An Apparent Conflict Between Two Regulations
At first glance, the requirements of Directive 2023/970 (pay transparency) may seem contradictory to GDPR (personal data protection). How do you share pay information without violating employee privacy?
Good news: these regulations are compatible with each other. The directive was designed with GDPR in mind, and it contains specific guidelines regarding data protection.
What Does the Directive Say About Data Protection?
Article 12 of Directive 2023/970 explicitly refers to GDPR:
“Processing of personal data pursuant to this Directive shall be carried out in accordance with Regulation (EU) 2016/679 [GDPR].”
Key Principles
- Data minimization – share only what’s necessary
- Anonymization – where possible, use aggregated data
- Legal basis – legal obligation (Art. 6(1)(c) GDPR)
- Purpose of processing – enforcing the principle of equal pay
What Data Can Be Shared?
✅ Aggregated Data (Anonymous)
Does not require consent and does not violate GDPR:
- Average salary for position X
- Median pay in department Y
- Salary ranges for category Z
- Company pay gap (%)
Correct example: “Average salary for Senior Developers: €7,500 – €9,000”
⚠️ Partially Anonymous Data (Pseudonymization)
Requires caution:
- Salaries in small teams (< 5 people of either gender)
- Data that could indirectly identify an employee
Solution: Aggregate into larger groups or don’t share.
❌ Individual Data (Personal)
Never without consent or legal basis:
- “John Smith earns €6,000”
- List of employees with salaries
“Minimum Sample Size” Rule
The directive introduces an important safeguard:
If a category of workers has fewer than 5 people of either gender, the employer may refuse to provide data due to privacy protection.
Example:
- Department has 8 employees: 7 men, 1 woman
- Providing the average for women would reveal that one person’s salary
- Solution: Don’t share data for this category or aggregate with a larger group
Practical Scenarios
Scenario 1: Employee Asks About Average Salary
Query: “How much do people in my position earn on average, broken down by gender?”
Correct response:
Position: Marketing Specialist
Average salary:
- Women (8 people): €3,600
- Men (6 people): €3,900
If fewer than 5 people of either gender: “Due to privacy protection, we cannot provide data for categories with fewer than 5 people.”
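The minimum sample size rule and the Scenario 1 response can be enforced in the reporting code itself. The following is an added example, not code from the directive or from any particular HR system; the field names, the "F"/"M" gender encoding and the sample salaries are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

MIN_GROUP_SIZE = 5        # threshold described in the article
GENDERS = ("F", "M")      # assumed encoding of the gender field
REFUSAL = ("Due to privacy protection, we cannot provide data "
           "for categories with fewer than {n} people.")

def pay_by_gender(records, position, min_size=MIN_GROUP_SIZE):
    """Average pay per gender for one position, or a refusal if a group is too small."""
    salaries = defaultdict(list)
    for rec in records:
        if rec["position"] == position:
            salaries[rec["gender"]].append(rec["salary"])
    # A missing gender counts as a group of size 0. The whole category is
    # withheld, not just the small group, so the small group's figure cannot
    # be derived by subtracting the larger group from a category-wide total.
    if any(len(salaries[g]) < min_size for g in GENDERS):
        return {"position": position, "suppressed": True,
                "message": REFUSAL.format(n=min_size)}
    return {
        "position": position,
        "suppressed": False,
        "groups": {g: {"count": len(salaries[g]),
                       "average": round(mean(salaries[g]), 2)}
                   for g in GENDERS},
    }

def rows(position, gender, pay):
    """Build constructed records; no names or employee IDs are needed."""
    return [{"position": position, "gender": gender, "salary": s} for s in pay]

# Constructed sample data matching the article's two examples.
SAMPLE = (
    rows("Marketing Specialist", "F", [3400, 3500, 3550, 3600, 3600, 3650, 3700, 3800])
    + rows("Marketing Specialist", "M", [3700, 3800, 3900, 3900, 4000, 4100])
    + rows("Data Analyst", "F", [4200])          # 1 woman
    + rows("Data Analyst", "M", [4000] * 7)      # 7 men
)

if __name__ == "__main__":
    for pos in ("Marketing Specialist", "Data Analyst"):
        print(pay_by_gender(SAMPLE, pos))
```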
Scenario 2: Pay Gap Reporting
Requirement: Publish report on pay gap
Correct approach:
- Aggregated data at company and category level
- No names or surnames
- No possibility of identifying individuals
Scenario 3: Joint Pay Assessment
Situation: Employee representatives need detailed data
Solution:
- Pseudonymization (Employee 1, Employee 2…)
- Confidentiality agreement for representatives
- Access only at company premises, no copies
Employer Obligations Under GDPR
Information for Employees
According to GDPR Articles 13-14, inform employees about:
- Scope of data processed for reporting purposes
- Legal basis (directive obligation)
- Data recipients (monitoring body, employee representatives)
- Retention period
Records of Processing Activities
Add new processing activity to records:
- Purpose: Pay gap reporting and ensuring equal pay
- Basis: Art. 6(1)(c) GDPR (legal obligation)
- Data categories: Salary, gender, job category
- Recipients: Monitoring body, employee representatives
- Retention period: According to national regulations
Data Protection Impact Assessment (DPIA)
Consider conducting DPIA if:
- Processing pay data on a large scale
- Introducing new reporting systems
- Data may be sensitive in organizational context
Common Mistakes
❌ Mistake 1: Publishing Pay Lists
“As part of transparency, we publish all employee salaries”
Problem: GDPR violation – no legal basis for individual data
❌ Mistake 2: Refusing All Information
“We can’t say anything due to GDPR”
Problem: Directive violation – employee has right to aggregated information
❌ Mistake 3: Ignoring Small Groups
“We provide averages for everyone, regardless of group size”
Problem: Possibility of identifying individuals in small groups
Summary
GDPR and pay transparency are not contradictory. The key is:
- Aggregation – group data instead of individual
- Minimization – only necessary information
- Small group protection – 5-person threshold
- Documentation – records, information, possibly DPIA
Well-implemented pay transparency strengthens employee trust without violating their privacy.
Last article in the series: “Objective Compensation Criteria – How to Build a Fair Pay System?”
Frequently Asked Questions
Does sharing pay data under Directive 2023/970 violate GDPR?
No, the directive was designed to be fully compatible with GDPR. It provides specific legal bases for processing pay data and includes safeguards such as anonymization requirements and purpose limitation. Organizations can meet transparency obligations while maintaining data protection compliance.
What pay information must employers disclose to employees?
Under the directive, employers must provide employees with information about average pay levels broken down by gender for comparable work categories. Individual salaries are not disclosed — the data is aggregated and anonymized to protect personal privacy while enabling meaningful pay gap analysis.
How should HR teams prepare for simultaneous compliance with both regulations?
HR teams should conduct a data mapping exercise to identify what pay data exists, where it is stored, and who has access. Implementing role-based access controls, data minimization practices, and clear retention policies ensures that pay transparency reporting meets GDPR requirements from the outset.
Can employees request pay data about specific colleagues under the directive?
No, the directive does not grant employees the right to see individual colleagues’ salaries. They can request aggregated, anonymized pay data by gender for their job category. This approach balances the transparency needed to identify pay gaps with the privacy protections guaranteed by GDPR.