In global data transfers, two agreements dominate the governance of information: the Non-Disclosure Agreement (NDA) and the Data Processing Agreement (DPA). Both protect information, but they do so in different ways. So, let’s explore: NDA vs DPA.
- The NDA is the language of trust: a private contract designed to keep secrets.
- The DPA is the language of accountability: a statutory mandate ensuring that personal data is handled lawfully, securely, and transparently.
Understanding their divergence—and their coexistence—is essential for any organisation building cross-border digital operations under GDPR, POPIA, PDPL, or CCPA.
Different foundations, different obligations
| Dimension | NDA | DPA |
|---|---|---|
| Legal nature | Voluntary contract | Statutory obligation (GDPR Art 28 / POPIA s21) |
| Protected asset | Confidential or proprietary information | Personal data of identifiable individuals |
| Enforcement | Civil law (damages or injunctions), subject to whistleblower exceptions. | Regulatory enforcement (fines, orders, sanctions) |
| Parties | Discloser / Recipient | Controller / Processor |
| Purpose | Preserve secrecy | Enforce lawful data processing |
NDA = protect the secret.
DPA = protect the subject.
The NDA’s authority is commercial. The DPA’s authority is constitutional, rooted in the human right to privacy.
From confidentiality to compliance
A breach of an NDA invites a civil claim and reputational tension.
A breach of a DPA invites a regulator.
Under GDPR, violations can reach €20 million or 4 % of global annual turnover, whichever is higher. POPIA, PDPL, and LGPD impose similar sanctions, underscoring that data protection failures are public wrongs, not private disputes.
This asymmetry means that companies once protected by confidentiality clauses must now build evidence-based compliance ecosystems—TOMs, audits, deletion protocols, and documented instructions.
Contractual freedom vs regulatory prescription
- NDA: parties define “confidential information” as they wish.
- DPA: lawmakers define “personal data” and mandate its protection.
Article 28 of the GDPR prescribes what a compliant DPA must include — from processing scope and sub-processor approval to end-of-service deletion. Failure to include any mandatory clause renders the DPA non-compliant by law, not merely incomplete by contract.
The order of precedence: When laws trump loyalty
In layered commercial relationships, multiple agreements coexist: the master services contract, NDA, and DPA.
The hierarchy is non-negotiable: Standard Contractual Clauses (SCCs) → DPA → Master Agreement → NDA
If a confidentiality clause conflicts with data subject rights (for instance, by mandating indefinite retention), the DPA prevails. Regulation, by design, overrides discretion.
The global compliance lens
| Jurisdiction | Instrument | Requirement |
|---|---|---|
| South Africa | POPIA Sections 19–22 | Requires written operator agreements mirroring GDPR-style DPAs, with mandatory security and deletion clauses. |
| GCC | Saudi PDPL & UAE DPR 2021 | Demand lawful processing foundations, cross-border approval mechanisms, and government notification obligations. |
| EU | GDPR Article 28 | Sets the global gold standard for DPA structure, mandating technical and organisational measures (TOMs) and audit rights. |
| US | CCPA/CPRA | Introduces “service-provider addenda” — narrower in scope but still prohibiting data resale or unauthorised sharing. |
A compliant multinational strategy therefore begins with a GDPR-aligned master DPA template — then layers jurisdiction-specific annexes.
Strategic recommendations
- Audit all vendor contracts: Confirm that every processor handling personal data is governed by a compliant DPA distinct from the NDA.
- Standardise the DPA template: Base it on Article 28 GDPR, with annexes for POPIA, PDPL, LGPD, and CCPA variations.
- Insert a clear order of precedence clause: Ensure statutory instruments override commercial terms.
- Negotiate indemnities for regulatory exposure: Controllers should recover fines, investigation costs, and data-subject damages from non-compliant processors.
- Define deletion protocols precisely: Link them to retention schedules and breach-notification workflows.
Together, these steps form the dual-layer shield of modern governance: proprietary confidentiality + data protection compliance.
Why it matters
For most modern enterprises—insurers, fintechs, AI vendors, or law firms—an NDA alone is no longer sufficient. In the post-GDPR world, secrecy without compliance is liability disguised as discretion. The NDA may protect a secret, but only the DPA protects your licence to operate.
FAQs
Can an NDA replace a DPA?
Strictly speaking, no. A DPA is mandatory where personal data is processed. An NDA is optional and purely commercial.
What happens if no DPA is in place?
Depending on the applicable data protection law, both controller and processor might be in breach and may face fines or suspension of processing.
Must NDAs be updated for privacy law?
Yes, NDAs should explicitly acknowledge data protection obligations and carve out lawful disclosures (e.g., regulator reports, data-subject rights).
Does the DPA override other contracts?
Depending on the subject matter, statutory instruments (DPA, SCCs) will likely take precedence over NDAs or master agreements regarding data protection obligations required by law.
What about AI-driven data processing?
DPAs must extend to AI models, ensuring explainability, risk assessments, and audit rights over algorithmic processing.
Closing line
In the new digital order, confidentiality builds trust — but compliance builds legitimacy.