Complying with the confidentiality obligation in employment relationships
5 april 2017 – Dorienke de Grave-Verkerk
Clause containing a penalty provision
Including a confidentiality clause with penalty provision in the employment contract gives the employer legal force because the penalty will simply be forfeited when violated and the precise extent of damage does not have to be demonstrated by the employer.
But defining the confidentiality is a delicate one. In most cases, the clause says that no information may be provided to third parties. Judges interpret this text closely and keep the employer to the burden of proof that information has indeed been shared with third parties. Rulings have frequently been that transmitting confidential business information by an employee to his/her personal mail address does not constitute a violation of the confidentiality clause. Neither was this the case when transmission took place after terminating the employment before taking up employment with another (competing) employer, while it will be clear to all that it is in the employee’s interest to send company data to himself while having his/her sights on employment elsewhere.
Hints from the judge
Judges explicitly rule: through the increasing digitalization of society and the emerging new (social) media, society’s attitudes towards the professional use of electronic messaging is subject to change. Yet, an unwritten rule on the basis of which the employee would not be allowed to send data files belonging to his employer to his private e-mail address cannot be distilled from this. According to current views also, it is primarily up to the employer to introduce procedures on this within the framework of the employment and keep an eye on their compliance.
The employer can better protect company information by arranging through behavioral-/email protocol that company information cannot be taken outside the company network, also meaning not to private email addresses. Measures preventing the unlawful processing of personal data (viz. for example customer bases) after “data leaks”) would have to be a part of a protocol. Normally speaking, the Works Council (OR) will have to give its permission for the inclusion of such a procedure.
The legislator will also introduce – presumably by mid-2018 – measures implementing the European Directive for the protection of company data (2016). The directive aims at the effective maintenance by companies of the protection of company data such as technological knowhow, recipes, market strategies, business plans, in short all the information that is not public and having a commercial value. The employer does have to have instituted reasonable measures to keep the information a secret. In this regard, the introduction of a protocol such as described above can also be important. It is interesting that the directive also requires the legal procedures to be set up in such a way that company secrets will remain confidential
 Recent examples are Rechtbank Gelderland 03-06-2015 and Hof Den Haag 15-12-2016