NDA agreement in Poland: how to protect business information under Polish law

Under Polish law, an NDA (non-disclosure agreement) is a legal document in which the parties undertake not to disclose or use confidential information provided for a specific purpose, e.g. business cooperation or commercial negotiations in Poland. Information covered by an NDA may include financial, strategic or operational data of a company, as well as know-how, business plans, inventions or other valuable information, the disclosure of which could expose the disclosing party to economic damage or loss of competitive advantage.

The purpose of this article is to present a practical approach to drafting an effective NDA so that it actually protects confidential information and is not merely a formal document devoid of practical significance. In this article, we describe, among other things:

• with whom and when should NDAs be concluded in Poland?
• why should the NDA precisely specify the parties to the agreement and the entities authorised to access the information?
• what information can be covered by a confidentiality agreement?
• what information cannot be covered by a confidentiality agreement under Polish law?
• what should the parties’ confidentiality obligations be in an NDA?
• what to do in the event of an NDA breach – how to construct contractual penalty provisions under Polish law?
• what could be the amount of the penalty?
• when can a contractual penalty for breaching an NDA be considered grossly excessive?
• how long should an NDA remain in force?

With whom and when should NDAs be concluded in Poland?

According to Polish law, a confidentiality agreement is a document that must be concluded when an entrepreneur plans to disclose information of economic value to a third party (third parties), the disclosure of which could expose them to loss or weaken their market position. In practice, an NDA should be concluded in particular with the following entities:

• persons involved in the entrepreneur’s current activities, including employees, persons cooperating in the implementation of business projects, contractors and persons providing services on any legal basis who have access to confidential information,

• entities cooperating with the entrepreneur in a B2B model, in particular: sole proprietorships, all advisory and consulting entities, managers, members of the management board and members of the supervisory board,

• external entities such as subcontractors and suppliers, customers with access to sensitive information, companies providing outsourcing services (e.g. IT, accounting, HR, marketing, social media services),

• entities with which the entrepreneur plans to undertake business activities, such as persons or companies participating in commercial negotiations, even before the conclusion of the relevant agreement, potential partners or associates in relation to whom the entrepreneur wishes to protect a business idea, product, technology or know-how, potential investors,
• entities that wish to proceed with due diligence (legal review) in connection with a planned transaction.

A confidentiality agreement under Polish law should be concluded at the stage before any confidential information is disclosed. This is one of the fundamental principles of trade secret protection, as signing an NDA after the disclosure of information does not provide real legal protection, because the obligations under the agreement do not, as a rule, cover information that has already been disclosed.

In practice, this means that an NDA should be concluded at an early stage of cooperation or negotiations, before the other party has access to financial data, technology, know-how, strategic plans or any other sensitive commercial information. This approach minimises the risk of unauthorised use or disclosure of information and allows for effective enforcement of confidentiality obligations from the very beginning of the cooperation.

A practical example from Polish case law:

“A confidentiality agreement (confidentiality contract) is an unnamed agreement whose purpose is to prohibit the debtor from disclosing information to third parties and using it in the debtor’s own business (negative aspect) and to impose on the debtor an obligation to secure the information so that third parties do not have access to it (positive aspect)” (judgment of the Polish District Court in Białystok, 6th Labour and Social Security Division, of 15 April 2014, ref. no. VI P 618/13).

Why should an NDA precisely specify the parties to the agreement and the entities authorised to access the information?

A confidentiality agreement under Polish law should, first and foremost, clearly indicate the entities covered by the confidentiality obligation. In particular, it is necessary to specify precisely whether this obligation applies only to the parties to the agreement or also to other entities, such as companies with capital or organisational links, members of bodies, partners, employees, associates, advisers or subcontractors.

The lack of clear provisions in this regard may lead to significant interpretative doubts related to the NDA, especially when confidential information is disclosed to third parties in the course of day-to-day business activities, e.g. in the course of legal, financial or technical analyses. In practice, this may result in a dispute as to whether the NDA has been breached or whether the disclosure of information was within the limits of permitted use of confidential information.

For this reason, it is recommended not only to precisely identify the group of entities authorised to access confidential information, but also to impose an obligation on the disclosing party to ensure that these persons are effectively bound by confidentiality. This can be done, for example, by concluding separate NDAs or by including appropriate confidentiality clauses in employment contracts or civil law contracts.

The adoption of such a regulation will, on the one hand, preserve the real possibility of using confidential information within the organisational structure of the entrepreneur and, on the other hand, significantly strengthen the protection of the interests of the party disclosing the information, limiting the risk of its uncontrolled further dissemination.

A practical example from Polish case law:

“(…) the confidentiality agreement obliged the defendant to keep confidential information which, using a rather general definition, was described as information concerning (…). However, as evidenced by the established facts, the documents used by the defendant did not contain any information concerning the defendant (…) S.A., whether financial, legal, organisational or any other. The information document contained only information concerning the client (…) S.A., i.e. (…) S.A. (…) Since these documents do not contain such information, it must be concluded that the defendant did not breach the provisions of the confidentiality agreement of 26 June 2007, as the claimant did not disclose any information concerning the claimant in any way” (judgment of the Polish Regional Court in Wrocław, 1st Civil Division, of 18 July 2013, ref. no. I C 1503/10).

What information can a non-disclosure agreement (NDA) cover under Polish law?

A confidentiality agreement entered into in Poland may only cover information which:

• is genuinely confidential,
• is not generally known, and the entrepreneur has taken appropriate organisational measures to maintain its confidentiality, and
• has actual economic or organisational significance for the disclosing party.

In practice, information protected by an NDA will usually be data constituting a trade secret within the meaning of Article 11(4) of the Polish Act on Combating Unfair Competition. This will include technical, technological, organisational or other information of economic value that has not been disclosed to the public and for which the entrepreneur has taken the necessary organisational and technical measures to maintain its confidentiality.

It can be assumed that information has economic significance or value if its disclosure would have any negative impact on the market position of the entity, and therefore if the disclosure is unauthorised, the entrepreneur’s market position will (sooner or later) deteriorate. This does not mean, however, that the disclosure of information must directly and immediately result in damage to the entrepreneur. In many cases of unauthorised action, the effect may not be immediate. However, the mere real risk that the illegal disclosure of information will affect the competitiveness or business position of the data controller will be sufficient to consider that the information has economic value.

Of course, the scope of information covered by an NDA will vary depending on the economic situation, but as a rule, confidentiality agreements in Poland cover the following categories of data:

technical and technological information, including the entrepreneur’s know-how, technical specifications of equipment, design documentation, diagrams, algorithms, prototypes, IT solutions and production processes;

• broadly understood commercial and business information, such as business models, sales strategies, pricing policies, margins, development plans, marketing strategies and information about new products or services that the entrepreneur wants to launch on the market;

• financial information, including accounting data, financial forecasts, budgets, profitability analyses, financing terms and conditions, and information about investors;

• organisational and operational information about the entrepreneur, including the structure of the enterprise, internal procedures, rules for cooperation with contractors and internal regulations (provided that they are not publicly available, as discussed below);

• data on contractors and customers, in particular customer databases, commercial terms, contracts, discounts, schedules and information on business relationships;

• information on employees and associates, to the extent permitted by applicable law, including team structures, job descriptions and remuneration systems;

• most of the information disclosed in the course of negotiations, commercial discussions, due diligence (legal review), audits or the preparation of joint projects — even if the investment agreement is ultimately not concluded, but the data is disclosed anyway,

• all analyses, summaries, studies and derivative materials that were created on the basis of confidential information or contain it indirectly.

A practical example from Polish case law:

“Information constituting a trade secret must have (…) actual, real economic value, but it is not necessary to demonstrate that its disclosure would lead to specific damage to the entrepreneur’s interests. The risk of refusing to disclose information to the public on the grounds of trade secrecy may be merely potential. Therefore, since the legislator does not introduce a norm covering only information whose disclosure would directly cause specific damage to the entrepreneur’s interests, such a narrow interpretation of the norm resulting from the aforementioned provisions is not correct” (judgment of the Polish Provincial Administrative Court in Poznań of 6 November 2025, ref. no. II SA/Po 600/25).

What information cannot be covered by a non-disclosure agreement (NDA) in Poland?

Above, we have provided examples of information that may be covered and protected by an NDA. However, it should be remembered that although in practice a confidentiality agreement in Poland may cover various types of data, not all information is actually protected, even if the parties explicitly designate it as ‘confidential’ in the agreement. Therefore, simply stating in an NDA that information is ‘confidential’ does not mean that it actually is in practice.

Both in business practice and in Polish case law concerning the interpretation of NDA provisions, it is pointed out that the scope of confidentiality cannot be absolute and, as a consequence, must be subject to reasonable limitations. If a different interpretation were to be adopted, in many cases the conclusion of an NDA could lead to unjustified paralysis of the business activities of one of the parties or a violation of the principles of free competition.

A practical example from Polish case law:

“There is a need to clearly define the rights and obligations of the parties to the contract so that they are effectively protected in the event of a breach by the other party, while at the same time having a certain degree of freedom necessary to perform the contract. However, both of these issues are illusory – the definition of confidential information is so broad and based on vague terms (e.g. ‘any of their activities… ‘in any form’, ‘in any way’, ‘all projects’, ‘all information’) that, if the contract were interpreted strictly, in fact neither party would have much room for manoeuvre when attempting to perform their contractual obligations or to enforce them on the other party (…)” (judgment of the Polish Court of Appeal in Gdańsk, 1st Civil Division, of 6 June 2016, ref. no. I ACa 1144/15).

Therefore, in order to avoid interpretative doubts and potential disputes between the parties, a properly constructed confidentiality agreement may specify a list of information that is not subject to protection, even if it has been disclosed in the course of cooperation. Such information may include:

• Publicly available information

An NDA cannot cover information that was already in the public domain at the time of its disclosure, i.e. data that is accessible to an unlimited number of people and has been previously made public in a legal manner. Examples of publicly available information include:

• information disclosed in the Polish National Court Register (KRS) and Polish Central Registration and Information on Business (CEIDG) registers, including data on shareholders, management board members, share capital and the manner of representation of the company;
• information disclosed in financial statements, provided that they are subject to publication;
• information disseminated in the media, industry reports or scientific publications, if made available legally.

Protection also does not cover situations in which the information in question has become publicly available after its disclosure, provided that this occurred legally and not as a result of a breach of confidentiality by the disclosing party. This is because it follows that information to which an unlimited group of entities has access cannot be protected.

• Information known to the party prior to its disclosure

The scope of an NDA cannot also cover information that was already known to the receiving party prior to the commencement of cooperation with the disclosing party. Therefore, if certain information or a set of information was obtained at an earlier stage, for example in the course of conducting one’s own business, carrying out previous projects or in connection with professional experience gained, such information cannot be considered confidential simply because it reappeared during discussions with a contractor.

However, it is important to note that in the event of a dispute between the parties, the ability to prove such prior access to information, for example through documentation, correspondence or internal company materials, will be of key importance. However, if the disclosing party is unable to prove that it was previously aware of the information, it may find it difficult to exempt itself from liability in the event of unauthorised disclosure of confidential information.

• Information obtained from third parties

As a rule, information obtained by the receiving party from a third party is also not covered by the NDA, provided that the third party:

• was authorised to disclose it, and
• was not bound by a confidentiality obligation towards the disclosing party.

In such a situation, responsibility for confidentiality cannot be shifted to an entity that has obtained the information in a fully legal manner.

• Information disclosed independently of the NDA

If the information has become publicly available in a manner other than through a breach of the confidentiality agreement, for example through the publication of a report, an administrative decision, an entry in a register or an official presentation, it may not remain covered by the NDA regime either.

This is because a confidentiality agreement cannot ‘freeze’ information that has objectively ceased to be confidential due to objective factual circumstances and its public disclosure.

• Information developed independently

As a rule, information or data developed independently by the receiving party, in particular by its employees, associates, consultants or agents, is also excluded from the NDA, provided that this process took place:

• without access to the other party’s confidential information, and
• without violating the provisions of the confidentiality agreement.

In practice, this means that an NDA cannot block independent intellectual activity, the development of know-how or the work of teams that create solutions based on their own knowledge and experience.

What should the parties’ confidentiality obligations be in an NDA?

A properly drafted non-disclosure agreement under Polish law should impose specific legal obligations on the parties to the agreement to protect confidential information. In practice, the most important obligations of the parties should include the following:

Proper treatment of information marked as ‘confidential’

The parties should undertake to treat the information disclosed as confidential and not to disclose it to third parties, use it or make it available in any other way that could breach its confidential nature. The parties may specify what is meant by ‘disclosure’ or ‘use’ in order to reduce the risk of differences in interpretation. In general, it will be reasonable for the disclosing party to adopt a broad interpretation that takes into account various forms of breaches of confidentiality, for example, ‘use’ may mean not only the use of information, but also its transfer, sale or any other form of exploitation.

Use of information solely for a specific purpose

Information protected by an NDA in Poland should be used solely for the purpose specified in the agreement, e.g. the implementation of a joint project defined in the agreement, for example:

‘The receiving party undertakes to use the protected information solely for the purpose specified in this Agreement, i.e. in connection with the implementation of the development project indicated in this document. In particular, the receiving party shall not use the protected information for commercial or competitive purposes or for any other activity unauthorised by the disclosing party.’

Restriction of access to information

Access to protected information should be restricted to persons who need to know such information in order to carry out a given project or perform a given contract. In the case of larger teams on the part of the entity receiving the information, there is no need to disclose the information to all employees; it is sufficient to restrict access to the necessary number of persons. Such a restriction minimises the risk of unauthorised disclosure.

Furthermore, persons or entities to whom confidential information is disclosed should also be required to maintain confidentiality, e.g. by entering into a separate NDA or by including appropriate provisions in an existing contract. In this way, the confidentiality obligation will be effectively extended to all third parties who may have access to protected information. For example:

“The Receiving Party shall disclose Protected Information only to its Representatives (management, employees, advisors, auditors) directly involved in the project, after informing them of the confidential nature of the data and obliging them to maintain confidentiality.

The Receiving Party shall be responsible for the compliance of its Representatives with the confidentiality obligations as for its own breaches. At the request of the Disclosing Party, the Receiving Party shall provide a list of Representatives and obtain from them written confirmation of their knowledge and acceptance of the terms of the agreement. The Disclosing Party may prohibit the disclosure of information to selected Representatives.”

Extension of the obligation to related entities

When disclosing protected information to subsidiaries, the disclosing party should first ensure that these entities are bound in writing to maintain confidentiality in accordance with the terms of the NDA. This obligation should include both a non-disclosure obligation and a restriction on the use of information solely for the purposes specified in the agreement. It will be important for the disclosing party to stipulate that the other party bears full responsibility for any breaches of confidentiality obligations by affiliated entities, as if they were its own breaches. In addition, the disclosing party may reserve the right to require third parties to provide written confirmation of their knowledge and acceptance of the terms of the NDA before disclosing information, and may restrict or prohibit the disclosure of information to selected entities at its own discretion.

Breach of NDA – contractual penalty and sanctions for breach of confidentiality agreement

In business practice, the most common sanction for breach of confidentiality is the possibility of imposing a contractual penalty on the entity disclosing confidential information. This right derives from Article 483 § 1 of the Polish Civil Code, according to which it may be stipulated in a contract that compensation for damage resulting from non-performance or improper performance of a non-monetary obligation shall be made by payment of a specified sum. For example, in an NDA, the parties may include the following provision on contractual penalties:

“For each breach of the obligations set out in the agreement regarding the rules for the use, disclosure, storage and transmission of Protected Information, the Party that committed the breach shall be charged a contractual penalty of PLN 100,000 (in words: one hundred thousand zlotys 00/100) payable to the other Party to the agreement. The Party entitled to claim payment of the contractual penalty on the terms specified in the previous sentence shall also be entitled to claim compensation corresponding to the full amount of the damage, including lost profits. In such a case, the amount of the contractual penalty shall be credited towards the full amount of compensation.”

The contractual penalty clause in a confidentiality agreement serves several key functions:

• First and foremost, it acts as a preventive and deterrent measure, as the other party is aware of the real risk of incurring severe financial penalties in the event of a breach of confidentiality;

• it facilitates the pursuit of claims without the need to prove the amount of damage in detail. In a situation where no contractual penalty has been stipulated, the party whose information has been disclosed must prove in court what specific damage it has suffered as a result of the breach of the NDA. In practice, this can be extremely difficult, and sometimes even impossible, as it often requires the appointment of experts, complex economic analyses, and leads to a significant lengthening of the proceedings and additional costs;

• as a result, it increases the actual enforceability of the NDA in the event of a dispute, as the court will generally only examine whether there has been a breach of confidentiality and whether the contractual penalty applies in the given circumstances, without having to determine the extent of the damage;

• it strengthens the negotiating position of the party disclosing the information, both at the stage of concluding the agreement and in the event of a subsequent conflict, limiting the risk of the other party treating the confidentiality obligation instrumentally.

What is the amount of the contractual penalty for breach of an NDA under Polish law?

he parties are free to determine the amount of the contractual penalty, and the provisions of the Polish Civil Code or any other act do not specify an unambiguous upper limit for the amount of the contractual penalty, with the proviso that the contractual penalty cannot be ‘grossly excessive’, as discussed below. Does this mean that the parties may specify any amount of contractual penalty for a breach according to Polish law?

First of all, the contractual penalty must compensate for any damage resulting from the breach of confidentiality, otherwise its function would be illusory. Therefore, if an entrepreneur considers that the disclosure of certain information will expose him to damage in the amount of PLN 1 million, the amount of the contractual penalty should reflect this situation. When determining the amount of the contractual penalty, the entrepreneur disclosing the information should consider a number of business circumstances related to the potential disclosure of information, such as the loss of business development opportunities, the potential withdrawal of investors from the project, or the need to rebuild the image.

At the same time, the contractual penalty for breaching an NDA must be severe enough to adequately ‘motivate’ the counterparty to ensure the confidentiality of the information. If the contractual penalty is too low, the other party may ignore the confidentiality obligation. In other words, potential disclosure must be at least ‘unprofitable’ due to its financial severity.

On the other hand, a contractual penalty cannot lead to a grossly excessive burden on the obligated party or cause unjust enrichment of the other party. This means that its amount should be reasonably proportionate to the potential damage – e.g. if the anticipated loss resulting from a breach of the NDA is PLN 10,000, the contractual penalty should not amount to PLN 100,000, as this would be grossly excessive.

An important element of a properly constructed confidentiality agreement is also a provision that the payment of the contractual penalty does not exclude the right to claim supplementary damages. In practice, this means that if the damage suffered by the entitled party exceeds the amount of the contractual penalty, it may seek full compensation. In such a case, the contractual penalty paid shall be credited towards the compensation due.

For example, if an NDA provides for a contractual penalty of PLN 50,000 for breach of confidentiality, but the actual damage suffered by the party disclosing the confidential information amounts to PLN 200,000, the entitled party may claim compensation in the total amount of PLN 200,000, with the contractual penalty paid being credited towards this amount. As a result, the perpetrator of the breach will be obliged to pay an additional PLN 150,000 as supplementary compensation.

When can a contractual penalty for breach of an NDA be grossly excessive?

As indicated above, although the Polish Civil Code does not specify the maximum amount of contractual penalty that may be stipulated in a contract, the law provides that a reduction of the contractual penalty may be requested (so-called mitigation of contractual penalty) if it is grossly excessive (Article 484 § 2 of the Polish Civil Code). What does this mean in practice?

Case law indicates that the assessment of whether a contractual penalty is grossly excessive takes into account a number of factors, including, among others:

• the relationship between the value of the contractual penalty and the value of the damage suffered by the creditor,
• the relationship between the contractual penalty and the compensation that would be due to the creditor if compensation were sought on general terms;
• the extent of the breach,
• the duration of the breach
• the nature of the breach,
• the mutual intention of the parties to set the purpose of the penalty at a specific amount,
• the manner in which the contractual penalty was determined,
• the circumstances in which the situation justifying the imposition of the penalty arose,
• the degree of fault,
• the nature of the negative consequences for the other party.

Therefore, it cannot be considered that the mere ‘high’ value of the contractual penalty automatically justifies its reduction. Moderation of a contractual penalty is permissible only if there is a clear, excessive and objectively perceptible disproportion between the amount of the penalty and the breach of the obligation. These are therefore extreme cases in which the penalty is clearly contrary to its compensatory function and becomes a repressive measure. Therefore, if the actual damage suffered by the creditor is lower than the contractual penalty stipulated in the Polish NDA agreement, this does not automatically mean that the contractual penalty is grossly excessive. Mitigation is exceptional in nature and requires an individual assessment of all the circumstances of the case, including the purpose of the penalty, the type of obligation and the degree of its breach.

A practical example from Polish case law:

“The amount of the contractual penalty is grossly excessive if it leads to unjustified enrichment of the creditor. This requires verification of whether there was a disproportion between the amount of the contractual penalty stipulated and the protection of the creditor’s interest that was not justified by the circumstances of the case (Polish Supreme Court judgment of 27 November 2024, ref. no. II NSNc 50/24)”.

How long should an NDA be valid?

There are no legal regulations specifying the maximum period for which the obligation to maintain confidentiality of trade secrets may be imposed in an NDA. Information retains its status as a trade secret as long as it remains confidential, i.e. it has economic value and the entrepreneur takes real and appropriate measures to keep it secret.

In business transactions, it is common to find clauses stating that: ‘the confidentiality obligation is valid without time limits’ or ‘the confidentiality agreement is binding on the parties indefinitely’. Although such a solution may seem correct and desirable at first glance, it is not recommended from the point of view of the entrepreneur’s legal security.

It should be noted that Article 365¹ of the Polish Civil Code stipulates that a continuous obligation of indefinite duration (i.e. an NDA concluded for an indefinite period) expires upon termination by the debtor or creditor in accordance with contractual, statutory or customary terms, and in the absence of such deadlines, immediately upon termination. At the same time, the prevailing view in doctrine and case law is that it is unacceptable to create permanent contractual obligations that cannot be terminated by either party to the legal relationship. This position leads to the conclusion that an NDA concluded for an indefinite period is always subject to the risk of termination.

In practice, this means that the agreement may be terminated with almost immediate effect. It is difficult to consider an agreement that can be unilaterally terminated at any time by the other party to the legal relationship as effectively protecting the entrepreneur.

For the above reasons, a much more rational and safer solution is to specify the duration of the confidentiality agreement precisely, while adjusting this period to the actual needs of protecting confidential information.

A practical example from Polish case law:

“Pursuant to Article 365¹ of the Civil Code, a perpetual obligation of a continuous nature expires upon termination by the debtor or creditor in accordance with contractual, statutory or customary terms, and in the absence of such terms, immediately upon termination. The validity of this regulation leads to the conclusion that no contractual relationship can bind the parties in perpetuity, and the rule expressing it is absolutely binding (judgment of the Polish Supreme Court of 23 May 2019, file ref. II CSK 159/18)”.

Is it possible to seek protection of trade secrets without an NDA?

Yes, although it may be more difficult.

Even if the entrepreneurs have not concluded a confidentiality agreement between themselves, it is possible to seek protection under the provisions of the Polish Act on Combating Unfair Competition. Pursuant to Article 11 of this Act, the use or disclosure of information constituting a trade secret constitutes an act of unfair competition, in particular when it occurs without the consent of the person entitled to use or dispose of the information and violates the obligation to restrict its use or disclosure under the Act, a legal transaction or other act, or when it is done by a person who obtained the information by committing an act of unfair competition.

In practice, however, protection based solely on statutory provisions proves to be much more difficult to enforce than protection based on an NDA. This is because Article 11 of the Act uses vague terms, which in each case requires detailed evidence, inter alia, that the information in question was indeed a trade secret, had economic value and that the entrepreneur took real steps to maintain its confidentiality.

It should also be noted that, regardless of civil liability, the Polish Act on Combating Unfair Competition also provides for criminal liability. The unlawful acquisition of information constituting a trade secret and its subsequent use in one’s own business or disclosure to third parties is punishable by a fine, restriction of liberty or imprisonment for up to two years (Article 23 of the Act on Combating Unfair Competition).

More information on trade secrets and criminal liability for their breach under Polish law is explained in a separate article.

For the above reasons, an NDA remains a much more effective and predictable instrument than relying solely on statutory protection, particularly from the perspective of securing the interests of the entrepreneur at the stage of cooperation.

Summary

From the perspective of Polish law, an NDA is one of the basic tools for protecting the interests of entrepreneurs in business transactions, but its effectiveness depends not on the mere fact of signing the document, but on the quality of its structure.

In practice, an effective NDA is not a ‘universal’ document, but should be tailored to the specific business model, type of information and risks associated with its disclosure. Only such an approach allows the NDA to be treated as a real tool for protecting the business, and not just a formal attachment to the cooperation.