GDPR Learning Hub


Internal non-disclosure agreements for employees

It is common for companies to have internal non-disclosure agreements for employees, or alternatively a confidentiality clause in the employment contract. In addition, it is important to include a confidentiality clause in data processing agreements.

Written agreements are the most appropriate

Oral and written agreements are in many cases equally valid, and there is no formal requirement that a non-disclosure agreement be in writing in order to be valid; in theory it can be oral. A written agreement is nevertheless recommended, because the existence and scope of an oral confidentiality agreement are hard to prove in the event of a dispute.

Non-disclosure agreements or a confidentiality clause in the employment contract

The employer should enter into a separate non-disclosure agreement with its employees rather than relying only on a confidentiality clause in the employment contract. External parties may ask to see the extent of the agreed confidentiality. It is then easier to present the separately concluded non-disclosure agreement, which can be an annex to the employment contract, than the employment contract itself: the internal non-disclosure agreement rarely contains privacy-sensitive personal data, whereas the employment contract does.

An alternative to individual non-disclosure agreements is a non-disclosure policy that applies to all employees. In that case the employment contract should refer to the policy and state that the employee undertakes to comply with it, so that each employee does not have to sign the policy separately.


Possible consequences without clear confidentiality requirements

  • Data leaks or other unauthorised disclosure of personal data;
  • Damage to data subjects from personal data breaches, such as unauthorised access to personal data following a breach of confidentiality;
  • Administrative fines from supervisory authorities for breaches of the GDPR.

Include privacy clause in Data Processing Agreements

Under Article 28(9) of the GDPR, a Data Processing Agreement must be in writing, including in electronic form. Under Article 28(3)(b), the contract must also include a clause whereby the processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. A Data Processing Agreement without such a clause is incomplete and does not meet the requirements of Article 28. The controller is also entitled to audit and inspect the processor's compliance (Article 28(3)(h)), so it is good practice for the processor to have internal confidentiality agreements with its employees that it can present on request.

Examples of personal data that employees often have access to

Name, e-mail address, telephone number, postal address, purchase history and other personal data belonging to the company's customers, registered in the company's IT system (e.g. customer register, financial system, CRM system, etc.). If the customers are corporate customers, the personal data of their contact persons and representatives is often processed.

Name, telephone number, e-mail address and any other personal data of other employees of the company.

Special categories of personal data (sensitive personal data) under Article 9 GDPR registered in the company's systems, for example information about sick leave, allergies, disabilities or other health data, and information about trade union membership or the like.

Not all employees always need to have access to personal data

It is rarely necessary for everyone in a company to have access to all the personal data that is processed, and especially not to privacy-sensitive personal data. Access should therefore be governed by appropriate authorization management, so that each role can reach only the data it needs (least privilege). For example, a CFO who handles day-to-day accounting and payroll usually needs to process personal data about all employees, including information about sick leave, which is sensitive personal data under Article 9. The other employees of the company do not need access to this data and should not have it.
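The least-privilege rule described above, as an added example in Python (this is not code from the GDPR Learning Hub). It classifies each field of an employee record once, maps roles to the sensitivity levels they may read, and refuses any non-self access until a non-disclosure agreement is on file. The role names, field classification, sample record and the `read_employee` function are assumptions made for illustration.

```python
"""Field-level, role-based access to an employee register (added example).

Rules implemented here (illustrative, not prescribed by the page):
1. A person may always read their own record.
2. Otherwise a field is readable only if its sensitivity level is within
   the requester's role clearance.
3. No signed non-disclosure agreement on file means no access to anyone
   else's data at all, whatever the role (the onboarding gate).
4. Unknown fields and every refused field are denied and written to an
   audit log, so access to Article 9 data can be reviewed afterwards.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Sensitivity(Enum):
    ORDINARY = "ordinary"      # contact details that colleagues may see
    RESTRICTED = "restricted"  # payroll data needed only by finance/HR
    SPECIAL = "special"        # Article 9 data: health, trade union membership


# Each attribute of an employee record is classified once, centrally.
# Field names are hypothetical.
FIELD_CLASS: Dict[str, Sensitivity] = {
    "employee_id": Sensitivity.ORDINARY,
    "name": Sensitivity.ORDINARY,
    "work_email": Sensitivity.ORDINARY,
    "phone": Sensitivity.ORDINARY,
    "home_address": Sensitivity.RESTRICTED,
    "salary": Sensitivity.RESTRICTED,
    "sick_leave_days": Sensitivity.SPECIAL,
    "union_member": Sensitivity.SPECIAL,
}

# Role -> sensitivity levels the role may read. Role names are hypothetical;
# "payroll" stands for the CFO/finance function in the text above.
ROLE_CLEARANCE: Dict[str, Set[Sensitivity]] = {
    "employee": {Sensitivity.ORDINARY},
    "it_support": {Sensitivity.ORDINARY},
    "payroll": {Sensitivity.ORDINARY, Sensitivity.RESTRICTED, Sensitivity.SPECIAL},
}


@dataclass
class User:
    user_id: str
    role: str
    nda_signed: bool  # set to True at onboarding once the NDA is signed


@dataclass
class AccessResult:
    data: Dict[str, object] = field(default_factory=dict)
    denied: List[str] = field(default_factory=list)


AUDIT_LOG: List[str] = []

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD: Dict[str, object] = {
    "employee_id": "e-1002",
    "name": "Alice Example",
    "work_email": "alice@example.test",
    "phone": "+46 700 000 000",
    "home_address": "Example Street 1",
    "salary": 45000,
    "sick_leave_days": 12,
    "union_member": True,
}


def read_employee(requester: User, record: Dict[str, object],
                  requested: List[str]) -> AccessResult:
    """Return only the requested fields the requester may see; log each denial."""
    result = AccessResult()
    own_record = record["employee_id"] == requester.user_id
    clearance = ROLE_CLEARANCE.get(requester.role, set())  # unknown role: no clearance
    for name in requested:
        level = FIELD_CLASS.get(name)
        allowed = level is not None and (
            own_record or (requester.nda_signed and level in clearance)
        )
        if allowed:
            result.data[name] = record[name]
        else:
            result.denied.append(name)
            AUDIT_LOG.append(
                f"DENY user={requester.user_id} role={requester.role} "
                f"target={record['employee_id']} field={name} "
                f"level={level.value if level else 'unknown'}"
            )
    return result


if __name__ == "__main__":
    cfo = User("e-0001", "payroll", nda_signed=True)
    colleague = User("e-1003", "employee", nda_signed=True)
    print(read_employee(cfo, SAMPLE_RECORD, ["name", "sick_leave_days"]))
    print(read_employee(colleague, SAMPLE_RECORD, ["name", "sick_leave_days"]))
    print("\n".join(AUDIT_LOG))
```

The point of keying the policy on a field's sensitivity class rather than on role-by-field exceptions is that adding a new Article 9 field to the register (a new health attribute, say) automatically stays hidden from every role except those already cleared for special category data.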

What should a non-disclosure agreement contain?

Define what is confidential

It is important to define exactly what counts as confidential, that is, the scope of the obligation of confidentiality and the meaning of the term 'confidential information', for example information about customers, specific systems, personal data and the like.


Clarify the prohibition

Make it clear that the employee may not disclose the information to external parties unless there is both a valid legal basis under the GDPR and a genuine need to share the data.


Requirements to protect personal data

The non-disclosure agreement should include requirements to protect personal data, for example that employees may not read confidential information in public places and must store it in a sufficiently secure manner. The employee should undertake to apply appropriate technical and organizational security measures to protect the personal data from unauthorized access, disclosure and use.


Duration of the confidentiality

It is common for confidentiality to remain binding after termination of employment, either indefinitely or for a certain number of years. The agreement should therefore state how long confidentiality applies after the employment ends.


Consequences of non-performance

State what happens if the employee breaches confidentiality. A breach can lead to labour law consequences, such as termination of employment with notice or summary dismissal.


Refer to other internal policies of the company

The non-disclosure agreement often also refers to other applicable internal policies, such as the IT security policy or the company's GDPR procedures.

Implement confidentiality in practice


Have it as part of the onboarding process

Make sure that all new employees are informed about the current non-disclosure rules, understand them and sign a non-disclosure agreement before they are given access to personal data.

Ensure staff training on a regular basis

Remind staff about confidentiality and train them regularly. Employees should understand what the confidentiality commitment means in practice and how it is maintained in day-to-day work.


What happens during offboarding

Remind departing employees about confidentiality at offboarding. Confidentiality often continues to apply after the employment has ended, either without limitation in time or for a fixed period.


Certain roles and professions may require enhanced confidentiality

Some professional roles (such as finance, HR and customer service) may require enhanced confidentiality, as these employees often have access to quite sensitive information. The same applies to certain professions, such as psychologists and teachers.

When it may really be appropriate to enter into internal non-disclosure agreements for employees

  • When employees use CRM systems to manage information about the company's customers;
  • When persons administer personal data of staff, for example externally hired accounting consultants or the CFO;
  • When people working in IT support get access to information about the company's customers or the users of its IT systems.


Learn more

Clean-desk routine

Another organizational security measure that companies can implement is a clean-desk routine with an associated clean-desk policy: employees do not leave documents or other material containing personal data or other important information unattended or where unauthorized persons can see it. A clean-desk routine is a simple organizational measure that reduces the risk of unauthorized access to information.
