Aristotelis Zervos
Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in data protection, IT compliance and AI regulation.
The Pay Transparency Directive (EU) 2023/970 imposes new obligations on companies in Germany once it has been implemented, which must happen by June 7, 2026 at the latest. These include the right to information on pay and comparative values, transparency reports and, where applicable, joint pay assessments. At the same time, pay data is personal information. This article shows where the directive is problematic in terms of data protection law and how companies can prepare GDPR-compliant information, reporting and access concepts now.
Background and implementation of the EU Pay Transparency Directive
The EU Pay Transparency Directive (Directive (EU) 2023/970) came into force on June 6, 2023. The aim of the directive is to enforce the principle of "equal pay for equal work or work of equal value" more effectively and to reduce the gender pay gap. Germany is obliged to transpose the directive into national law by June 7, 2026 at the latest. Accordingly, an amendment to the German Pay Transparency Act (EntgTranspG) is expected by this date. A commission of experts presented proposals for implementation back in November 2025 and the legislative process is expected to start at the beginning of 2026.
Note: The specific scope of obligations may still change before implementation. The German legislator must decide, among other things, how exactly the requirements of the Directive will be implemented at national level, for example whether a minimum size of peer groups (analogous to the current 6-person limit in the EntgTranspG) will be retained and in what form Art. 12 (3) of the Directive will be implemented. However, companies should already start looking at the upcoming new regulations now, as extensive adjustments to remuneration systems and internal processes will be necessary.
The controversial aspect of these requirements in terms of data protection law is that they require transparency about salaries, a topic that has often been treated confidentially up to now. Employers have to collect, evaluate and forward considerable amounts of personal pay data to third parties (employees, works council, authorities), and this must be done in compliance with data protection regulations.
Tension between pay transparency and data protection
The Directive expressly emphasizes in Art. 12 (1) that any collection, processing and disclosure of information under Art. 7, 9 and 10 must take place in compliance with the GDPR. Basic principles of data protection law therefore also apply without restriction to the implementation of pay transparency measures.
Pay data are personal data. This is not only the case if the name of an employee is mentioned directly. Seemingly anonymous information can also be indirectly personal, for example if the individual can be identified on the basis of a small peer group or other contextual information. Since the Directive, unlike the current EntgTranspG, does not stipulate a minimum size for comparison groups, the average comparative salary can reveal the individual salary of a person, particularly in the case of very small comparison groups. Example: If a male employee asks about the average salary of the women in his small peer group and there is only one woman in that group, the information would reveal her salary. The German legislator was already aware of this risk in the previous law: Section 12 (3) sentence 2 EntgTranspG stipulates that no comparative salary is to be disclosed if the comparative activity is carried out by fewer than six employees of the opposite sex. This protective clause prevents the identification of individual salaries. However, it also means that the right to information often comes to nothing in small companies.
Although the EU Directive now dispenses with rigid thresholds, it does provide an instrument to mitigate this tension in Art. 12 para. 3 of the Pay Transparency Directive. According to this provision, member states can stipulate that in cases where there is a risk of indirect disclosure of individual salaries, sensitive pay information is not provided directly to the employee making the request, but only to an intermediary body. This can be the works council, the supervisory authority or the equality body. These bodies should then advise the employee on their rights without disclosing the specific pay levels. In this way, the person concerned would be informed of possible claims (e.g. due to discrimination), but at the same time the salary of the comparator would remain protected.
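The disclosure risk and the two safeguards described above (a minimum group size and referral to an intermediary body) can be checked mechanically before any figure leaves HR. The following is an added example, not part of the original article: the function and field names and the sample records are constructed, and the six-person value is taken from Section 12 (3) EntgTranspG as a configurable assumption, since the Directive sets no threshold.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Assumption: reuse the six-person limit of Section 12 (3) sentence 2 EntgTranspG.
# The Directive itself sets no threshold, so this value is configurable.
MIN_GROUP_SIZE = 6


@dataclass(frozen=True)
class PayRecord:
    employee_id: str
    group: str    # comparison group: same or equivalent work
    gender: str   # "f" or "m" in this constructed data
    pay: float    # gross monthly pay in EUR


@dataclass(frozen=True)
class Disclosure:
    recipient: str            # "requester" or "intermediary"
    average: Optional[float]  # None when the figure is withheld
    reason: str


def answer_request(records, requester_id, gender, min_size=MIN_GROUP_SIZE):
    """Average pay of `gender` in the requester's comparison group, or a referral."""
    requester = next(r for r in records if r.employee_id == requester_id)
    members = [r for r in records
               if r.group == requester.group and r.gender == gender]
    # Assumption: requesters know their own pay, so only the other members
    # count towards the threshold (prevents subtracting oneself from the mean).
    unknown = sum(1 for r in members if r.employee_id != requester_id)
    if unknown < min_size:
        # Withhold the figure and refer the case to an intermediary body
        # (the option in Art. 12 (3) of the Directive).
        return Disclosure("intermediary", None,
                          f"only {unknown} comparators, minimum is {min_size}")
    return Disclosure("requester", round(mean(r.pay for r in members), 2),
                      "group large enough")


# Constructed sample data: one woman and seven men in comparison group "G1".
RECORDS = [PayRecord("w1", "G1", "f", 4100.0)] + [
    PayRecord(f"m{i}", "G1", "m", 4000.0 + 100 * i) for i in range(1, 8)
]
```

With the constructed data, a man asking for the women's average is referred to the intermediary because the group contains a single woman, which is exactly the case from the article's example.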
Earmarking for salary data
The Directive also contains a clear provision on earmarking (purpose limitation) in Art. 12 (2): personal data collected as part of the transparency measures may only be used to enforce the principle of equality. Further processing of this data for other purposes that are incompatible with pay transparency (e.g. general salary benchmarking analyses that go beyond the prescribed scope) is not permitted.
Companies should therefore ensure that they do not misuse pay data collected for information or reports for other purposes.
Important requirements of the Pay Transparency Directive with reference to data protection
The Pay Transparency Directive contains several transparency and reporting obligations that require the processing of employees' remuneration data. The following requirements in particular are in conflict with data protection:
- Individual right to information (Art. 7 EntgTranspRL): Employees have the right to receive information about their individual pay and the average pay of colleagues with the same or equivalent work. This information must be broken down by gender. The request for information must be granted in writing within two months. In contrast to the previous legal situation, the restriction to companies with more than 200 employees no longer applies. In future, the right will apply regardless of the size of the company. In addition, all employees must be informed of this right to information.
- Pay transparency report (Art. 9 Transparency Directive): Employers with at least 100 employees are obliged to regularly prepare a report on the gender pay gap in their company. This must include the general gender pay gap and the differences within individual groups of employees with the same or equivalent work, broken down by pay components. The reports must be made available to employees and employee representatives and, upon request, to the supervisory authority or the equal opportunities office. Companies with 250 or more employees must report annually (for the first time by June 7, 2027, regarding the year 2026). Companies with 100 to 249 employees, on the other hand, only have to report every three years.
- Joint pay assessment (Art. 10 Transparency Directive): If the transparency report identifies unequal average pay for women and men in a comparison group that differs by more than 5 % and the employer cannot objectively justify this gender pay gap, it must carry out a detailed pay assessment together with the employee representatives. As part of this joint analysis, the causes of the pay gap must be investigated and corrective measures developed. The result of the pay assessment must then be made accessible to the workforce and the supervisory authority. In addition, the employer must eliminate any unjustified differences within six months of the report being published.
Recommendations for data protection-compliant implementation
In view of the upcoming obligations, companies should take measures at an early stage to ensure GDPR compliance in the processing of pay data. The following principles and precautions in particular have proven to be essential:
- Ensure earmarking: Pay data may only be used to implement the pay transparency requirements. Use for other purposes (such as general personnel planning statistics or salary comparisons outside the equal pay context) is prohibited (Art. 12 Para. 2 of the Pay Transparency Directive). Companies should therefore clearly communicate internally what the salary data collected may and may not be used for.
- Data minimization and storage limitation: The aim is to use as little personal data as possible. Only the data required to fulfill the transparency obligations (Art. 5 para. 1 lit. c GDPR) may be processed. In addition, a deletion concept is advisable: Newly collected data records (e.g. salary lists for the report) should only be stored for as long as necessary. Once the purpose has been achieved, the data should be deleted or anonymized promptly.
- Implement the need-to-know principle (access restriction, Art. 5 lit. f GDPR): Highly sensitive pay data must only be accessible to a strictly limited group of people. Therefore, create an access concept that defines which persons from which functions have access to which pay data. Access should only be granted to the extent that is really necessary for the fulfillment of tasks. For example, access to raw data could be restricted to selected HR or compliance employees. Document the assignment of authorizations and deliberately keep the group of authorized persons as small as possible. In addition, all authorized persons should be expressly informed of the confidentiality of the data (keyword: official secrecy). If data is transferred to the works council or other employee representatives, it must be ensured that only the absolutely necessary information is passed on and that the recipients are made aware of their statutory duty of confidentiality. According to Section 79 BetrVG, works councils are obliged to maintain confidentiality as soon as the employer discloses the information. Confidentiality of the information transmitted is expressly emphasized.
TOMs and documentation
- Technical and organizational measures: Develop a data management concept that defines how and where payroll data is stored securely. Salary data should only be stored in defined, protected locations and only accessed from there. The uncontrolled circulation of salary lists, for example by email to a broad distribution list or as an Excel file in insecure storage locations, should be strictly avoided. Such scenarios harbor a high risk of leakage and misuse: if extensive salary data falls into the wrong hands, there is not only the threat of GDPR fines, but also considerable damage to your image and loss of trust. If possible, use technical solutions that have already implemented privacy-by-default. Special software for payroll transparency can, for example, offer role-based access rights, automatic logging of every inspection and preset security precautions. This ensures that sensitive data cannot be copied or stolen unnoticed. In any case, companies should implement suitable technical and organizational measures (TOMs) in accordance with Art. 32 GDPR to ensure a level of protection appropriate to the risk. Although salary data does not count as particularly sensitive data within the meaning of Art. 9 GDPR, it is highly personal and confidential for most employees, so a higher level of protection is justified.
- Documentation and accountability: Companies should document all measures and concepts taken in writing (Art. 5 para. 2 GDPR). In the event of an audit, it can then be demonstrated to the supervisory authorities that the principles of the GDPR were adhered to. Clean documentation also creates internal clarity and can gain the trust of employees.
Pay transparency and data protection: 2B Advice supports you with implementation
Companies should set the organizational course now so that they are not unprepared for the deadline of 7 June 2026. This includes developing role and authorization concepts at an early stage and drawing up internal guidelines for handling pay data. If necessary, it is advisable to conclude company agreements with the works council in order to lay down binding rules for the implementation of transparency measures in the company. Finally, all those involved, from the HR department to the data protection officer and management, should be prepared for the new requirements through training.
Careful and confidential handling of salary information is essential to ensure that the noble goal of the directive, equal pay for all genders, can be achieved without violating the privacy of employees.
2B Advice supports you in this, among other things with:
- Readiness check / gap analysis (EntgTranspRL requirements vs. actual processes, data situation)
- Data protection concept for pay transparency (legal basis, earmarking, data minimization, deletion concept)
- Access and authorization concept (need-to-know, roles, logging, governance)
- Process design for requests for information and reporting
- TOM review and risk assessment, practical action plans
- Training courses for HR, Legal, Data Protection & Compliance (incl. communication guidelines)
If you would like to set up a legally compliant and pragmatic implementation at an early stage, please contact us! We will be happy to support you with the planning and operational implementation.
Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPR, IT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management. You can find out more about him on his author profile page.





