How is a declaration of confidentiality defined according to the GDPR?
A confidentiality agreement plays an extremely important role in a company's compliance with the GDPR. In 2018, the European General Data Protection Regulation (EU GDPR) came into force and once again brought the issue of confidentiality into focus. Most companies handle or work with personal data, which is often a cornerstone of business operations. An important point about the declaration of confidentiality under the GDPR is that it must not be confused with a declaration of confidentiality for the protection of trade secrets. That kind of confidentiality declaration is usually contained in the employment contract to be signed, but it does not replace the confidentiality declaration under the GDPR, which expressly relates to the protection of the personal data that is collected and processed.
What is the purpose of a confidentiality agreement as defined in the GDPR?
With regard to the use of personal data, the GDPR sets out clear procedures and requirements. The GDPR stipulates that personal data may not be collected and processed without the clear consent of the person concerned. Companies that have access to this type of data must adhere to these defined principles. If they do not, they risk high fines and an economically unpredictable loss of reputation. With regard to the proper handling of personal data, the GDPR does not hold management alone responsible. Rather, everyone involved, that is, the company's employees, is obliged to guarantee the confidentiality of the existing data. The GDPR is intended to ensure that all employees who work with and can view personal data operate only within the framework of the GDPR and treat the existing data confidentially.
According to Article 39 of the EU GDPR, the designated data protection officer must inform the employees of the company concerned about the data protection regulations they must comply with and explicitly point these regulations out to them. The GDPR defines this as the data protection officer's duty to inform and advise the controller, the processor and the employees about their obligations under the GDPR. In addition, the data protection officer must ensure and monitor compliance within the company with the other data protection obligations of the EU member states.
To ensure that the employees concerned have been informed, they must sign a so-called GDPR confidentiality agreement, which makes the instruction comprehensible and verifiable. The core of the confidentiality agreement is the principle that the signatory must treat personal data confidentially and may not pass on the data and information. For the signature to be meaningful, the employee concerned must have been informed about the definition of personal data and about the consequences that disregarding the defined rules can entail. Companies thereby protect themselves legally against violations by the workforce, and at the same time the declaration of confidentiality lets companies meet their obligation under the GDPR to provide evidence. This means that companies are always able to design all processes related to the processing and collection of personal data in a demonstrably GDPR-compliant manner.
What content is required in a declaration of confidentiality in accordance with the GDPR?
The content of this declaration mainly relates to the confidential and correct handling of personal data by employees. The following points should be part of a GDPR-compliant declaration of confidentiality:
• How is the employment relationship structured? Which tasks and which duration are defined?
• A declaration of compliance with the required confidentiality.
• The definition of the confidential data and information that are part of the declaration.
• The purpose of processing the personal data.
• A clause on the consequences of any data protection violations.
• A specification of the period of validity, which also extends beyond the duration of the employment relationship.
The principles of handling personal data must be clearly defined in a GDPR confidentiality agreement. A confidentiality agreement relating to personal data should set out the following principles:
• Personal data must be processed lawfully, fairly and in a way that is understandable for the data subjects. The principles of "legality", processing in accordance with "good faith" and "transparency" apply here.
• Personal data may only be collected for specified, explicit and legitimate purposes. The data is bound to these purposes and may not be further processed for anything other than the purposes stated above.
• The processing of personal data is to be reduced to what is necessary (principle of data minimization). The collection of the data must be appropriate for the purpose.
• The data must always be correct. If the data is factually incorrect, the principle of "correctness" comes into effect. If the data is not up to date, measures must be taken to trigger the deletion of the data or to bring the data up to date.
• Personal data may only be stored in a form that permits identification of the data subjects for as long as is necessary for the purpose of use (principle of storage limitation).
• It must be guaranteed that personal data is only processed in such a way that the information is protected at all times. This includes protection against unauthorized and unlawful processing, unintentional loss, unintentional destruction and unintentional damage to the data. These points are ensured by technical and organizational measures (TOM) and thus cover the principles of "integrity" and "confidentiality". When processing personal data, the instructions of the controller (the person responsible) must generally be obtained. Work instructions relating to personal data include individual instructions, process descriptions, flow charts, general service instructions, internal agreements, manuals and documentation.
Content and form of the GDPR non-disclosure clause
The confidentiality clause should point out that a breach may result in a fine or imprisonment. A breach of the confidentiality clause can also constitute a breach of contractual obligations under the employment contract or a breach of other confidentiality obligations. Attention should also be drawn to any (civil law) claims for damages that may result from a violation. It should be noted that the provisions of the employment contract remain unaffected by the confidentiality agreement. An important point is that the confidentiality obligation remains valid even after termination of the employment relationship.
It is generally advisable to attach a separate information sheet to the confidentiality agreement, containing all the relevant articles of the law. This appendix ensures that the employee is fully and transparently informed. The actual confidentiality declaration should be given to the employee as a separate document. This has the advantage that the declaration can be presented on its own during an official inspection, so that the entire employment contract does not have to be shown to the supervisory authority if it requests a review.
The confidentiality agreement should be in writing. The employer thus fulfills the documentation requirement and implements the declaration in accordance with the EU GDPR. It does not matter whether the declaration of confidentiality is recorded on paper or in electronic form. A copy of the declaration is given to the employee, and the copy signed by the employee is added to the personnel file for safekeeping. This guarantees the greatest possible transparency.
Who is required to sign the GDPR confidentiality agreement?
Complete data security must always be guaranteed within the company. For this reason, it is imperative that all persons involved sign the GDPR confidentiality agreement. This applies to every group of people who come into contact with personal data, that is, who collect, store or process it in day-to-day business. The GDPR confidentiality agreement must also be signed by temporary workers, interns, freelancers and similar groups. Since most employee groups in a company come into contact with personal data and information, almost all employees will have to sign a GDPR confidentiality agreement. A declaration of confidentiality is also useful for groups of people who do not appear to come into contact with the security-relevant data, because workflows can shift in day-to-day business, and once the declaration has been signed this case is also covered in accordance with data protection regulations.