The Importance Of Securing Confidentiality
Every company faces a lot of challenges to become and remain healthy, but also to maintain the high standards it has possibly achieved in terms of operation, efficiency and profitability. Maintaining (and, more importantly, increasing) its market share in the geographic areas of its activity requires a series of obstacles to be overcome daily.
Achieving and maintaining healthy entrepreneurship is not only a requirement but also an everyday challenge. One of its prerequisites is to ensure that the information that the business identifies as confidential will be maintained as such and, among other things, will not leak to the competition.
In some special cases, the obligation to preserve the confidentiality of the information that is handled by the company is imposed by the institutional framework (see below on personal data). In these cases, the consequences do not refer to the smooth operation and development of the company. The consequences may refer to indefinitely high fines and penal sanctions!
Persons Liable For Confidentiality
The obligation to preserve confidentiality is an obligation that everyone has. Without exception!
Just as the worker or the company’s usher is not excluded, neither (obviously) are the executives, the senior management, the CEO or even the main shareholder. It is important, however, to stress that this obligation also includes any third party with whom confidential information is shared, e.g. a close associate or consultant of a business.
Form And Way Of Notification Of Privileged Information
The form of the information is of no importance for its protection: it may be documents, electronic files, or even oral information disseminated to a specific number of persons and pertaining to a particular company or group of companies.
Additionally, the way in which the information covered by the confidentiality obligation became known is also irrelevant. It may be information that (e.g.) an executive has become acquainted with while performing his/her duties at his/her workplace or even outside it (e.g. at the client’s premises). It may also be information about matters handled by the person responsible for such, colleagues, business associates or consultants of the company. Finally, there may be information on issues related even to customers of the latter.
Information covered by the confidentiality obligation may refer to commercial know-how (commercial information: e.g. customer and supplier lists, cost accounting and price calculations, sales strategies, marketing methods, and so on) and / or technical know-how (expertise, technical information). They may relate to the methodology, procedures, planning, data, development and results of any business activity, process, research, product output or service provision. They may relate to procedures, policies, documents of auditing authorities related to the company. It may, in the end, concern any issue of importance for the company.
Particularly, On Personal (Personal and Sensitive Information) Data
Thus, some of the protected information may even be related to personal data – personal and sensitive information. This scenario adds more obligations for companies as provided by the current institutional framework (EU / 1995/46 Directive incorporated by Law 2472/1997) as well as by the new Regulation (EU / 2016/679) which will be implemented as of 25 May 2018 and beyond – regardless of whether or not the (expected) law which implements it is adopted.
However, it is not only the additional obligations of companies that are being created by the existing and the new institutional frameworks with regard to personal and sensitive data but also, especially, the threatened sanctions in case of non-compliance and / or violation (for all these issues please refer to the relevant article “Personal Data Protection and Companies”).
The Obligations Of Executives And Partners
Contracts that associate all employees and external partners with a company (must) include provisions that restrict the use of information that comes to their knowledge during and solely in the context of their cooperation with the company. And even more: (they ought to) regulate the obligations of employees and associates during the period after the expiration of their cooperation (e.g. return of forms, documents, notes, deletion or return of electronic files) as well as the sanctions for breach of their (contractual and post-contractual) obligations (usually high penalties – in addition to general claims for compensation).
Particularly, Decision 1/2017 Of The Arios Pagos (Supreme Court of Cassation)
This decision has been a landmark on the specific issue.
By virtue of this decision, it has been accepted that constitutionally protected rights (including the rights of the employees) such as the confidentiality of letters and communication (article 19 of the Constitution), the inviolability of private and family life (article 9C) and the protection of personal data (article 9A C) be limited on the basis of the constitutionally guaranteed principle of proportionality (article 25C).
Therefore, in the context of this decision, the right to legal protection (article 20 par. 1 C) and of the freedom to conduct business (articles 5 & 106 par. 2 C) of an employer / company could prevail over the abovementioned rights of the employees.
However, what was, practically, the meaning of the limitation of the constitutionally guaranteed employees’ rights in the framework of this specific and of other similar cases?
The right of the Employer (whose above-mentioned constitutional rights were deemed to prevail, in the particular case and under the particular circumstances) has been recognized to:
- Monitor the electronic (professional and personal) correspondence of its employees as it is imprinted on the computers and on the other means of its company
- Retrieve the deleted mail from these computers that constitute its property
- Record the data obtained from the computers of its company and, in particular,
- Exercise its legal rights on the basis of data contained in the personal or professional correspondence of its employees which took place through the company’s computers even if they had been deleted in the meantime.
There is no doubt that this decision is extremely important: The Company does not remain (legally) unprotected against malicious employees who, under the guise of their constitutionally protected rights, attempt to harm it for their own benefit.
When Does The Confidentiality Obligation Recede?
The confidentiality obligation recedes:
- when the information to which it refers is publicly (and a priori) known
- when an obligation to disclose this information arises from the existing institutional framework or is imposed by a competent authority or a competent court.
Confidentiality Provisions At Business Level
At business level, the provisions that refer to confidentiality are (or should be) normally contained:
- in the employment contracts, in the service agreements, in work contracts etc. of the company
- in the company’s Work Rules (where applicable)
- in the Code of Ethics (or Code of Conduct) of the company
- in the NDAs of both the company and its customers (to the extent that the latter apply to the company and, in addition, to its employees)
Confidentiality Provisions Contained In Legislation – Generally
In cases where (contrary to what is agreed or what the law requires) the person who breaches the confidentiality obligation causes damage, the person responsible is obliged to restore it in its entirety (losses and damages – article 914 of the Civil Code, moral damage – article 932 of the Civil Code).
However, irrespective of the civil claims maintained by the injured person against the person responsible, there are a number of criminal provisions relating to the criminal offense of the offender [indicatively: article 370 of the Penal Code (violation of letters privacy), article 370A of the Penal Code (violation of the telephone conversation and oral conversation privacy), article 370C of the Penal Code (illegal access to an information system) and the related provisions of articles 370B, 370D, 370E of the Penal Code].
There are, of course, also provisions referring to specific issues arising from the breach of confidentiality, as (indicatively):
More Specific Provisions
(a) With regard to personal data breach
Whenever the confidentiality obligation breach is related to personal data breach, there are administrative, criminal and civil penalties directly or indirectly imposed (also) on the offender.
On the basis of the existing institutional framework (Law 2472/1997), which is in force until 25.5.2018, when Regulation 2016/679 (see http://koumentakislaw.gr/en/blog/articles/personal-data-protection-and-companies/) enters into force, specific administrative penalties (Article 21), criminal sanctions (Article 22) and also civil liability of the offender (Article 23) are provided for.
Regulation 2016/679, of course, provides for very serious administrative sanctions (Article 83) and for civil liability for those who violate personal data (Article 82). It is expected that the law currently being drafted will further specify said sanctions or even impose additional ones (e.g. criminal) on the offenders (Article 84).
(b) With regard to unfair competition
Where a breach of confidentiality also violates the provisions on unfair competition (Law 146/1914), both criminal penalties (Articles 16 & 17) and civil sanctions (Article 18) are provided for.
(c) With regard to Codes Of Ethics
It is not unusual for the operation of certain business sectors to be governed by Codes of Ethics. In these Codes, we often encounter a number of provisions regarding the obligation to ensure confidential data as well as sanctions in case of breach. (Indicatively: Code of Greek Pharmaceutical Conduct – provisions of articles 26-chapter A and 4 of chapter C)
Penalties on Breach of Confidentiality: Legal, Business And Not Only …
In general, in view of the above, one could say that the obligation to preserve confidentiality directly or indirectly is supported in almost the whole range of law (e.g. civil, criminal, administrative). More specific provisions of the existing institutional framework and of the contractual relationships that have arisen in the course of the negotiations, specify both this obligation and the many consequences of its breach.
The penalties envisaged relate to offenders who are natural persons and, sometimes, to the directly or indirectly involved companies: those who did not take the appropriate steps to protect those affected as well as those who urged the offenders into their unlawful actions.
Thus, the sanctions are not only legal:
The persons who violate this obligation also suffer the corresponding personal and professional demerit.
However, in the case of companies where the offenders were employed, the consequences are sometimes unbearable: For how long can a company operate when data, personal data (or even worse sensitive personal data) of its customers are uploaded to the Internet? For how long can a company operate when its critical business secrets (whether it’s recipes or clientele, or production or marketing methods or whatever) are leaked to its competitors?
Necessity Of Compliance And Consequences Of Non-Application Of Confidentiality – The Role Of The Legal Advisor
Storing and disseminating information (also at business level) is an element of everyday life, one that does not seem to be differentiated from vital human functions.
Safeguarding the integrity and confidentiality of information, notwithstanding the avoidance of the aforementioned sanctions, ensures the existence of high professional standards (in particular) for the companies concerned. This fact, inevitably, is reflected in its existence and development, in its relations with its customers and suppliers. It is reflected in the shareholders, the employees, the associates and their families.
There is no doubt that securing confidentiality is an obligation of all those who are directly or indirectly involved in operating a company. However, the responsibility of the legal advisor is a little more special as he/she has the burden of: (a) informing the parties involved; (b) creating a coherent grid of contractual and other regulations that deters breaches; and (c) managing the critical situation created in the case of violation of any kind of confidential information.
It is also not of minor importance that your Legal Advisor’s involvement in Cyber Risk issues is already covered by Directive 2016/1148 on Measures for a High Level of Network and Information Security for Networks across the Union (Network and Information Security Directive 2016/1148 – also known as NIS) – but for this issue, there shall be a specialized screening and filing on the same site.
The Challenge (By Way Of Conclusion)
In any case, it is more than obvious that securing confidentiality is one of the challenges of today’s business. It is up to us, the directly and indirectly involved (us Legal Advisors in particular), to assist and respond positively to this challenge by providing our own small contribution to what everybody desires, that is to secure and develop healthy entrepreneurship.