Data Protection

The confidentiality agreement and GDPR

Confidentiality agreement
Arthur
16.06.2023

The General Data Protection Regulation (GDPR) not only obliges companies to secure IT systems or document processes properly - the human factor is also crucial. Data protection does not start with the firewall, but with the employees. As soon as someone in a company works with personal data - such as customer data, employee information or health data - this person must be obliged to maintain confidentiality. In concrete terms, this means that they must confirm in writing that they have been informed of their obligations under data protection law and undertake not to disclose or use any personal data without authorization.

What is a confidentiality agreement?

The non-disclosure agreement - often also referred to as a confidentiality agreement (NDA) or “commitment to data secrecy” - is a central component of data protection practice in companies. This is a document in which employees or external persons make a binding commitment to treat all personal data to which they have access in the course of their work as confidential.

Everyday example:
A customer service employee sees addresses, emails and complaints from customers every day. Without a confidentiality agreement, there is a high risk of such information being leaked - intentionally or accidentally. This is exactly what the declaration aims to prevent.

In contrast to general loyalty clauses in employment contracts, the confidentiality agreement is specifically aimed at data protection regulations - in particular the GDPR and national data protection laws. It therefore not only serves to protect trade secrets, but is also intended to ensure that companies fulfill their legal responsibility to protect personal data.

Is a confidentiality agreement mandatory under the GDPR?

Yes, in many cases it is even required by law.

The GDPR obliges companies to take appropriate technical and organizational measures to protect personal data from unauthorized access or misuse (Art. 5 para. 1 lit. f and Art. 32 GDPR). This also includes obliging all persons who work with this data to maintain confidentiality.

The German Federal Data Protection Act (BDSG) also specifies this obligation. Section 53 BDSG states:

"Persons engaged in data processing shall not process or disclose personal data without authorization. This obligation shall continue to apply even after their employment has ended."

Important: The obligation must be active, documented and individual - blanket provisions in a standard employment contract are not sufficient.

Who has to sign a confidentiality agreement?

In principle, all persons who have access to personal data in the course of their work are affected. Specifically, this includes:

  • All internal employees, e.g. in HR, IT, marketing or sales
  • External service providers (e.g. IT support, marketing agencies, accounting services)
  • Freelancers and consultants
  • Interns and working students
  • Volunteers and temporary staff
  • Processors, if applicable (in accordance with Art. 28 GDPR, in addition to the data processing agreement (DPA))

What must be included in the confidentiality agreement?

A GDPR-compliant confidentiality agreement should contain at least the following points:

  1. Reference to Art. 5 and Art. 32 GDPR and Section 53 BDSG
  2. Definition of what constitutes personal data (e.g. names, contact details, IP addresses, health information)
  3. Duty of confidentiality during and after the activity
  4. Reference to consequences under employment or civil law in the event of violations
  5. Date, signature and, if applicable, information about training or data protection officers

Important for companies:
The signed confidentiality agreement is not only an organizational step, but also an important part of the obligation to provide evidence in accordance with Art. 5 para. 2 GDPR (“accountability”). Companies must be able to prove that they have taken appropriate measures to protect personal data - this also includes proof that all persons involved have been obliged to maintain confidentiality.

Practical tip: Keep the signed declarations in digital or analog form in a traceable format - ideally with a note on training or instruction. This way, you can prove that your company has fulfilled its obligations in the event of a data protection audit.

Common mistakes in the confidentiality agreement

  • No individual obligation, just a passage in the employment contract
  • No reference to the GDPR or Section 53 BDSG
  • No update in the event of new requirements or role changes
  • No training or documentation of the handover

Tip: A one-off signature is not enough - regular updates (e.g. onboarding, job changes or new tools) increase security and liability coverage.

Role of the data protection officer

The GDPR does not only impose obligations on companies as a whole - the data protection officer (DPO) also plays a crucial role in ensuring internal data protection compliance.

According to Article 39 GDPR, it is a central task of the data protection officer to

“monitor compliance with this Regulation” and “inform and advise controllers, processors and employees carrying out processing operations”.

In concrete terms, this means:

  • Employees must be informed about their obligations when handling personal data.
  • Ideally, this information is provided as part of data protection training or onboarding processes.
  • The confidentiality agreement not only serves as legal protection, but also as documented proof that the person concerned has been informed accordingly.

Tip: The task of providing information should not be seen as a one-off formality. Data protection is an ongoing process - regular reminders and follow-up training are useful and even necessary in many industries.

FAQ on the declaration of confidentiality (GDPR)

Do I have to obligate each employee individually?
Yes - blanket provisions in the employment contract are not sufficient.

Does confidentiality also apply after leaving the company?
Yes, according to Section 53 BDSG, the obligation continues to apply even after termination of the employment relationship.

Do I also need a declaration for service providers?
Absolutely - either in the employment contract or separately. A separate declaration is recommended for freelancers.

Conclusion: No obligation - no data protection

The best data protection software is of little use if people are not involved. With a declaration of confidentiality in accordance with the GDPR, you protect yourself legally, raise awareness in the team and show that data protection is taken seriously in the company.