal data on the web.