GDPR - Business
Internal confidentiality agreements
It is common to have internal confidentiality agreements (a.k.a. non-disclosure agreements) for employees within a company, or alternatively a confidentiality clause in the employment contract. In addition, it is important to include a confidentiality clause in data processing agreements.
Confidentiality agreement or clause in the employment contract
It is common for employment contracts to contain a confidentiality clause. Alternatively, a separate non-disclosure agreement is added as an annex to the employment contract. In these cases, the confidentiality provisions are often formulated in general terms and are intended to protect the employer’s confidential information. The obligation of confidentiality therefore rests primarily with the employee. This is a unilateral confidentiality relationship, as opposed to a so-called mutual confidentiality relationship, which is less common in employment contracts.
Written agreements are the most appropriate
In many cases, oral and written agreements are equally valid, but a written agreement is far easier to prove in the event of a dispute. There is no formal requirement that a non-disclosure agreement must be in writing, so in theory it can be verbal. However, if it cannot be proved that the agreement was concluded, problems may arise, and the agreement should therefore be documented in writing.
Include a confidentiality clause in Data Processing Agreements
According to Article 28(3)(b) of the GDPR, a data processing agreement must contain a confidentiality clause. More specifically, it must state that the processor ensures that persons authorised to process the personal data have committed themselves to confidentiality. Alternatively, the processor must ensure that these persons are instead subject to an appropriate statutory duty of confidentiality.
Possible consequences without clear confidentiality requirements
- Data leaks
- Unauthorised disclosure of personal data
- Fines from regulators
- Damage to data subjects
The Data Processor should enter into a separate confidentiality agreement with its employees
The company, as a processor, should enter into a separate confidentiality agreement with its employees. The confidentiality agreement should specifically regulate the processing of personal data by staff covered by the data processing agreement. In this way, the processor can present this separate confidentiality agreement to the controller upon request, or the supervisory authority upon review. This means that the processor does not have to present the employees’ employment contracts, as confidentiality is separately regulated and not included as a confidentiality clause in the employment contract.
Examples of personal data that employees often have access to
- Personal data relating to customers
- Information about other employees
- Sensitive personal data
Not all employees need to always have access to personal data
It is not always necessary for everyone in a company to have access to all the personal data that the company processes, especially where it concerns privacy-sensitive personal data. Therefore, it is important to have appropriate authorisation management. For example, an accountant who manages all the finances of the company usually needs to process the personal data of all employees. This includes information about sick leave, which is sensitive personal data about health according to Article 9 of the GDPR. However, it is not necessary for everyone in the company to have access to such personal data.
What can a non-disclosure agreement contain?

Define what is confidential
It is important to define exactly what is confidential. For example, information about the company's customers, systems, and personal data processed within the business.

Clarify the prohibition
Make it clear that the dissemination of information to unauthorized third parties is not allowed.

Requirements to protect confidential information involving personal data
Specify how such information must be protected, for example by not reading confidential documents in public places and by storing them in a safe place.

Time limit for the confidentiality
It is not uncommon for confidentiality to continue even after employment for a certain number of years. In some cases, confidentiality may also apply after termination of employment, without limitation in time.

Consequences of non-performance
Be sure to include what happens if the confidentiality commitment is breached. For example, it can lead to labour law consequences, such as dismissal.

Refer to other internal policies of the company
It is not uncommon for the confidentiality agreement to refer to other internal policies, such as the company's various GDPR practices.

Have it as part of the onboarding process
Make sure that all new employees are informed about the confidentiality obligations, understand them, and sign before they are given access to the data. Alternatively, the confidentiality agreement can be reformulated into a confidentiality policy that is clearly referenced in the employment agreement. Even in these cases, the company should still obtain proof, through the employees' signatures, that they have actually read it.

Ensure staff training on a regular basis
It can be helpful to remind and train the staff regularly. Keep in mind that employees should understand what privacy actually means in practice.

Reminder during offboarding
It is important to remind departing employees of their confidentiality obligations during the offboarding process.

Certain roles and professions may require enhanced confidentiality
Some positions (such as finance, HR, and customer service) may require enhanced confidentiality, as these individuals may have access to quite sensitive information. The same applies to certain professional roles, such as psychologists and teachers.
When it may really be appropriate to have a non-disclosure agreement
- When employees use CRM systems to manage information about the employer’s customers.
- When employees administer personal data of staff.
- When employees work in IT support and, in the course of their work, get access to information about the employer’s customers, users, etc.
- When the company processes personal data in the role of data processor, on behalf of another actor that is the data controller.
Learn more
Clean-desk routine
Another organizational security measure that companies can usefully apply is a clean-desk routine, backed by a clean-desk policy. In other words, employees must not leave documents or other material containing personal data or other important information unsupervised and/or where unauthorized persons can see it. A clean-desk routine is a simple organizational measure that reduces the risk of unauthorized access to information.