Non-Disclosure Agreement — Disclosure (Ireland)

A Non-Disclosure Agreement — Disclosure in Ireland binds the parties to keep specified information confidential and limits how it may be used or disclosed, and is governed by the Trade Secrets Directive (EU 2016/943, transposed). It restricts disclosure and use of designated confidential information between the disclosing and receiving parties.

The legal protection of confidential information in Ireland derives from three principal sources. The first is the common law doctrine of breach of confidence, a well-established equitable remedy under Irish law. The leading Irish authority is House of Spring Gardens Ltd v Point Blank Ltd [1984] IR 611, in which the Supreme Court confirmed that a duty of confidence arises when information of a confidential nature is communicated in circumstances importing an obligation of confidence. The common law protects against the unauthorised use or disclosure of information that has the necessary quality of confidence.

The second source of protection is the European Union (Protection of Trade Secrets) Regulations 2018 (S.I. No. 188 of 2018), which transposed EU Directive 2016/943 into Irish law. These Regulations provide a statutory framework for the protection of trade secrets. Under Regulation 2, a trade secret is defined as information that is secret (not generally known among persons in the circles that normally deal with such information), has commercial value because it is secret, and has been subject to reasonable steps by the holder to keep it secret. Under Regulation 4, the unlawful acquisition, use, or disclosure of a trade secret is actionable. The limitation period for trade secret claims under Regulation 9 is three years from the date the holder became aware (or ought reasonably to have become aware) of the unlawful conduct, the identity of the infringer, and the information qualifying as a trade secret. The Regulations provide for civil remedies including injunctions, damages, corrective measures, and the publication of judicial decisions. They represent a significant strengthening of trade secret protection in Ireland by providing a clear, harmonised statutory framework alongside the pre-existing common law protections.

The third source is the General Data Protection Regulation (EU) 2016/679 (GDPR), which has direct effect in Ireland as an EU Member State, supplemented by the Data Protection Act 2018. Where confidential information includes personal data, the GDPR imposes strict obligations on the processing, security, storage, and transfer of that data. Ireland's Data Protection Commission (DPC), headquartered in Dublin, is the lead supervisory authority for many of the world's largest technology companies under the GDPR's one-stop-shop mechanism, making Ireland a particularly important jurisdiction for data protection compliance.

An NDA can be unilateral (one party discloses, the other receives) or mutual (both parties disclose and receive confidential information). Mutual NDAs are common in commercial negotiations, joint ventures, and technology partnerships where both parties share sensitive business information. A unilateral NDA is more appropriate when only one party is disclosing sensitive information — such as when a business shares its business plan with a prospective investor, or when an employer shares trade secrets with a new employee.

In the employment context, NDAs are an important supplement to the implied contractual duty of fidelity that exists during employment, and they serve the critical function of extending confidentiality obligations beyond the termination date. Irish courts recognise and enforce post-employment confidentiality obligations in NDAs, provided the obligations are reasonable in scope and duration and are directed at protecting genuine trade secrets rather than preventing the former employee from using their general professional skills and experience. Employers in Ireland across all sectors — from technology and pharmaceuticals to professional services and manufacturing — routinely include NDAs as standard documentation for employees who will have access to commercially sensitive business information.

An Irish Non-Disclosure Agreement is needed whenever confidential information, trade secrets, or proprietary business data is to be shared between parties in a commercial, employment, or transactional context in Ireland. The NDA provides a contractual framework that supplements the common law and statutory protections available under Irish law, giving the disclosing party greater certainty and control over how its confidential information is used and protected.

You need an Irish NDA when you are: entering into commercial negotiations for a business acquisition, merger, investment, or joint venture where due diligence requires the disclosure of sensitive financial, operational, or strategic information; engaging a consultant, contractor, or service provider who will have access to your proprietary business information, customer data, or technical know-how; sharing a business plan, invention, software code, or creative work with potential investors, partners, or co-developers before formal intellectual property protections (such as patent applications or copyright registrations) are in place; hiring employees or directors who will have access to confidential business information, trade secrets, or commercially sensitive data; collaborating with another business on a joint project, technology development, or research initiative that involves the exchange of proprietary technical information; or outsourcing business functions such as IT services, payroll, or customer support to a third-party provider that will process your confidential data or personal data.

In the employment context, NDAs are frequently used as part of the terms of employment or as standalone agreements signed by employees at the commencement of their employment. Under Irish employment law, employees owe an implied duty of fidelity and confidentiality to their employer during the employment relationship, but this implied duty is limited after the employment ends. A well-drafted NDA extends confidentiality obligations beyond the termination of employment, subject to the requirement that post-employment restrictions must be reasonable in scope and duration to be enforceable.

Irish NDAs must be drafted with awareness of the Protected Disclosures Act 2014 (as amended by the Protected Disclosures (Amendment) Act 2022), which protects whistleblowers who report wrongdoing. Any NDA that purports to restrict a person's right to make a protected disclosure under the Act is void and unenforceable. NDAs should include an express carve-out for protected disclosures to avoid any risk of invalidity.

Where the confidential information includes personal data, the NDA must address GDPR compliance, including the lawful basis for disclosure, the security measures required of the recipient, data breach notification obligations, and any restrictions on transferring personal data outside the EEA.

Under the Companies Act 2014, the Companies Registration Office (CRO) maintains the register of Irish companies. Section 343 of the Companies Act 2014 sets annual confirmation obligations. The Competition and Consumer Protection Commission (CCPC) enforces the Consumer Rights Act 2022. The Central Bank of Ireland regulates financial services under the Central Bank Act 1971. The High Court of Ireland has jurisdiction under Section 212 of the Companies Act 2014.

A thorough Irish Non-Disclosure Agreement should contain several essential provisions to provide effective protection for confidential information and trade secrets under Irish law.

The definition of confidential information is the most critical clause in any NDA. It should be drafted broadly enough to capture all the types of information the disclosing party intends to protect — including business plans, financial data, customer lists, technical specifications, trade secrets, software code, marketing strategies, and personnel information — while being specific enough to give the receiving party clear notice of what is protected. The definition should also specify the format of protected information (written, oral, electronic, visual) and clarify that information disclosed orally is protected if identified as confidential at the time of disclosure and confirmed in writing within a specified period.

The obligations of the receiving party clause should require the recipient to keep the confidential information secret, to use it only for the specified purpose (the purpose limitation), not to disclose it to any third party without the discloser's prior written consent, to limit access to those of its employees, directors, and advisors who need to know the information for the specified purpose, and to confirm that those persons are bound by confidentiality obligations no less protective than those in the NDA.

The exclusions clause defines what is not considered confidential information. Standard exclusions include information that was already in the public domain at the time of disclosure, information that enters the public domain after disclosure through no fault of the receiving party, information that the receiving party can demonstrate was already in its possession before disclosure, and information that the receiving party independently developed without reference to the confidential information.

The permitted disclosures clause addresses situations where the receiving party may be compelled to disclose confidential information by law, court order, or regulatory requirement. The NDA should require the receiving party to give the discloser prompt notice of any compelled disclosure (to the extent legally permitted) and to cooperate with the discloser in seeking a protective order or other appropriate remedy.

The trade secrets clause should expressly reference the European Union (Protection of Trade Secrets) Regulations 2018 (S.I. No. 188/2018) and confirm that information meeting the definition of a trade secret under the Regulations receives the enhanced protections provided by those Regulations, in addition to the contractual protections in the NDA.

The GDPR and data protection clause must address the handling of personal data disclosed under the NDA. It should identify the types of personal data, the lawful basis for disclosure under Article 6 GDPR, the security measures required under Article 32 GDPR, data breach notification obligations under Articles 33 and 34 GDPR, and restrictions on transfers of personal data outside the EEA.

The term and duration clause specifies how long the confidentiality obligations last. In Ireland, there is no statutory limit on the duration of NDA obligations, but the obligations must be reasonable. A typical duration is three to five years from the date of disclosure, although trade secret obligations may continue indefinitely for as long as the information retains the quality of a trade secret.

The remedies clause should acknowledge that a breach of the NDA may cause irreparable harm that cannot be adequately compensated by damages alone, and that the disclosing party is entitled to seek injunctive relief from the Irish High Court without the need to prove actual damage. The clause should also preserve the discloser's right to claim damages, an account of profits, and any other remedies available at law or in equity.

The return or destruction clause requires the receiving party to return or destroy all copies of confidential information (including electronic copies) on termination of the NDA or on request by the disclosing party, and to certify in writing that it has done so.

The governing law and jurisdiction clause should specify that the NDA is governed by Irish law and that the Irish courts have exclusive jurisdiction to resolve disputes arising out of or in connection with the NDA. The forms-legal.com Non-Disclosure Agreement (Ireland) template covers the mandatory elements under Trade Secrets Directive (EU 2016/943, transposed).

An Irish Non-Disclosure Agreement (Ireland) must navigate the intersection of three bodies of law to provide effective and enforceable protection for confidential information and trade secrets.

The foundational authority in Irish law on breach of confidence is House of Spring Gardens Ltd v Point Blank Ltd [1984] IR 611, in which the Supreme Court of Ireland confirmed the equitable jurisdiction to restrain breach of confidence and set out the three conditions for a duty of confidence to arise: the information must have the necessary quality of confidence; it must have been communicated in circumstances importing an obligation of confidence; and there must be an actual or threatened unauthorised use. This authority remains the leading statement of the common law of confidence in Ireland and is applied by the High Court and Commercial Court in confidentiality disputes. Where an NDA is in place, the contractual obligation supplements the equitable duty — meaning that a disclosing party can sue both for breach of contract and for the equitable wrong of breach of confidence.

Post-employment confidentiality restrictions in NDAs must comply with the Irish doctrine of restraint of trade. The High Court examined the enforceability of confidentiality clauses in the employment context in Murgitroyd & Company Ltd v Purdy [2005] IEHC 159. In that decision, the Court considered the principles applicable to restraint of trade clauses in employment agreements and confirmed that restrictions that protect genuine trade secrets are enforceable, while restrictions that purport to prevent a former employee from using their general professional skills and knowledge are not. A post-employment confidentiality obligation in an NDA must therefore be limited to information that genuinely qualifies as a trade secret under the European Union (Protection of Trade Secrets) Regulations 2018 — vague obligations purporting to protect 'all confidential information' indefinitely after termination are vulnerable to challenge on restraint-of-trade grounds.

The second pillar of NDA legal requirements is the European Union (Protection of Trade Secrets) Regulations 2018 (S.I. No. 188 of 2018). These Regulations define a trade secret as information that is not generally known, has commercial value by virtue of its secrecy, and has been subject to reasonable steps to maintain secrecy (Regulation 2). An NDA is the principal mechanism by which a holder demonstrates 'reasonable steps' — without a written NDA, a holder risks being unable to prove that it treated the information as genuinely confidential. Regulation 4 makes the acquisition, use, or disclosure of a trade secret in breach of a confidentiality agreement a civil wrong, and the Regulations provide for injunctions, damages, corrective measures, and the publication of judicial decisions as remedies.

The third legal requirement is compliance with the Protected Disclosures (Amendment) Act 2022. Section 10 renders void any contractual term that purports to prohibit or restrict a worker from making a protected disclosure. Every NDA that applies to workers (including employees, contractors, and consultants) must include an express carve-out confirming that the confidentiality obligations do not restrict the right to make a protected disclosure under the Act. Failure to include this carve-out creates a risk that the NDA is void to the extent that it purports to suppress protected disclosures — and may expose the employer to criminal liability under section 20 of the 2022 Act if a worker is penalised for making a protected disclosure.

An Irish Non-Disclosure Agreement (Ireland) is one of the most commonly misused and poorly drafted commercial documents in practice. Errors in scope, procedure, and legal compliance result in NDAs that provide little or no protection when a breach occurs, or that expose the drafter to liability. The following mistakes are among the most common encountered in Irish commercial practice.

1. Disclosing confidential information before the NDA is signed. Many businesses begin sharing sensitive information — in emails, presentations, or meetings — before the NDA documentation is finalised and signed. A gap in NDA coverage may leave the disclosing party reliant solely on the common law duty of confidence (established in House of Spring Gardens Ltd v Point Blank Ltd [1984] IR 611) rather than the more certain contractual framework. The correct approach is to execute the NDA before any confidential information is shared, and to specify in the NDA whether it covers information shared prior to its execution date.

2. Failing to include a whistleblowing carve-out, risking invalidity of the entire clause. Section 10 of the Protected Disclosures (Amendment) Act 2022 renders void any NDA term that purports to restrict a worker from making a protected disclosure. An employment-related NDA that omits this carve-out is not only non-compliant but may expose the employer to criminal liability if a worker is deterred from reporting wrongdoing. The correct approach is to include a standard whistleblowing carve-out clause confirming that the NDA does not restrict rights under the Protected Disclosures Acts 2014-2022.

3. Defining confidential information vaguely, without specifying categories or exclusions. An NDA that defines confidential information as 'all information disclosed by the disclosing party' without excluding publicly known information, prior knowledge, or independently developed information is likely to be unenforceable to the extent of the over-breadth. Under Irish contract law, a court may apply the doctrine of severance or read down an overly broad definition, but the result may be an NDA that provides narrower protection than intended. The correct approach is to define confidential information with precision — specifying the categories of protected information, the formats (written, oral, electronic), and the standard carve-outs.

4. Using a fixed confidentiality term of the same duration for general confidential information and trade secrets. The European Union (Protection of Trade Secrets) Regulations 2018 protect trade secrets for as long as the information retains the quality of a trade secret — there is no fixed time limit. An NDA that subjects trade secret information to the same three-year or five-year confidentiality term as general confidential information leaves trade secrets unprotected after the term expires. The correct approach is to include a tiered duration clause: a defined term for general confidential information, and an indefinite obligation for information that meets the definition of a trade secret under the 2018 Regulations.

5. Omitting a compelled disclosure notification obligation. When a party is compelled by law or court order to disclose confidential information — for example, in response to a Revenue audit, a court discovery order, or a DSAR under GDPR — the NDA must specify how that party must notify the other before making the compelled disclosure (to the extent legally permitted). Without this notification obligation, the disclosing party may be unable to seek a protective order or challenge the disclosure. The correct approach is to include a clause requiring the recipient to give prompt written notice of any compelled disclosure and to cooperate with the discloser's efforts to seek appropriate protection.

6. Not including a return or destruction clause. An NDA that does not require the receiving party to return or destroy all copies of confidential information — including electronic copies — on termination leaves the disclosing party's information in the hands of the recipient after the relationship has ended. This creates ongoing risk of misuse or inadvertent disclosure. The correct approach is to include a return or destruction clause requiring the recipient to certify in writing that all confidential materials have been returned or destroyed within a specified period of termination.

7. Relying on the NDA alone without complementary information security measures. An NDA is a legal instrument, not a technical security measure — it does not prevent a determined recipient from misusing or disclosing confidential information, it merely provides a right of action after the event. Disclosing parties who rely solely on an NDA without implementing complementary access controls, data classification, encryption, and employee training may find that the information has been misused before any legal remedy can be obtained. The correct approach is to combine the NDA with technical and organisational security measures consistent with the requirements of Article 32 GDPR (where personal data is involved) and with the 'reasonable steps' standard under the European Union (Protection of Trade Secrets) Regulations 2018.

8. Failing to address the position of employees and subcontractors of the receiving party. An NDA that binds the receiving party but does not require the receiving party to impose equivalent confidentiality obligations on its own employees, contractors, and advisers who have access to the confidential information creates a gap in protection. The receiving party's employees and subcontractors are not bound by the NDA (as they are not parties to it), and may inadvertently disclose confidential information. The correct approach is to require the receiving party to bind all persons who have access to the confidential information to obligations at least as protective as those in the NDA.

9. Not specifying the governing law or the correct jurisdiction for dispute resolution. Irish commercial parties sometimes use template NDAs governed by English law — or NDAs that contain no governing law clause at all — without considering whether Irish courts will apply English law to the confidentiality obligations or whether the parties intended Irish law to govern. After Brexit, the automatic recognition of English court judgments in Ireland is no longer guaranteed under EU law. The correct approach is to specify that the NDA is governed by Irish law and that disputes are subject to the exclusive jurisdiction of the Irish courts, and to review any template NDA to confirm that the governing law and jurisdiction clauses reflect the parties' intentions.

10. Using a mutual NDA when a one-way NDA better reflects the commercial reality. A mutual NDA — binding both parties to confidentiality obligations — is appropriate where both parties are genuinely sharing confidential information. Where only one party is disclosing sensitive information (for example, a start-up sharing its business plan with a potential investor, or an employer sharing trade secrets with a new employee), a mutual NDA creates unnecessary confidentiality obligations on the disclosing party in respect of information it receives from the other party, which may not be intended and could create complications. The correct approach is to match the structure of the NDA to the commercial reality of the information flow.