Non-disclosure agreement (NDA): key points to make it effective in a negotiation

In many commercial negotiations, M&A transactions or due diligence processes, the non-disclosure agreement (or NDA) is signed as a preliminary formality. However, its effectiveness depends on how the protected information is defined, which uses are permitted, which obligations the receiving party assumes and which mechanisms are available to respond to a leak.

In practice, an NDA should not be treated as a mere courtesy formality, but as the first document that structures the relationship between the parties before sensitive information is shared. This approach is connected to our practical guide to non-disclosure agreements (NDAs), which explains the main elements of this type of agreement.

What is an NDA and why should it not be treated as a mere formality?

An NDA is an agreement under which one or more parties undertake not to disclose or use certain confidential information outside the agreed purpose. It may be signed at very early stages of a commercial relationship, in discussions with potential partners, suppliers or distributors, or before starting a due diligence process.

In corporate transactions, the NDA usually appears at the beginning of the process, before relevant information about the company or the transaction is shared. It is therefore particularly common in small-market M&A transactions and in the standard M&A transaction timetable.

Although it is often signed within minutes, its role is much more important: it defines what information is protected, who may access it, what it may be used for and what consequences will follow from misuse.

The issue does not lie in the legal instrument itself. An NDA can work, and it does work when properly drafted. Problems arise when it is implemented through generic templates that are downloaded or reused without adapting them to the specific negotiation.

Why many NDAs do not withstand a real dispute

Proving a breach of a non-disclosure agreement can be difficult. Not necessarily because the legal framework is insufficient, but because many generic agreements lack the precision required to support a claim before a court, in mediation or in a damages negotiation.

If the NDA does not clearly describe which uses are prohibited, any indirect use of the information may fall into a grey area that is difficult to challenge. And if it does not define what constitutes confidential information, the receiving party may argue that what was disclosed was general market knowledge or information already known to it.

For this reason, the definition of confidential information should not be limited to broad and abstract language. It should be adapted to the context of the transaction and to the assets that genuinely need protection.

What an effective NDA should include

A robust non-disclosure agreement should regulate, at a minimum, the following points:

  • The specific categories of protected information: technology, financial data, commercial strategy, client databases, proprietary methodologies, due diligence documentation, know-how or intellectual property.
  • The format in which the information may be transmitted: oral, written, digital, physical, audiovisual or through repositories or data rooms.
  • The method for identifying information as confidential, particularly when it is shared verbally or in meetings.
  • Express exclusions: information in the public domain, previously known by the recipient or lawfully received from third parties.
  • The coverage of derivative information, analyses, reports, conclusions or documents prepared on the basis of the confidential information.
  • Use of the information exclusively for the agreed purpose.
  • Identification of the persons who may access the information and the confidentiality obligations they must assume.
  • Minimum custody and security measures.
  • The obligation to report leaks, unauthorised access or misuse.
  • Return or destruction of the information at the end of the negotiation, including copies, extracts and documents stored in digital repositories, except where there is a legal retention obligation.
  • The duration of the confidentiality obligations.
  • Governing law, competent jurisdiction and, where appropriate, mediation or arbitration mechanisms.

The more specific these obligations are, the easier it will be to prove a breach and react effectively.

Common mistakes when signing a non-disclosure agreement

NDAs used in business practice often share a pattern of shortcomings that compromises their usefulness precisely when they are most needed.

Using templates that are not adapted

This is the most common mistake. An NDA for an M&A due diligence should not be the same as one signed to approach a potential distributor or supplier. The assets at stake, disclosure risks and economic consequences can be radically different.

Imprecise definition of protected information

If the document does not specify which information is confidential, the receiving party may argue that there was no certainty as to its protected nature or that it was general market knowledge.

Omitting governing law and jurisdiction

In cross-border transactions, failing to expressly determine the governing law and jurisdiction may lead to conflicts of competence that delay the claim. In certain cases, mediation or arbitration may be worth considering.

Using unilateral NDAs where reciprocity is needed

In many negotiations, both parties share sensitive information. A unilateral NDA may create an unjustified imbalance and weaken the position of the party assuming obligations without receiving equivalent protection.

Failing to regulate what happens when the negotiation ends

The NDA should regulate whether the information must be returned, destroyed or retained due to a legal obligation, as well as the treatment of internal copies, extracts, analyses and derivative documents.

NDAs, trade secrets and protection of strategic assets

In many cases, the information shared is not only confidential in contractual terms but may also qualify as a trade secret. This may be the case for technology, methodologies, algorithms, databases, commercial strategies, non-public financial information or internal documentation.

Where the information has particular competitive value, the NDA should be coordinated with internal protection measures: access controls, download traceability, user limitations, delivery records, confidentiality markings and internal security policies.

An NDA does not replace those measures. It complements them and provides a contractual basis to react if the information is misused or disclosed.

NDAs, GDPR and personal data

Another common mistake is to ignore the interaction between confidentiality and data protection. If the information shared includes personal data of clients, employees, candidates, suppliers or third parties, the NDA does not replace the obligations arising under the GDPR.

In such cases, a data processing agreement or specific clauses on controller/processor roles, security measures, international transfers, retention periods and return or deletion of data may be required. This issue should be coordinated with GDPR compliance in Spain.

The same caution applies to commercial contracts and business agreements, particularly when data or sensitive documentation is shared with distributors, agents, franchisees, suppliers or strategic partners.

Minimum checklist before signing an NDA

Before signing or sending a non-disclosure agreement, at least the following questions should be reviewed:

  • Is the confidential information clearly defined?
  • Does it cover oral, written, digital, physical and repository-based information?
  • Does it regulate derivative information or documents prepared on the basis of the information received?
  • Is the use of the information limited to a specific purpose?
  • Are the persons who may access the information identified?
  • Are minimum custody and security measures provided for?
  • Does it regulate what happens in the event of a leak or unauthorised access?
  • Does it establish the return or destruction of the information?
  • Is the duration reasonable and proportionate to the type of information protected?
  • Does it include governing law, jurisdiction or arbitration?
  • Has it been reviewed for data protection implications?

The NDA as a strategic tool in a negotiation

A well-drafted non-disclosure agreement does more than protect sensitive information: it sets the rules of the game before the parties start showing their cards.

The process of drafting or reviewing an NDA carefully forces the company to identify which assets are truly valuable to the business: technology, methodology, client databases, commercial model, financial documentation or strategic information.

In addition, a well-structured NDA, properly dated and accompanied by control mechanisms, can be decisive in the event of a dispute. Not only to support a damages claim, but also to request urgent measures to stop the misuse of information, contain a leak, require the return or destruction of documents and preserve evidence.

The idea that a demanding NDA slows down the commercial relationship should be set aside. In many cases, the opposite is true: when both parties know exactly what is protected and under which conditions, trust increases and the conversation can move directly to the substance.

Conclusion: confidentiality as the first test of trust

More companies than one might think end up bearing the cost of litigation, mediation or commercial loss arising from a leak that could have been prevented, or at least managed more efficiently, with a well-constructed NDA.

Confidentiality should not be treated as a formality that precedes the real agreement, but as the first test of an organisation’s professional and legal robustness. The NDA is, in many respects, the first clause of the contract of trust between two parties and also the first piece of evidence if that trust is broken.

Therefore, the next time you receive an NDA or prepare one yourself, it is worth asking a simple question: if this relationship ends badly, does this document give me a defensible position or merely the feeling that I have one?

The difference between those two answers is not only legal. It is strategic. And it is decided long before the substantive negotiation begins.

Frequently asked questions about non-disclosure agreements (NDAs)

An NDA is a contract under which one or more parties undertake not to disclose or use certain confidential information outside the agreed purpose.

It should be signed before sharing sensitive information in a commercial negotiation, an M&A transaction, a due diligence process, a strategic collaboration or discussions with potential partners, investors, suppliers or distributors.

Not always. A generic NDA may provide insufficient protection if it does not properly define the protected information, permitted uses, recipient obligations, duration, governing law and mechanisms to react to a breach.

It should identify the categories of protected information, such as financial data, technical information, client databases, commercial strategy, know-how, methodologies, intellectual property, due diligence documentation or any information derived from the information received.

Common mistakes include using non-adapted templates, failing to define confidential information properly, omitting governing law and jurisdiction, signing a unilateral NDA when it should be reciprocal or failing to coordinate the agreement with data protection obligations.

No. If the information shared includes personal data, the NDA must be coordinated with GDPR obligations and, where appropriate, with a data processing agreement or specific data protection clauses.

The duration should be proportionate to the type of information protected and the context of the transaction. In practice, many agreements provide for periods of between two and five years, although certain sectors or types of information may justify longer periods.

Depending on the case, measures may be requested to stop the use or disclosure of the information, claim damages, require the return or destruction of documents and activate the dispute resolution mechanisms provided for in the agreement.
