A confidentiality agreement is a legally binding contract between two or more parties in which at least one of the parties agrees not to disclose certain sensitive information. The name of this kind of agreement may depend on the industry; it is often also called an NDA or non-disclosure agreement.

Most companies derive substantial value from their confidential information and data, both by having exclusive use of it in their own businesses and by sharing it selectively with customers, suppliers, and others. A confidentiality agreement is used by individuals or businesses to protect information, data, ideas, trade secrets, intellectual property, transaction details, and more from being revealed to a third-party during the course of a business deal, project, or employment agreement with another party.

In larger transactions or relationships, there are usually confidentiality clauses within an agreement, such as in an influencer agreement. If you want to prevent the receiving party from misusing your business contacts, you should include a non-circumvention clause or agreement.


A confidentiality agreement is used to protect various types of information from disclosure. Confidential information takes various forms in different businesses and industries, but it includes:

  • Customer information (any information relating to customers or clients, including client lists)
  • Employee and contractor lists and records
  • Supplier and vendor lists and information
  • Pricing and discount structures
  • Financial budgets, projections
  • Marketing information (campaigns, projects, plans)
  • Business methods and operations
  • Intellectual property (IP) (including patents, trade secrets, trademarks, software, copyrights)
  • Recipes and chemical formulas and compositions
  • Blueprints, designs, and drawings
  • Terms of commercial contracts
  • Product and service information (production processes, procedures, packaging, equipment, and techniques used to produce a product or service)
  • Accounting information
  • Software algorithms and source code


A confidentiality agreement is recommended as the first step in situations when an individual or business needs to disclose sensitive information in the context of specific business negotiations, such as:

  • When an employer wishes to keep company information protected while negotiating a position with a potential new hire
  • Evaluating or engaging a business or marketing consultant or agency
  • Considering an independent contractor or consultant for hire and the client wishes to keep some of the disclosed information private
  • Soliciting proposals from vendors and other service providers, which usually involves the exchange of pricing, strategies, personnel records, business methods, technical specifications, and other confidential information of both parties
  • During a pending company acquisition to keep the proposed terms of the agreement and company information private
  • When two or more businesses or individuals wish to begin working together (for example, a joint venture, merger, etc.) and the parties involved want to hold certain information discussed in negotiations in confidence


There are several reasons why parties should have a written confidentiality agreement, including:

  • Avoiding confusion over what the parties consider to be confidential
  • Enforcing written contracts is easier than oral agreements
  • More flexibility in defining what is confidential
  • Demarcating treatment of confidential information between the parties
  • Ensuring protection of trade secrets, because in some jurisdictions this protection can be weakened or lost (deemed waived) if disclosed without a written agreement


The three main types are 1) fully mutual confidentiality agreement, 2) unilateral confidentiality agreement and 3) reciprocal confidentiality agreement.

In the first situation, each party is both disclosing and receiving confidential information on a fully mutual basis. Each party has the same set of rights, restrictions and obligations. An example could be where two companies form a strategic alliance. However, a mutual confidentiality agreement can be used in transactions and relationships where the confidential information to be exchanged is not of equivalent kind or value.

In the second situation, only one party is disclosing confidential information. An example is where a consultant will have access to the client’s business information in the course of the service. The nondisclosure obligations and access and use restrictions will apply only to the party that is the recipient of confidential information, but the operative provisions can be drafted to favor either party.

In the third situation, both parties are disclosing confidential information but not on a fully mutual basis. In that kind of an agreement, the scope and nature of the confidential information that each party will disclose is separately defined and their respective nondisclosure obligations and access and use restrictions may differ accordingly.

Many confidentiality agreements have similar structures and share key provisions, but there is still great variation in the form, structure, and substantive details that should be customized to the specific circumstances of each agreement.


While the form and structure of confidentiality agreements vary, they usually include at least the following provisions:

  • The persons or entities that are parties to the agreement
  • The business purpose of the agreement
  • The definition of confidential information
  • What is excluded from the definition of confidential information
  • All nondisclosure obligations
  • Any use and access restrictions
  • Any safekeeping and security requirements
  • Any provisions relating to the return or destruction of confidential information
  • The agreement’s term and the survival of nondisclosure obligations

In addition, confidentiality agreements usually have some boilerplate clauses such as an entire agreement clause.


The parties should sign a confidentiality agreement as early as possible in their relationship, preferably before any confidential information is disclosed. If a party discloses information before signing the confidentiality agreement, it is important that the agreement specifically covers prior disclosures.


The confidentiality agreement’s term is up to the persons who write the agreement. Confidentiality agreements can run indefinitely, covering the parties’ disclosures of confidential information at any time, or they can terminate on a certain date or event.

It is also possible to state that the rights and obligations (mostly, not disclosing the information received) shall survive the expiration or termination of the agreement for a period of time – the typical survival period ranges between one and five years.

5 Essential Provisions in Social Media Influencer Agreements

Every type of agreement has its own tricks and traps. The contract made between the advertiser/brand and influencer is a unique agreement. There are several issues you should pay attention to when you are signing one. The most obvious and top-priority provisions include the influencer’s services in detail and compensation. In this article, we will not talk about them but about other things that should not be ignored.

Depending on whether you are an advertiser or an influencer, some of the other provisions are more important to you. Although in an excellent agreement there aren’t any unimportant clauses, some terms are always more central. In this article, we will share 5 clauses that we think should be carefully formulated in an influencer agreement.


Depending on the jurisdiction, the brand is also responsible for following the relevant regulation if the influencer does not. That is the case in Finland, for example. In most jurisdictions, the advertiser has a duty to inform the influencer about the relevant legislation, such as consumer protection and marketing laws.

Falling foul of the relevant laws puts you at risk of sanctions and negative publicity. For example, in many jurisdictions, it has been made clear that using only the social media platform tool to mark commercial collaboration is not sufficient.

We recommend using a clause that requires the influencer to acknowledge and comply with the relevant laws, regulations and soft law instruments in your jurisdiction. It is good practice to include written guidance setting out the relevant legislation and guidelines that need to be followed.

It is important to bear in mind that being in compliance with relevant legislation benefits both parties of the influencer agreement. In today’s world, ignoring legislative obligations and requirements in social media influencer marketing campaigns can be hazardous for both the influencer and the brand.

Consumers are fully aware of sponsored content on social media, and they generally don’t like seeing advertising that is not clearly disclosed as such. Non-compliance with legislation negatively affects the influencer’s and the brand’s reputation. Making legal compliance a top priority should therefore be highly important for both parties.

Do not forget to include wording about following the terms and conditions of each platform and not infringing others’ intellectual property rights.

If someone paid for your ticket to paradise, do not forget to disclose it.


Social media influencer agreements often contain confidentiality provisions to protect sensitive information both parties may learn during the agreement’s term. For example, the brand might launch a new product or tell other sensitive information to the influencer. Often it’s also in the advertiser’s interest to keep the influencer from sharing the terms and conditions of the influencer marketing campaign.

It can also be that the influencer discloses to the brand something that they want to stay confidential, for example about their metrics. Quite often the writing of confidentiality provision is such that it only obligates the influencer. If two-way confidentiality is desired by the parties, pay special attention to the writing of this clause.

Usually, unless there is a large quantity of confidential information, a separate confidentiality agreement is not necessary to broaden the scope of the protection provided by a well-drafted confidentiality provision. On the other hand, a separate non-disclosure agreement might be needed if confidential information is shared during the negotiations before signing the final contract.

Remember to decide whether the confidentiality will survive expiration or termination of the agreement. Sometimes the confidentiality obligations should only survive for a certain period after termination of the contract, and if that’s the case, it should be clearly stated.


There is a lot of intellectual property (at least copyright and trademarks) related to the influencer agreement. The brand owns intellectual property, for example its trademarks. The influencer will usually be creating content for the brand and owns the copyright for that unless otherwise agreed. Sometimes the influencer has trademarks, perhaps their own name is trademarked, and the brand cannot use it without a license.

Therefore, negotiating the scope and ownership of intellectual property is a huge part of the deal. From the influencer’s point of view, assigning the copyright ownership of the content that has been created is not very alluring – unless the compensation is very good. The brands don’t often want to pay that much extra for owning the copyright. That’s why it’s quite usual to agree upon licensing the copyright to the brand.

From the brand’s point of view, the license should be as extensive as possible. It’s good to consider where they want to use the posts, photos and names: only “repost” on social media or also on other platforms, such as in print? Also pay attention to the time the license is valid.

Sometimes the brands forget to permit a license to their logo and other trademarks. From the influencer’s point of view, in that case, there is a risk that the brand could accuse the influencer of trademark infringement if something goes wrong. From the brand’s point of view, it is never good practice to allow anyone to use your trademarks and logo without a license.


Influencers are loved and respected for their authenticity. Part of that authentic image is engaging with several brands and products. Their followers value their opinions, which is the point of using them in marketing campaigns and collaborations.

It is in the influencer’s interest to be as unlimited as possible when it comes to choosing brands they work with. Of course, working with two or several competing brands from the same sector is not good for the influencer’s credibility either.

From the brand’s point of view, an influencer-led campaign may easily lose its effect if the influencer goes on to promote a competitor’s brand or products not long after. Many nasty disputes are caused because of not including an exclusivity provision in the contract. However, negotiating about exclusivity may be hard and expensive when dealing with the major influencers. Micro-influencers are more willing to agree on exclusivity.

It is good to say explicitly in the influencer agreement what is prohibited: name the direct competitors and define similar products or services. Don’t forget to set a time limit for this obligation.

When drafting an exclusivity clause, make sure it’s in compliance with relevant laws.


Normally the relationship between the influencer and the brand is not meant to be eternal, and in any case, it never will be. Even if the co-operation is for a longer time, there should still be provisions about the term and termination.

It is in the brand’s interest to obtain strong termination rights for reputational damage, failure to comply with applicable legislation and breach of the terms of the agreement.

If the advertiser sets special success results, the influencer needs to be very careful that they understand what is actually expected from them. The measures of success need to be in clear writing.

One important thing to consider related to the termination is the survival of other clauses in the contract. Which provisions shall still apply after the termination? Think especially of confidentiality, exclusivity and ownership of the IP.


If you are dealing with influencer campaigns and need help with contracts, we are more than happy to assist and advise you. We bring to the table the following combination: our profound understanding of this unique form of marketing, an in-depth understanding of social media and how different platforms work, and a sound legal experience. If you are interested in our influencer marketing related services, please schedule a free consultation, email us at or reach out to our Partner, Legal Counsel Anne Nyström directly.

Processing Data During the COVID-19

On 19 March 2020, the European Data Protection Board (“EDPB”) released a statement on the processing of personal data in the context of the COVID-19 outbreak. The main message of the statement is that EU data protection law (in particular, the EU General Data Protection Regulation (“GDPR”)) does not stand in the way of fighting against COVID-19. However, the measures adopted need to be necessary, proportionate and consistent with safeguards required under EU member state laws. Emergency is a legal condition which may legitimize restrictions of individual freedoms when certain criteria are met.

The GDPR already allows competent public health authorities and employers to process personal data in the context of an epidemic. Processing can be necessary for reasons of substantial public interest in the area of public health. The other relevant legal grounds include personal data processing to protect an individual’s vital interests, or to comply with another legal obligation. In these situations, there is no need to rely on consent of individuals.


In the employment context, certain personal data processing may be necessary for an employer to comply with legal obligations, including those related to workplace health and safety or the public interest. However, these measures need to be made in accordance with national laws.

Health information can be required from visitors and employees if applicable national law permits it. An employer can perform medical check-ups on employees if the applicable national employment law or relevant health and safety law allows for it.

In addition to following national laws, employers need to take steps to minimise the amount of information collected and make sure the collecting is done in a proportionate manner.


The EDPB sums up that personal data processed for a particular objective should only be processed for “specific and explicit purposes”.

Individuals should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information should be easy to access and provided in clear and plain language.

It is important to pay attention to adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties. These measures should be appropriately documented.


As a means to monitor, contain or mitigate the spread of COVID-19, some governments in member states may use mobile location data to geolocate or send public health messages to individuals. In these situations, the public authorities should first try to anonymise location data (e.g., by aggregation) or, alternatively, obtain the consent of individuals to process such data.

When it is not possible to process anonymous location data, Art. 15 of the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security. Such exceptional legislation is only possible if it constitutes a necessary, appropriate and proportionate measure within a democratic society. The Member State is obliged to put in place adequate safeguards, such as providing individuals of electronic communication services the right to a judicial remedy.


The proportionality principle means that the least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved. Invasive measures, such as the “tracking” of individuals could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing. However, it should be intensively examined and have safeguards to ensure the respect of data protection principles.


If you need advice on processing data, do not hesitate to contact us or book a free consultation.

Schrems II and the Invalidating of Privacy Shield

We want to inform our clients about this recent CJEU ruling that invalidated the Privacy Shield mechanism.

The central question in the Schrems II case was: can personal data from the EU be transferred to and stored in the US while being guaranteed a level of data protection adequate to that under the GDPR?

Data Protection Commissioner v Facebook Ireland and Maximillian Schrems

On Thursday July 16, 2020, the EU Court of Justice (CJEU) delivered a ruling in the case Schrems II (C-3111/18), in which the mechanisms for personal data transfers between the EU and US were challenged based on the argument that US law cannot adequately ensure protection of EU personal data.

In a landmark decision, the CJEU struck down the Privacy Shield, one of the most widely used mechanisms allowing US commercial companies to transfer and store EU personal data in the US.

The decision by the CJEU to rule the Privacy Shield invalid renders the US a non-adequate country without any special access to Europe’s personal data streams.

Next, the CJEU considered the Standard Contractual Clauses (SCCs), another commonly used mechanism for transatlantic data transfers, valid, saying that this mechanism does make it possible in practice to ensure compliance with the level of protection required by EU law.

However, the decision requires data controllers to assess the level of data protection in the data recipient’s country and to suspend transfer if deemed non-adequate. It also underlines the strong obligation of each data protection authority in all EU member states to suspend the transfer of personal data if they deem them unsafe according to EU data protection requirements.

You can read the official press release on the ruling here.

What is the Schrems II case about?

Named after Austrian lawyer and data privacy activist Max Schrems, the Schrems II case challenged two of the most widely used mechanisms for transferring personal data from the EU to the US, namely the Standard Contractual Clauses (SCCs) and the Privacy Shield framework.

The EU’s General Data Protection Regulation (GDPR) requires a country to have an adequate level of data protection before personal data can be transferred to it from the EU. Adequacy decisions made by the EU Commission determine whether personal data can legally be sent to a country outside the EU.

The United States is not recognized by the EU as having an adequate level of data protection, but several transfer mechanisms allow commercial companies and organizations in the US to engage in transfers of personal data from the EU to the US where it is then stored.

These include the Standard Contractual Clauses (SCCs), Privacy Shield and Binding Corporate Rules (BCRs).

Is EU personal data protected adequately after transfer to the US?

The Schrems II case made its way to the CJEU from a request in 2015 by Max Schrems to the Irish Data Protection Commissioner to order Facebook to suspend its data transfers from the EU to the US.

Facebook’s practice of transferring personal data out of the EU via their servers in Ireland to their headquarters in the US relies on the SCCs.

The CJEU ruling in the Schrems II case on July 16, 2020 sided in large part with Max Schrems, invalidating the Privacy Shield as a mechanism for EU-US personal data transfer and imposing strong obligations on data controllers and data protection authorities in each EU member state to ensure adequate protection for personal data transfers when using Standard Contractual Clauses as a mechanism.

How can Vedinor help you?

If you need assistance in implementing this ruling into your business, you can contact us. Call us at +358931546648 or schedule a free consultation to discuss your situation further.

Informing Customers about the European Online Dispute Resolution Platform

The European Online Dispute Resolution (ODR) platform is provided by the European Commission to make online shopping safer and fairer for both consumers and traders. It is regulated by Regulation (EU) No 524/2013 on online dispute resolution for consumer disputes that came into force in January 2016. The ODR platform was launched shortly after.

The platform provides opportunities to solve disputes between traders and consumers and an alternative dispute resolution process. The dispute resolution bodies listed on the ODR platform meet strict standards of quality and independence. 

We recommend registering on the ODR platform. That makes it easier for your customers to get in touch with you if they have a problem. You will get notifications on time and are able to deal with the issues faster before they potentially grow into bigger disputes. 

The main obligations for traders are set in Article 14 of the Regulation: 

  1. You have to clearly provide your e-mail address on your website. Providing only an interactive contact form is not sufficient.
  2. You have to provide a link from your website to the Online Dispute Resolution platform. This link has to be visible and easily accessible on the website.

If an offer is made by e-mail, then the link to the ODR Platform must also be included in the e-mail. 

The information should also be mentioned in the general terms and conditions applicable to online sales and service contracts.

The obligations apply to all traders established in the European Union and in Norway, Iceland, and Liechtenstein.

The regulation doesn’t define what is needed regarding the placement of the link on the website. The term “easily accessible” needs to be interpreted in a uniform manner throughout the EU, which means that in the future we will probably see a judgment from the CJEU.

Like all EU regulations, this one is enforceable as law in all member states simultaneously.

In the meantime, we recommend providing the link at least in the terms and conditions of your website. Also, make sure to have your email address on the website and not just a contact form. 


If you have questions about obligations set by consumer protection laws in the EU, please schedule a free consultation or contact partner Anne Nyström. We have a profound understanding of consumer laws and regularly advise and represent clients in engagements related to consumer protection.