The confidentiality agreement and GDPR

How is a confidentiality agreement defined according to the GDPR? 

The role of a confidentiality agreement is of utmost importance for ensuring compliance with the GDPR in companies. Since the implementation of the European General Data Protection Regulation (EU GDPR) in 2018, the significance of confidentiality has been further emphasized. Considering that most companies handle personal data as an integral part of their business operations, safeguarding this information becomes crucial. It's essential to understand that the declaration of confidentiality under the GDPR should not be confused with a confidentiality agreement aimed at protecting trade secrets. While the latter is commonly included in employment contracts, it cannot substitute the GDPR's declaration of confidentiality, which specifically focuses on the protection of collected and processed personal data.

What is the purpose of a confidentiality agreement, which is defined by the GDPR?

Clear procedures and requirements regarding the use of personal data are outlined in the GDPR. It explicitly states that personal data cannot be collected and processed without the explicit consent of the individuals involved. Companies must adhere to these defined principles when handling such data to avoid the risk of substantial fines and significant damage to their reputation.

Responsibility for the proper management of personal data does not solely rest with the management; it extends to all parties involved, including employees. The GDPR is intended to ensure that all employees who work with and have access to personal data act exclusively within the scope of the GDPR and treat the existing data confidentially.

Article 39 of the EU GDPR emphasizes the role of a designated data protection officer who is responsible for educating and informing employees about their obligations regarding data protection regulations. The data protection officer must also advise the data controller, processor, and employees on complying with the GDPR and monitor adherence to data protection obligations within the company. 

To ensure that the employees concerned are informed, these employees must sign a so-called DSGVO declaration of confidentiality, which makes the information comprehensible and verifiable. The core of the declaration of confidentiality is the principle that the signatory must treat the personal data as confidential in principle and may not pass on the data and information. For the signing to be understood, the employee concerned must have been informed about the definition of personal data and what the consequences of disregarding the defined rules may be. Companies legally protect themselves against violations of the workforce, but at the same time, companies can also use the declaration of confidentiality to prove their obligation to comply with the GDPR. This enables companies to establish and maintain demonstrably compliant processes for the collection and processing of personal data in accordance with the GDPR.

What content is required in a confidentiality agreement under the GDPR? 

The contents of this declaration mainly relate to the confidential and correct handling of personal data by employees. In terms of content, the following points should be part of a DSGVO-compliant declaration of confidentiality:

• How is the employment relationship structured, and what tasks and duration are outlined?
• A statement acknowledging compliance with the necessary confidentiality requirements.
• Clear identification of the confidential data and information included in the declaration.
• Explanation of the purpose for processing personal data
• Inclusion of provisions outlining the consequences in the event of potential breaches of data protection
• A defined period of validity that extends beyond the duration of the employment relationship

The principles of handling personal data must be clearly defined in a GDPR confidentiality agreement. A non-disclosure agreement regarding personal data should be able to have the following definitions:

• Personal data must be processed lawfully and fairly and in a manner that is comprehensible to the data subjects. The principles of "lawfulness", processing in "good faith" and "transparency" apply here
• Personal data may only be collected for specified, explicit and legitimate purposes. They are subject to purpose limitation and may not be further processed if they are not used for the above purposes
• The processing of personal data must be reduced to a necessary level (principle of data minimization). The collection of data must be appropriate to the purpose
• Data must always be correct. If the data is not factually correct, the principle of "accuracy" comes into force. If the data is not up to date, measures must be taken to trigger the deletion of the data or to bring the data up to date
• Personal data may only be stored in a form that is necessary for the duration of use. Identification of data subjects is only possible within this period (principle of storage limitation)
• It must be ensured that the personal data is only processed in such a way that the protection of the information is guaranteed at all times. This includes unauthorized and unlawful processing, unintentional loss, accidental destruction or non-intentional damage to the data. These points are ensured by technical and organizational measures (TOM) and thus cover the points "integrity" and "trust". When processing personal data, the instructions of a data controller must always be obtained. Individual instructions, process descriptions, flow charts, general service instructions, internal agreements, manuals and documentation are considered to be work instructions with regard to personal data

Breach of GDPR Confidentiality Clause: Consequences and Considerations 

A breach of the confidentiality clause can have serious repercussions, including potential fines or imprisonment. It is important to note that such a breach may not only constitute a violation of contractual obligations under the employment contract but also breach general confidentiality obligations. Additionally, civil damage claims may arise as a result of the breach. It is worth highlighting that the confidentiality declaration does not affect any agreements stipulated in the service-employment contract. Crucially, the confidentiality obligation remains in effect even after the termination of the employment relationship.

To ensure comprehensive and transparent information, it is advisable to provide a separate information sheet along with the confidentiality agreement. This annex should contain all relevant legal articles, enabling the employee to be fully informed. The actual declaration of confidentiality should be presented to the employee as a distinct document, allowing it to be easily accessed during official inspections. This eliminates the need to present the entire employment contract to the supervisory authority, should a review be required.

The declaration of confidentiality must be in written form, fulfilling the employer's documentation and proof obligations while aligning with EU GDPR requirements. Whether recorded in written or electronic format is immaterial. A copy of the declaration should be provided to the employee, and the employee-signed copy should be securely stored in the personnel file, ensuring maximum transparency and accountability.

Who is obliged to sign the GDPR declaration of confidentiality?

When signing a GDPR declaration of confidentiality, it is crucial to ensure complete data security within the company. Therefore, it is mandatory for all individuals involved to sign the declaration of confidentiality. This requirement applies to all groups of people who handle personal data, including those involved in its collection, storage, or processing as part of daily business operations. Temporary staff, interns, freelancers, and other similar groups of individuals must also sign the GDPR declaration of confidentiality. In most cases, employees across various roles within a company have access to personal data and information. Hence, nearly all employees will be required to sign a GDPR declaration of confidentiality. Even for groups of individuals who do not currently handle sensitive data, a declaration of confidentiality is still important. This is because job responsibilities can evolve in the course of day-to-day operations, and by signing the declaration, such cases are also appropriately addressed in compliance with data protection standards.