How EU Member States Are Addressing Privacy and GDPR Considerations in Their Draft Legislation

This is the third blog in a new series of blogs that focuses on Article 7’s Right to Information requirement. Access the the first two blogs below:

• Blog 1: Challenges and How to Ensure Compliance 
• Blog 2: Response Deadlines and Annual Worker Notification Requirements 

As employers plan for Article 7 (Right to Information) under the EU Pay Transparency Directive (EUPTD), one question has continued to surface: 

How do we balance pay transparency with GDPR obligations?

The Directive provides a framework but leaves critical implementation decisions to Member States. The result is a mixed bag in how countries are interpreting and applying data protection principles in the context of pay transparency. 

However, a few key themes are emerging from the existing draft legislation. 

The EUPTD Framework: Transparency vs. Privacy

There are two key provisions in the EU Directive that address GDPR. 

• Recital 44 (non-binding): Any processing or publication of information under this Directive should comply with [the GDPR]. Specific safeguards should be added to prevent the direct or indirect disclosure of information of an identifiable worker. Workers should not be prevented from voluntarily disclosing their pay for the purpose of the enforcement of the principle of equal pay. 
• Article 12(3) (emphasis added): Member States may decide that, where the disclosure of information pursuant to Articles 7, 9, and 10 would lead to the disclosure, either directly or indirectly, of the pay of an identifiable worker, only the workers’ representatives, the labour inspectorate or the equality body shall have access to that information. 

This creates a policy choice for Member States: Should employees receive pay information directly, or only through an intermediary in certain cases?

GDPR Requirements in Practice

Across all draft transpositions, the GDPR baseline is consistent:

• Share only what is strictly necessary
• Protect individual financial privacy
• Limit use of data to the specific legal purpose (equal pay enforcement)

Under Article 6(1)(c) of the GDPR, processing is lawful when required to comply with a legal obligation. Under Article 6(3), that obligation must be:

• In the public interest, and
• Proportionate to the legitimate aim pursued

The key question Member States are answering differently is:

Does Article 7 already satisfy GDPR — or are additional restrictions needed?

Approach 1: No Additional Restrictions (Sweden and Netherlands)

Sweden and the Netherlands have taken the position that the Directive already satisfies GDPR requirements. Thus, additional limitations are unnecessary and undermine transparency. 

Key rationale:

• Legal basis is already established. The Directive itself provides the lawful basis for processing pay data.
• Purpose limitation is built in. Data can only be used to enforce the principle of equal pay.
• Proportionality is satisfied. Transparency is necessary for employees to assess whether discrimination exists.

Sweden’s Position

Sweden concluded that:

• Processing is necessary to meet Directive requirements
• No less intrusive alternative exists
• The benefits of transparency outweigh privacy concerns

Sweden also noted a practical reality: Income data is often publicly accessible, meaning restricting disclosure under Article 12(3) would not meaningfully protect privacy.

Netherlands’ Position

The Netherlands emphasized that:

• Employees cannot exercise their right to equal pay without access to actual information
• Restricting disclosure would undermine access to justice
• Requiring employees to act on secondhand advice (without seeing pay data) is not workable

Ultimately, both countries determined that implementing Article 12(3) would:

• Reduce transparency
• Weaken enforcement
• Create unnecessary friction in employee decision-making

Both Sweden and the Netherlands were concerned about the practical implication of Art. 12(3) requiring the information to be provided instead to workers’ representatives, the labour inspectorate or the equality body who would then be expected to advise workers on a possible claim under the Directive without disclosing the actual pay levels of individual workers.

Approach 2: Restrict Disclosure in Certain Cases 

Every other transposition draft to date has implemented the optional limitation on disclosure in Art. 12(3). No country to date, however, has set a specific threshold for those disclosures. 

Therefore, it is left to the employer in those cases to determine an appropriate, good faith threshold for the size of the worker category (or the minimum number of employees of each gender). More guidance could come from lower level regulations and guidance in each country.

How it works:

If disclosing information would reveal the pay of an identifiable employee:

• The employer provides the data only to:
  • Employee representatives
  • Equality bodies
  • Labour inspectorates
• The employee receives indirect guidance, rather than the underlying data

Key implications:

• Employers must assess whether a worker category is too small to safely disclose data
• No country has defined a strict threshold (yet)
• Decisions are left to employer judgment, applied in good faith

Example: Finland

Finland’s explanatory notes provide useful insight:

• If disclosure risks identifying an individual, data is shared only with a representative or the equality ombudsman
• The size of comparison groups varies
• While statistical practices often use a minimum threshold of ~5 employees, this is:
  • Not fixed
  • Determined case-by-case

A Notable Nuance: Poland’s Position

Poland has implemented Article 12(3), but noted in its accompanying explanatory notes its agreement with Sweden and the Netherlands that this is not a GDPR compliance issue.

“Article 12(3) of the Directive is optional.  The decision regarding its implementation is left to the discretion of the Member States.  This regulation goes beyond the requirements of the GDPR and is not necessary for data processing to comply with the GDPR.”

What Employers Should Do Now

The GDPR element remains a policy choice that can vary across Member States but clarity and consistency on this topic is starting to emerge. 

As draft legislation continues to evolve, employers should begin preparing for both models:

• Establish internal thresholds. Define criteria for when disclosure may risk identifying individuals.
• Develop jurisdiction-specific workflows. Prepare for variation in workflows depending on jurisdiction-specific alternative methods for disclosure. 
• Document decision-making processes. Ensure all disclosure decisions are consistent and defensible.
• Prepare for employee-facing communication. Particularly in jurisdictions allowing direct disclosure. 

How Trusaic Is Helping Clients Comply with Right to Information Requests 

At Trusaic, we are helping employers move from reactive compliance to scalable readiness.

First, organizations conduct a defensible pay equity analysis through PayParity®. This ensures that total remuneration is analyzed, unjustified gaps are identified and remediated using R.O.S.A., and ready for RTI disclosures. A validated pay equity analysis can provide confidence and a clear understanding of risk as companies begin RTI compliance. 

Second, we enable automated RTI workflows. Our bi-directional integrations with global HCM platforms allow pay equity data to flow securely from the Trusaic platform back into the HCM. Employees can then access their RTI reports directly within their existing HR systems. This eliminates manual report generation and reduces compliance risk.

For organizations that prefer platform-based access, RTI reports can also be generated and delivered securely through the PayParity platform, with role-based permissions and full auditability.

Reports can be generated instantly, refreshed regularly, and delivered in any EU language — easing the operational strain on organizations.

Finally, our expert advisory team will assist you in constructing your contextual narratives alongside RTI reports. (Note: Employers also have the option to utilize our in-platform  AI-powered contextual narrative support). Rather than presenting raw pay data without explanation, organizations can configure tailored narratives that reflect their pay philosophy and clarify wage-influencing factors. For large enterprises anticipating thousands of RTI interactions, this significantly reduces administrative burden while improving employee understanding.

Organizations that partner with us will not only be supported in meeting Directive’s requirements — they will enter this new transparency landscape with confidence and credibility.