Contract Comparison

NDA vs Confidentiality Clause in South Africa

When to use a standalone NDA versus a confidentiality clause embedded in another contract

Quick answer

NDA vs Confidentiality Clause in South Africa — what's the difference?

A standalone NDA is a self-contained contract governing confidentiality before, during, or after a separate commercial relationship. A confidentiality clause is a provision inside another contract (employment, MSA, shareholders' agreement) that is enforceable only while the host contract subsists and only between its parties.

Drafted and reviewed by

Martin Kotze

Attorney & Founder, My-Contracts.co.za · Legal Practice Council of South Africa (LPC F17333)

Side by side

The two options at a glance

Option A

Non-Disclosure Agreement (NDA)

common law + POPIA

A Non-Disclosure Agreement is a free-standing written contract whose sole purpose is to protect confidential information exchanged between a disclosing party and a receiving party. It defines what constitutes "Confidential Information", specifies permitted uses, imposes a duration (typically 3–5 years post-termination), and prescribes remedies for breach. Because it stands alone, an NDA can be signed before any commercial relationship exists — during due diligence, vendor evaluation, or preliminary JV talks — and remains enforceable even if no further contract is concluded. It is the default instrument in M&A, venture capital, and strategic partnership discussions.

When to use

Use a standalone NDA for pre-contract disclosures (due diligence, pitches, JV exploration), when multiple confidentiality relationships with different parties need distinct durations, or when the receiving party is a third party who will never become a counterparty to the main commercial agreement.

Option B

Confidentiality Clause

common law (embedded)

A confidentiality clause is a provision embedded within a larger contract — typically an employment agreement, master services agreement, shareholders' agreement, or statement of work — that obliges the parties to keep information disclosed under that contract confidential. Its scope, duration, and enforceability are tied to the host contract: when the host agreement is rescinded, voidable, or terminated, the clause's survival depends on express "survival" wording. South African courts (FirstRand v Wright 2020 ZASCA) have held that embedded clauses are enforceable on the same common-law footing as NDAs, provided the information is properly identified and protectable.

When to use

Use a confidentiality clause when the commercial relationship is already being documented in a larger contract, when the same parties are the only ones exchanging information, and when administrative simplicity (one signature, one contract) outweighs the flexibility of a standalone instrument.

In short

Summary

South African law protects confidential information through two very different instruments. A standalone Non-Disclosure Agreement is a free-standing contract that survives independently of any other deal and is typically signed before negotiations start, when a joint venture is explored, or when a new service provider is onboarded. A confidentiality clause is embedded inside a host contract (employment, MSA, shareholders' agreement, SOW) and is therefore limited by that contract's duration, parties, and definitions. The leading authorities (Van Castricum v Theunissen 1993, FirstRand v Wright 2020) confirm that both are enforceable on ordinary contractual principles, provided the "confidential information" is identifiable, has commercial value, and is not already in the public domain. POPIA section 19 adds a statutory security-safeguards overlay where personal information is disclosed. Standalone NDAs are preferred for pre-contract disclosures and third-party exchanges; embedded clauses are preferred once the host relationship is already documented.

Detailed comparison

NDA vs Confidentiality Clause — Key Differences

Side-by-side comparison of the two South African confidentiality vehicles.

| Feature | Standalone NDA | Confidentiality Clause |
| --- | --- | --- |
| Legal status | Self-contained contract | Provision within a host contract |
| Timing of signature | Before any commercial deal exists | At the time the host contract is signed |
| Survives host contract termination | Not applicable — it is the host | Only if express "survival" clause included |
| Typical duration | Stated expressly (e.g. 3–5 years) | Inherits host term unless overridden |
| Parties | May bind third parties (consultants, bidders) | Binds only the parties to the host contract |
| Definition of "Confidential Information" | Detailed, negotiated, central to the document | Often truncated, assumed, or cross-referenced |
| Suited to multi-party disclosures | Yes — separate NDAs per counterparty | No — tied to the single host relationship |
| POPIA s.19 interaction | Easy to layer specific security obligations | Security obligations often inherited generically |
| Typical length | 3–8 pages | 1–3 paragraphs |
| Remedies | Bespoke — interdicts, liquidated damages | Usually generic cross-reference to host clause |
| Enforcement case law | Van Castricum v Theunissen 1993 (4) SA 93 (T) | FirstRand v Wright 2020 ZASCA 94 |
| Negotiation dynamic | Standalone commercial bargain | Bundled with the host contract — often glossed over |

Attorney guidance

What you need to know

The common-law and statutory basis

Both vehicles rest on the same South African common-law foundation. In Van Castricum v Theunissen 1993 (4) SA 93 (T), the court confirmed that a duty of confidentiality arises either contractually (express or implied) or in equity where the recipient receives information in circumstances importing an obligation of confidence. The Supreme Court of Appeal in FirstRand Bank Ltd v Wright 2020 ZASCA 94 reaffirmed that confidentiality obligations — whether standalone or embedded — are ordinary contractual terms enforceable under the reasonableness test articulated in Basson v Chilwan 1993 (3) SA 742 (A) when they operate as restraints.

The statutory overlay is POPIA. Section 19 of the Protection of Personal Information Act 4 of 2013 imposes a mandatory duty on every responsible party to secure the integrity and confidentiality of personal information by taking "appropriate, reasonable technical and organisational measures". Where the confidential information includes personal information of data subjects, the confidentiality instrument must align with POPIA's security-safeguards condition. Standalone NDAs make this easier to do deliberately; embedded clauses often inherit a generic data-protection clause elsewhere in the host contract, which can create alignment problems when the information flow does not match the primary commercial purpose.

When to use each

A standalone NDA is the correct instrument where the confidentiality exchange precedes, exceeds, or outlives the commercial relationship. Classic use cases are M&A due diligence, venture-capital fundraising, product evaluation by a prospective customer, outsourced technical reviews by consultants, and multi-party JV discussions where no master contract yet exists. Because the NDA is self-contained, it can bind parties who will never be counterparties to the eventual deal (a corporate advisor, a prospective investor who ultimately declines).

A confidentiality clause is correct where the confidentiality obligation arises directly from, and is co-extensive with, an existing commercial relationship. Examples are the confidentiality clauses in an employment contract (where the employer-employee relationship supplies the context), in a shareholders' agreement (where the parties are already bound by reserved-matters and information rights), or in a services agreement. The host contract supplies the definitions, duration, and remedies. The drafting risk is that the clause is often treated as boilerplate and fails to address post-termination survival, return of information, or subcontractor obligations — defects that a standalone NDA is less likely to carry because it is negotiated on its own terms.

Critical drafting pitfalls

The most common drafting failure in South African confidentiality instruments is the definition of "Confidential Information". Courts routinely refuse to enforce broad, catch-all definitions that effectively cover every communication between the parties. The information must be identifiable, not trivial, and not already in the public domain (FirstRand v Wright confirms that publicly available information cannot be the subject of a confidentiality claim).

The second failure is duration. A confidentiality clause that simply says "the receiving party shall keep the information confidential" with no end date raises a real risk of being held unreasonable. Best practice is an express period (3–5 years for commercial information, indefinite for trade secrets), coupled with clear return-or-destroy obligations.

The third failure is the interaction with POPIA. Where personal information is disclosed, the instrument should expressly incorporate the responsible-party / operator construct, specify sub-processor consent, and spell out cross-border transfer restrictions under POPIA section 72. Standalone NDAs handle this more cleanly than embedded clauses, which often rely on a separate POPIA clause elsewhere in the host contract — creating potential conflicts.

Finally, remedies. The common-law interdict is available as of right, but liquidated damages require an express pre-estimate of loss (Sasfin v Beukes 1989 principles). Standalone NDAs typically include them; embedded clauses rarely do.

How South African courts treat each

South African courts do not distinguish in principle between NDAs and confidentiality clauses when considering enforceability — both are contractual, both are tested against the ordinary rules of contract and (where they restrain trade) the reasonableness test in Basson v Chilwan. In practice, however, standalone NDAs are easier to enforce because the definitions and remedies are negotiated with the single purpose of protecting confidentiality.

Interdict applications under the common law (Setlogelo v Setlogelo 1914 AD 221) require a prima facie right, a well-grounded apprehension of harm, the balance of convenience, and no alternative remedy. Plaintiffs relying on standalone NDAs typically satisfy these requirements more easily because the NDA itself demonstrates the commercial value of the information and the parties' shared understanding of its sensitivity. Plaintiffs relying on embedded clauses must often first prove that the host contract is valid and that the clause survives termination — an additional evidentiary burden. For this reason, transactional lawyers routinely recommend a standalone NDA even where a host contract already exists, whenever the confidentiality exchange is commercially significant.

An NDA is a contract about secrets. A confidentiality clause is a secret kept inside another contract — which is why it lives and dies with that contract.

Statutory basis

The statutes involved

POPIA

Protection of Personal Information Act 4 of 2013

Regulates the processing of personal information by public and private bodies in South Africa.

CPA

Consumer Protection Act 68 of 2008

Protects consumer rights in transactions for goods and services within South Africa.

ECTA

Electronic Communications and Transactions Act 25 of 2002

Governs electronic transactions, digital signatures, and e-commerce in South Africa.

Common questions

Frequently asked questions

Is a standalone NDA stronger than a confidentiality clause in a host contract?

As a matter of strict contract law the two are equally enforceable — South African courts apply the same common-law principles to both. In practice, however, a standalone NDA is usually easier to enforce because it is negotiated specifically to protect confidential information, with clear definitions, duration, return-of-information obligations, and remedies. An embedded clause is frequently treated as boilerplate, borrows definitions from elsewhere in the host contract, and may die when the host contract is terminated unless an express survival clause is included. Where the disclosure is commercially significant (M&A data, source code, client lists), the marginal cost of a separate NDA is small and the enforcement advantage material. Where the disclosure is incidental to an already-documented relationship (routine client data under an MSA), an embedded clause is usually sufficient.

Does a confidentiality clause survive termination of the host contract?

Only if the host contract says so. South African contract law operates on the principle that rights and obligations under a contract cease on termination unless they are expressly stated to survive. The FirstRand v Wright decision confirms that confidentiality obligations are not implied to survive in perpetuity — they bind only for the stated period or, if no period is stated, for a reasonable time. Best practice is an express survival clause: "The obligations of confidentiality in this clause X shall survive termination of this Agreement for a period of [five] years." Without such wording, a party who terminates the host agreement may find that the recipient is, at law, entitled to use the information freely after a reasonable winding-down period. Standalone NDAs avoid this ambiguity because their entire purpose is to state the confidentiality term expressly.

Does POPIA require a standalone NDA or is an embedded clause enough?

POPIA does not prescribe a form — it prescribes substance. Section 19 requires a responsible party to secure personal information by appropriate technical and organisational measures, and section 21 requires a written operator agreement where personal information is processed by a third party. Either a standalone NDA or a confidentiality clause can satisfy these requirements provided the substantive conditions (security safeguards, purpose limitation, sub-processor consent, cross-border transfer controls under section 72) are all present. In practice, operator agreements are typically standalone precisely because they have to cover the full POPIA section 21 matrix — incident notification, audit rights, return of data on termination, and liability allocation. A confidentiality clause is rarely granular enough to discharge POPIA obligations in full, so where personal information is involved the market default is a Data Processing Addendum that sits alongside the host contract.

How long should confidentiality obligations last?

South African courts will not enforce a perpetual confidentiality obligation unless the information qualifies as a trade secret with independent commercial value that does not diminish with time. For ordinary commercial information — pricing, client lists, business plans — 3 to 5 years post-termination is market standard and has been accepted as reasonable in restraint-of-trade jurisprudence (Basson v Chilwan 1993). For technical trade secrets (formulae, source code, proprietary algorithms), indefinite protection is defensible provided the information remains genuinely secret. The drafter should distinguish between the two in a tiered confidentiality clause: category A (trade secrets) — indefinite; category B (commercial information) — 5 years; category C (information already partially in the public domain) — limited or excluded. A flat "perpetual confidentiality" obligation across all categories is liable to be read down by a court.

Can a mutual NDA bind disclosures we made before signing it?

Only if the NDA expressly says so. South African law does not imply retrospective effect into contracts. The default position is that an NDA binds disclosures made from the effective date forward. To capture earlier disclosures, the drafter must include an "effective date" clause that predates signature or a standalone recital acknowledging that the parties have already exchanged information and that such information is deemed Confidential Information for the purposes of the agreement. Without such wording, a party who disclosed sensitive information in an earlier pitch meeting may find that the subsequently-signed NDA does not cover it. This is a common oversight in fast-moving M&A and VC processes where information flows before the NDA is finalised.

Is a one-way (unilateral) NDA better than a mutual NDA?

The choice is commercial, not legal. A unilateral (one-way) NDA binds only the receiving party and is appropriate where information flows in one direction — for example, an employer onboarding a contractor, or a company sharing product roadmap with a prospective customer. A mutual (bilateral) NDA binds both parties and is appropriate where information will flow both ways — JV discussions, strategic partnerships, M&A negotiations where both sides share sensitive commercial data. South African courts enforce both on identical principles. The practical risk of a mutual NDA is that it imposes symmetrical obligations on the disclosing party even where the disclosure is predominantly one-way — which can catch out a company that later wants to freely use information casually shared by the counterparty. Best practice is to choose the form that matches the actual information flow, and to define "Confidential Information" with reference to marking or identification at the time of disclosure.

This NDA vs Confidentiality Clause in South Africa page answers

  • Do I need a separate NDA if my employment contract has a confidentiality clause?
  • Does a confidentiality clause survive termination of the contract in South Africa?
  • Is an NDA enforceable in South Africa without consideration?
  • What makes information "confidential" under South African law?
  • Can I interdict a former employee for breaching a confidentiality clause?
  • What is the difference between an NDA and a non-compete in South Africa?
  • Does POPIA replace the need for an NDA?
  • How long can a South African NDA last?
  • Is a verbal NDA enforceable in South Africa?
  • Who owns the information disclosed under an NDA?