Balancing Transparency with Privacy
The EU Pay Transparency Directive (Directive (EU) 2023/970) significantly expands access to pay-related information through Articles 5 to 8. However, this expansion raises a critical question: how can organisations increase transparency without violating employee privacy?
Article 9 addresses this intersection between pay transparency and data protection, ensuring that the Directive operates in alignment with the General Data Protection Regulation (GDPR).
It establishes that while transparency is essential, it must not come at the cost of exposing identifiable personal data.
The Core Principle — Transparency Within Legal Boundaries
Article 9 does not introduce entirely new data protection rules. Instead, it reinforces that all pay-related disclosures must comply with existing GDPR principles, and that transparency obligations must be implemented in a way that protects individual privacy.
Obligation
Provide meaningful pay information to employees and regulators as required by the Directive
Constraint
Prevent identification of individual employees through any disclosed data
Key GDPR Principles Relevant to Article 9
To understand Article 9, it is essential to consider the underlying GDPR framework.
Data Minimisation
Only the minimum necessary data should be disclosed.
- Avoid sharing excessive or granular data
- Limit disclosures to what is required under the Directive
Purpose Limitation
Pay data collected for the Directive may be used only for:
- Transparency and compliance purposes
It must not be repurposed for unrelated or secondary uses.
Lawfulness, Fairness, and Transparency
Data processing must:
- Have a lawful basis
- Be fair to employees
- Be clearly communicated
Confidentiality and Integrity
Employers must ensure:
- Secure handling of pay data
- Protection against unauthorised access or disclosure
What Can Be Disclosed Under the Directive
To comply with Articles 6 and 7, employers must provide certain categories of information.
Permissible Disclosures
- Individual employee's own pay information
- Average pay levels for comparator groups
- Gender-disaggregated data
- Aggregated statistics (e.g., pay gaps)
The comparative figures (averages, gender-disaggregated data, statistics) are compliant only when presented in aggregated form and individual identities cannot be inferred from them; an employee's own pay information is, of course, disclosed to that employee alone.
What Cannot Be Disclosed
- Individual salaries of identifiable colleagues
- Data that allows indirect identification of individuals
- Small-group data where identities can be inferred
The Challenge of Small Comparator Groups
One of the most complex aspects of Article 9 arises when comparator groups are small.
Example Scenario
If a comparator group consists of one male employee and one female employee, the gender-disaggregated "average" is simply each person's salary: each of them can read the other's pay directly from the figure, and anyone who knows one salary learns the other. Disclosing it is a clear GDPR violation.
Required Approach
- Aggregate data across larger groups, or
- Withhold disclosure where anonymity cannot be ensured
This requires careful judgement and clear internal guidelines established in advance.
Article 9 Decision Framework — Disclosure vs Privacy
When deciding whether to disclose pay data, organisations should apply this logic:
- Is the data required under the Directive? If not, there is no basis for disclosing it.
- Can it be aggregated or anonymised sufficiently?
- Does the group size prevent individual identification, including by a recipient who already knows their own pay or a colleague's?
If the answer to every question is yes, proceed with disclosure; otherwise withhold the data, or aggregate it further and re-apply the test.
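The small-group rule and the decision framework above, as an added worked example in Python (not code from the page or from GenderGov): it applies a minimum headcount per gender to each comparator cell, pools the levels of a job family when a cell is too small, and withholds the figure when even pooling cannot protect identities. The threshold of 3, the job-family/level grouping, the F/M labels and the pay figures are constructed assumptions; the Directive text on this page sets no number. It also handles a case the page only implies: publishing a family-level total beside a level-level figure would let a reader recover the suppressed level by subtraction, so a passing level is published on its own only when the remaining levels also pass once pooled.

```python
from statistics import mean

# Minimum headcount per gender in any published cell. The page sets no number;
# 3 is an assumed value that an organisation would have to choose and document.
MIN_PER_GENDER = 3

# Constructed sample: (job family, level) -> gender -> annual pay of each worker.
# Kept deliberately small so that every branch of the rule below is exercised.
SAMPLE = {
    ("Engineering", "L2"): {"F": [52000, 54000, 53000], "M": [55000, 57000, 56000]},
    ("Engineering", "L3"): {"F": [70000], "M": [78000]},  # the one-of-each scenario
    ("Sales", "L1"): {"F": [38000, 39000, 40000], "M": [39000, 41000, 40000]},
    ("Sales", "L2"): {"F": [45000, 47000], "M": [48000]},
    ("Sales", "L3"): {"F": [60000], "M": [62000, 64000]},
    ("Finance", "L1"): {"F": [40000, 42000], "M": [41000]},
    ("Finance", "L2"): {"F": [50000, 52000], "M": [53000, 55000]},
    ("Legal", "L1"): {"F": [65000], "M": [70000]},
}


def merge(cells):
    """Pool several gender -> pays cells into one larger cell."""
    pooled = {}
    for cell in cells:
        for gender, pays in cell.items():
            pooled.setdefault(gender, []).extend(pays)
    return pooled


def safe_summary(cell, min_per_gender=MIN_PER_GENDER):
    """Gender-disaggregated averages and the pay gap for one cell, or None when
    either gender has fewer than min_per_gender workers (or is absent), so that
    no average can be traced back to an identifiable person."""
    counts = {gender: len(pays) for gender, pays in cell.items()}
    if set(counts) != {"F", "M"} or min(counts.values()) < min_per_gender:
        return None
    avg = {gender: round(mean(pays)) for gender, pays in cell.items()}
    gap = round((avg["M"] - avg["F"]) / avg["M"] * 100, 1)
    return {"headcount": counts, "average_pay": avg, "gap_pct": gap}


def disclose(data, min_per_gender=MIN_PER_GENDER):
    """Decide, per job family, which figures can be published.

    A level that passes the threshold is published on its own only if the
    remaining levels of the same family also pass once pooled. Otherwise the
    whole family is published as one figure (if that passes) or withheld:
    publishing a passing level beside a family total would let a reader
    subtract one from the other and recover the pay of the few people in
    the suppressed levels.
    """
    families = {}
    for (family, level), cell in data.items():
        families.setdefault(family, {})[level] = cell

    report = {}
    for family, levels in families.items():
        passing, failing = {}, []
        for level, cell in levels.items():
            summary = safe_summary(cell, min_per_gender)
            if summary:
                passing[level] = summary
            else:
                failing.append(cell)
        residual = safe_summary(merge(failing), min_per_gender) if failing else None

        if passing and (not failing or residual):
            for level, summary in passing.items():
                report[f"{family}/{level}"] = summary
            if residual:
                report[f"{family}/other levels"] = residual
        else:
            whole = safe_summary(merge(levels.values()), min_per_gender)
            report[f"{family}/all levels"] = whole if whole else "withheld"
    return report


if __name__ == "__main__":
    for cell, decision in disclose(SAMPLE).items():
        print(f"{cell}: {decision}")
```

On the sample, Engineering collapses to a single family-level figure even though its L2 cell is large enough, because publishing L2 next to the family total would expose the two L3 employees; Sales keeps its L1 figure and adds a pooled "other levels" figure; Finance is published only as a family; Legal is withheld. In a real HR pipeline the cells would be built from per-employee records, and each suppression decision and its reason should be logged, which is the record of borderline cases that the documentation section below asks for.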
Interaction with Article 6 — Employee Information Requests
Article 6 gives employees the right to request pay information. Article 9 ensures that responses to such requests remain compliant with GDPR and that employers do not disclose excessive or identifying information.
Practical Implications
When responding to employee requests:
- Provide aggregated and anonymised data
- Avoid sharing individual-level comparisons
- Apply consistent thresholds for disclosure
Lawful Basis for Processing Pay Data
Under GDPR, organisations must identify a lawful basis for processing personal data.
Legal Obligation
The national law transposing the Directive creates a legal obligation (GDPR Article 6(1)(c)) that serves as the lawful basis for processing pay data for the reporting and information duties it imposes.
Legitimate Interest
Ensuring fair pay practices may also constitute a legitimate interest (GDPR Article 6(1)(f)) where processing goes beyond what the law strictly requires, provided the employer carries out and records the balancing test against employees' interests.
Employers must:
- Document their chosen legal basis
- Ensure consistency in application
Transparency Toward Employees
Employers must inform employees about:
- How their pay data is used
- What information may be disclosed
- How privacy is protected
This is typically done through:
- Privacy notices
- Internal policies
Data Security Requirements
Organisations must ensure that pay data is stored securely, access-controlled, and protected against breaches.
Role-Based Access
Restrict compensation data to authorised personnel only
Encryption
Encrypt sensitive information at rest and in transit
Regular Audits
Conduct periodic reviews of data access logs and permissions
Documentation and Accountability
Article 9 reinforces the need for:
- Clear documentation of data handling practices
- Defined protocols for disclosure
- Records of decisions made in borderline cases
Practical Implementation — A Step-by-Step Approach
Map Pay Data
- Identify where pay data is stored
- Understand data flows within the organisation
Define Disclosure Rules
- Establish what can be shared
- Define thresholds for aggregation
Align with GDPR Requirements
- Identify lawful basis for processing
- Update privacy notices
Implement Safeguards
- Ensure anonymisation processes are in place
- Restrict access to sensitive data
Train HR and Management
- Ensure understanding of disclosure limits
- Prepare teams to handle requests appropriately
Common Pitfalls and Risks
Over-Disclosure
Sharing too much information increases the risk of individual identification and constitutes a GDPR breach alongside a Directive violation.
Under-Disclosure
Failing to meet transparency obligations by providing insufficient information exposes the organisation to Directive non-compliance.
Inconsistent Application
Different approaches across departments or lack of standardisation creates internal contradictions that increase regulatory risk.
Weak Data Governance
Poor data security practices and lack of clear accountability undermine both GDPR compliance and Directive obligations simultaneously.
Strategic Implications of Article 9
Stronger Data Governance
- Strengthen data management practices
- Align HR and legal functions
Clear Internal Policies
- Standardised disclosure protocols
- Defined responsibilities
Balancing Competing Priorities
- Transparency vs privacy
- Compliance vs operational practicality
Link to Enforcement
Failure to comply with data protection requirements may result in:
- GDPR-related penalties
- Regulatory scrutiny
- Reputational risk
Data protection failures do not exist in isolation. A breach of Article 9 can simultaneously constitute a GDPR violation and Directive non-compliance, compounding enforcement exposure under Article 10.
Key Takeaways
- Article 9 ensures that pay transparency is implemented within GDPR boundaries
- Employers must balance data disclosure with employee privacy
- Only aggregated and anonymised data should be shared
- Small group disclosures present significant risk
- Strong data governance and documentation are essential
Ready to align pay transparency with data protection?
GenderGov™ helps organisations define disclosure rules, implement anonymisation thresholds, and build the data governance structures needed to meet both Directive and GDPR obligations simultaneously.