
Non-Disclosure Agreement (NDA): Practical Guide

NDA guide for Spain: legal basis under Civil Code and Trade Secrets Act (Law 1/2019), timing in M&A processes, injunctive relief available and post-termination duration recommendations.


A non-disclosure agreement (NDA) — also known in Spanish as an acuerdo de confidencialidad — is the legal instrument through which one or more parties undertake not to disclose information entrusted to them in the context of a commercial relationship, negotiation or collaboration. In Spain, its legal effectiveness rests on two pillars: the general contract law regime under the Civil Code (Articles 1254 to 1258) and, since March 2019, the specific regime of Law 1/2019 of 20 February on Trade Secrets.

Law 1/2019 transposes EU Directive 2016/943 on the protection of undisclosed know-how and business information. Before this law, protection of trade secrets was channelled primarily through the Unfair Competition Act and the Criminal Code (Articles 278–280, which criminalise the discovery and disclosure of trade secrets with prison sentences of up to four years).

Law 1/2019 establishes three cumulative requirements for information to qualify for protection as a trade secret: it must be secret (not publicly known or easily accessible), it must have commercial value by virtue of being secret, and it must have been subject to reasonable steps to keep it secret by the person who controls it. An NDA is precisely one of those reasonable steps — its existence evidences that the holder took active precautions to preserve confidentiality.

The law also broadens the remedies available to the holder: civil actions for cessation of the infringing conduct, removal of consequences, damages, attribution of ownership of infringing goods, and publication of the judgment. Interim measures — particularly a provisional injunction against use or disclosure — are especially important in M&A processes or licensing agreements where information leakage can have irreversible consequences.

Types of NDA: Unilateral and Mutual

A unilateral NDA binds only one party to maintain confidentiality. It is the standard model when one party (the disclosing party) shares information with a potential investor, buyer or supplier (the receiving party) without any reciprocal exchange of confidential information. Its simplicity is an advantage; the downside is that the receiving party may perceive it as an assertion of negotiating imbalance.

A mutual or bilateral NDA binds both parties on equal terms. It is the appropriate model for joint ventures, strategic alliances, technology collaboration negotiations, or any process in which both parties disclose sensitive information. Although its drafting is more complex — since the definitions and exclusions must be carefully calibrated for both directions of information flow — it provides better mutual protection and is typically required by the party with greater bargaining power.

Essential Clauses of an Enforceable NDA

A generic NDA downloaded from the internet has limited legal value if it does not precisely capture the elements that define its scope. The indispensable clauses are:

Definition of confidential information. This must be broad enough to cover all relevant information — technical, commercial, financial, strategic — but not so generic as to be legally unworkable. In M&A transactions, standard practice is to treat as confidential all information disclosed in the context of the process, with express carve-outs for information already in the public domain before disclosure, information previously known to the recipient, and information independently developed by the recipient without using the disclosed information.

Obligations of the receiving party. These must specify: the duty not to disclose to unauthorised third parties; the duty to use the information only for the agreed purpose (purpose limitation); the duty to apply security measures equivalent to those used for the party’s own confidential information; and the list of persons authorised to access the information on a need-to-know basis.

Duration. The duration of the confidentiality obligation must be distinguished from the duration of the underlying agreement. In Spain, two to five years is typical for commercial information; longer periods (or even indefinite obligations while the information retains its secret character) are appropriate for technical secrets or know-how. A duration that is excessively indefinite may be challenged by courts, although Law 1/2019 does not set an express maximum period.

Governing law and jurisdiction. In cross-border contracts, it is essential to specify the applicable law (under the Rome I Regulation) and the competent jurisdiction or arbitration institution. Omitting this clause in contracts with foreign parties can result in expensive proceedings to determine applicable law before the substance of the dispute is even addressed.

Consequences of breach. Including a liquidated damages clause — setting a pre-agreed indemnity for breach — greatly facilitates judicial claims, as it removes the burden of proving specific loss. Under Article 1154 of the Civil Code, courts may moderate the agreed penalty where the main obligation has been partially performed, so it is advisable to draft the clause specifically for each type of breach scenario.

NDAs in M&A Transactions

In mergers and acquisitions, the NDA — also called the confidentiality agreement — is the first document the parties sign, even before the letter of intent (LOI). Its function in this context is specific: to protect the information in the data room, financial projections, customer base, supplier contracts and any other sensitive information the seller discloses to enable the buyer’s due diligence.

A common M&A practice is to include a standstill clause in the NDA, prohibiting the recipient — for a defined period — from acquiring shares in the target company or launching a takeover bid without the consent of the seller’s board. This clause, of Anglo-Saxon origin, is fully valid under Spanish law, although its enforceability must be analysed in the context of the Securities Market Act and takeover regulations (Royal Decree 1066/2007).

Another important M&A-specific clause is the restriction on using disclosed information to directly approach the target’s customers, employees or suppliers for the recipient’s own commercial benefit — an “anti-circumvention” provision that is distinct from and supplements the basic confidentiality obligation.

NDA and GDPR Interaction

Where confidential information includes personal data, the NDA must be coordinated with obligations under Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPD-GDD). Disclosure of personal data in a due diligence process may require execution of a data processing agreement (Article 28 GDPR) or, as the case may be, a joint controller agreement (Article 26 GDPR), independently of the NDA.

Breach of GDPR in this context can generate, in addition to contractual liability under the NDA, administrative fines of up to €20m or 4% of global annual turnover under Article 83 GDPR. Companies that treat an NDA as sufficient protection for personal data shared in a transaction without also addressing GDPR compliance are exposed on two separate legal fronts.

Enforcing an NDA Before Spanish Courts

The practical enforceability of an NDA before Spanish courts depends substantially on the precision of its drafting. Courts have declined to enforce confidentiality clauses where: the definition of confidential information was so broad as to be contrary to good faith principles; the post-employment duration was indefinite in a labour context where the Supreme Court limits non-disclosure covenants; or there was no identifiable consideration because the NDA was signed in isolation without an underlying transaction.

For maximum enforceability, the NDA should be specific in defining the information protected, reasonable in its duration, linked to an identifiable commercial relationship, and should expressly acknowledge the holder’s right to seek interim relief under Article 23 of Law 1/2019.

At BMC our commercial law team drafts and reviews NDAs tailored to each context — M&A transactions, commercial collaborations, technology agreements, startup funding — ensuring full enforceability under Spanish and EU law. See our commercial law services.
