Non-Disclosure Agreements in the EU operate within a complex legal framework that limits what can legitimately be kept confidential. The EU Trade Secrets Directive, GDPR, the EU Whistleblowing Directive, and national consumer protection laws all constrain how broadly confidentiality can be imposed. An NDA that ignores these limits — or worse, uses confidentiality to suppress legitimate disclosures — may be unenforceable in key respects, or even unlawful.
What is a Confidentiality Scope?
The scope of an NDA's confidentiality obligations defines what information must be kept secret, for how long, and who it can be shared with. In the EU, the Trade Secrets Directive (2016/943/EU), implemented in all member states by 2018, standardises the definition of a trade secret across the EU and provides civil remedies for misappropriation. But it also includes important carveouts: whistleblowing, journalism, freedom of expression, and disclosure to competent authorities cannot be suppressed by an NDA. GDPR also limits what personal data can be subject to confidentiality obligations.
Red flags to watch for
Under the EU Whistleblowing Directive (2019/1937/EU), employees and other persons have protected rights to report breaches of EU law to competent authorities. An NDA that purports to prevent such disclosures is unenforceable in this respect and may constitute an attempt to obstruct reporting.
The EU Trade Secrets Directive defines a trade secret as information that is secret, has commercial value, and has been subject to reasonable steps to maintain secrecy. An NDA that attempts to make all shared information confidential — regardless of whether it meets this threshold — is overbroad.
While indefinite confidentiality is not automatically void in EU jurisdictions, it is increasingly scrutinised — particularly in employment contexts. French and German courts, for example, have found indefinite NDAs on departing employees to be disproportionate in some circumstances.
Under the EU Whistleblowing Directive and national implementations, employees cannot be prevented from reporting workplace wrongdoing. An NDA that combines confidentiality with a broad non-disparagement clause in an employment contract risks overreach.
If the NDA involves sharing personal data (customer lists, employee data), GDPR Article 28 (data processing) or Article 26 (joint controller) obligations may apply. A contract that ignores the GDPR dimension of information sharing creates compliance risk for both parties.
Your legal rights
In the EU, trade secret protection is governed by the Trade Secrets Directive (2016/943/EU), implemented nationally. The Whistleblowing Directive (2019/1937/EU), implemented by member states from 2021, gives protected status to reporters of EU law violations regardless of confidentiality agreements. GDPR Article 9 prohibits certain processing of special category data and overrides contractual confidentiality obligations. National contract law (e.g., German BGB, French Code civil) also applies to NDA enforceability, and courts in member states have varied approaches to indefinite restrictions and disproportionate scope.
Questions to ask before you sign
- 1Does this NDA define confidential information clearly — particularly the trade secrets threshold?
- 2Does it include a carveout for disclosure to competent authorities, regulators, and whistleblowing channels?
- 3How long does the confidentiality obligation last, and is that proportionate to the information's commercial value?
- 4Does it cover personal data, and if so, does it include the required GDPR data handling provisions?
- 5Which member state's law governs the NDA, and what are the specific enforceability rules in that jurisdiction?
Disclaimer: This guide is for educational purposes only and does not constitute legal advice. Contract law varies by jurisdiction and individual circumstances. Always consult a qualified legal professional before making decisions based on this information.