Publishing personal data on the Internet: what is allowed, what isn’t, and what you should think about before doing it
Years ago, posting information on the Internet was almost an act of enthusiasm: everything was published. Announcements, lists, sanctions, names, resolutions… Without filters. But when search engines began indexing everything and people realized that their name could appear on Google for years because of a fine or a scholarship, reflection arrived: where is the line between transparency and privacy?
In 2008, the Catalan Data Protection Authority (APDCAT) published a very comprehensive recommendation that remains a reference. It explains how public administrations and entities must disseminate personal data when using the Internet. Let’s break it down calmly and in plain language.
1. Publishing is not the same as informing
The first clarification in the recommendation is that sharing personal data online is not an innocent act. Previously, information was posted on physical boards or in bulletins read by few people. On the Internet, any piece of data becomes permanent and accessible from anywhere.
That is why the APDCAT says that every publication must have a legal basis and a clear purpose. Saying “we’ve always done it this way” is not enough. Personal data can only be published when it is necessary to fulfill a public function or to guarantee citizens’ rights.
2. Basic principles: proportionality and purpose
The idea here is simple: publish only what is strictly necessary. If the goal is to report an administrative decision, perhaps the file number is enough and the person’s full name is not needed.
In addition, data must only be kept for the time strictly needed to fulfill the purpose. Once that period is over, it's time to remove or anonymize them. Doing otherwise, says the APDCAT, is a form of overexposure.
3. Information must be accurate and up-to-date
Another point that is often overlooked: publishing quickly does not justify everything. The administration has the obligation to verify that the data it uploads are correct and up-to-date. A mistake in a resolution, a misspelled name, or an outdated address can cause real harm.
The recommendation also stresses the responsibility to keep content updated and to remove anything no longer relevant. The Internet cannot be an eternal archive of errors.
4. Legal basis: when data can and cannot be published
The dissemination of personal data must always be based on one of these situations:
An explicit legal obligation (for example, publishing judicial rulings or official announcements).
The data subject’s consent.
Or the existence of a clear public interest.
Outside of those cases, publishing personal data on a public website is not legitimate.
And beware of “copy and paste”: information often moves from an administrative document to a website without review, when in fact it should go through an adaptation or anonymization process.
5. Electronic bulletins and notice boards count too
Being digital doesn’t free them from limits. If a city council publishes edicts, lists, or announcements containing personal data on its electronic notice board, it must follow the same criteria: only essential data, limited publication time, and automatic removal once the purpose has been fulfilled.
No keeping old lists of candidates, sanctioned individuals, or beneficiaries for years.
6. Search engine indexing: a modern problem
The APDCAT was visionary in anticipating something that is now key: search engines make permanent what should be temporary.
For this reason, it recommended technical measures such as:
Using “noindex” tags to prevent Google or Bing from indexing that data.
Limiting access through identifiers or temporary keys.
Avoiding PDFs with names and surnames appearing in general searches.
Transparency cannot mean that your name becomes an eternal search result.
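A way to check the first and third measures in practice, as an added example that is not part of the APDCAT recommendation: the script below inspects an HTTP response and reports whether it asks search engines not to index it. It also covers the PDF case, where a meta tag is impossible and the X-Robots-Tag response header is the mechanism that works. The paths, sample responses and function names are constructed for illustration.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # "none" means noindex + nofollow

def _split(value):
    # "googlebot: noindex" stays one token and is not counted: other engines still index.
    return {d.strip().lower() for d in value.split(",") if d.strip()}

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= _split(a.get("content", ""))

def indexing_blocked(headers, body=b""):
    """Return (blocked, reason) for one HTTP response (header dict, raw body)."""
    h = {k.lower(): v for k, v in headers.items()}
    if _split(h.get("x-robots-tag", "")) & BLOCKING:
        return True, "X-Robots-Tag header"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        parser = _RobotsMeta()
        parser.feed(body.decode("utf-8", errors="replace"))
        if parser.directives & BLOCKING:
            return True, "meta robots tag"
        return False, "HTML page without noindex"
    # PDFs and other non-HTML files cannot carry a meta tag.
    return False, f"{ctype or 'unknown type'}: needs an X-Robots-Tag header"

# Constructed sample responses (paths and bodies are made up for illustration).
SAMPLES = {
    "/board/notice-1.html": ({"Content-Type": "text/html; charset=utf-8"},
        b'<html><head><meta name="robots" content="noindex, nofollow"></head></html>'),
    "/board/notice-2.html": ({"Content-Type": "text/html"}, b"<html><body>List</body></html>"),
    "/board/list.pdf": ({"Content-Type": "application/pdf"}, b"%PDF-1.4"),
    "/board/list-ok.pdf": ({"Content-Type": "application/pdf", "X-Robots-Tag": "noindex"}, b"%PDF-1.4"),
}

def audit(samples):
    return {path: indexing_blocked(h, b) for path, (h, b) in samples.items()}

if __name__ == "__main__":
    for path, (blocked, reason) in audit(SAMPLES).items():
        print(f"{'OK  ' if blocked else 'OPEN'} {path}: {reason}")
```

A noindex directive only takes effect if the crawler is allowed to fetch the resource; a page that robots.txt blocks from crawling never has its noindex read.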
7. Dissemination of images and recordings
The document also touches on a sensitive point: the publication of photographs, videos, or voice recordings. These are also considered personal data.
If identifiable individuals appear, their prior consent or a clear legal justification is required. This applies to both public events and institutional material. And if shared on social media or open platforms, the risk of losing control is even greater.
8. Security measures and responsibility
Every public entity that handles personal data must adopt technical measures to protect them: access control, passwords, query logs, and above all, internal responsibility.
Saying “it was the IT guy’s mistake” is not enough. If data is improperly exposed, the administration is accountable.
It is also recommended to designate web content managers responsible for regularly reviewing what information is still necessary and what should be removed.
9. Periodic review and removal
Perhaps one of the most sensible sections of the document. The Internet must not become a data graveyard.
The APDCAT suggests establishing periodic review protocols to delete old, obsolete, or no longer relevant information.
Example: a scholarship announcement published five years ago should no longer remain active with participants’ names.
10. What to do if your data appears online
And if you are the affected person, you also have tools. You can:
Request the deletion or anonymization of the information.
Exercise your right to be forgotten (in line with the GDPR).
Lodge a complaint with the APDCAT if you receive no response.
The authority can order the removal of the content or impose sanctions if negligence is detected.