Key Takeaways
- You cannot usually use GDPR to have an NDA wiped entirely, but you may have the right to request erasure of personal data held within the agreement.
- In the UK, your right to erasure under GDPR does not override an enforceable NDA if a valid legal reason exists to keep processing your data.
- Key NDA clauses—including confidentiality and protected disclosure—may be affected by GDPR rights and new legislation such as the Victims and Prisoners Act 2024.
- Mistakes with NDAs can lead to legal disputes, data exposure, or financial loss.
- If your NDA contains personal data, you can request erasure, but the other party can refuse if legally obliged to retain information.
- The right to be forgotten is limited where it conflicts with business interests or legal requirements.
- Recent UK cases show GDPR challenges rarely void NDAs unless ordered by a court or new law.
- Our tools and expert templates help you review, amend, or challenge NDAs with confidence.
- Go-Legal AI is rated Excellent on Trustpilot with over 170 five-star reviews.
Can I Use GDPR to Have an NDA Wiped in the UK?
If you are a founder, freelancer, or small business owner in the UK, you might wonder whether you can use GDPR to “have NDA wiped”. The short answer? GDPR does not make non-disclosure agreements automatically void, even if they contain some of your personal data.
What GDPR does provide is the right to request the erasure of personal data—your name, contact details, or signature—from an organisation’s records. However, this right is subject to several conditions. The NDA, as a legally binding contract, almost always remains in place unless there are other legal grounds to set it aside (such as fraud, duress, or invalidity). Most businesses also have valid reasons—such as legal compliance or protecting commercial confidential information—to retain some details.
What Is a Non-Disclosure Agreement (NDA) and How Does It Protect Confidential Information?
A Non-Disclosure Agreement (NDA) is a legal contract where the parties promise not to share, reveal, or misuse information exchanged during their business relationship. NDAs are used to protect sensitive details—such as business plans, product designs, customer lists, or internal strategies—from being leaked to competitors, the public, or other third parties.
Companies, startups, and freelancers often use NDAs before sharing proprietary information. This is especially important during early-stage pitches, personnel onboarding, or collaboration with external contractors.
How Does GDPR Apply to NDAs in the UK?
NDAs and GDPR cover different but sometimes overlapping legal ground. GDPR regulates how organisations collect, store, and use personal data related to individuals. An NDA, meanwhile, controls how confidential business information is kept and used—which may sometimes include personal data.
If your personal data is included within an NDA, GDPR gives you the right to request erasure—but only if strict criteria are met. Organisations can lawfully refuse an erasure request if they need your data to fulfil legal or contractual duties, defend themselves from claims, or comply with regulatory requirements.
Can the GDPR Right to Erasure (“Right to Be Forgotten”) Remove NDA Data?
You can use GDPR to request the erasure of personal data held within an NDA, but this is usually limited and not guaranteed. The organisation must erase the data only if:
- It is no longer needed for the original purpose,
- You withdraw your consent (where relevant) and no other legal ground exists,
- The data was processed unlawfully,
- No overriding legitimate or legal basis exists to retain it.
Requests are reviewed on a case-by-case basis. Where obligations under the NDA or other laws exist, your data may be retained.
What Counts as “Personal Data” in an NDA?
Personal data is any information that can identify an individual, such as:
- Name
- Address
- Telephone number
- Email address
- Physical or electronic signature
- Job title or employment details
Commercial information—such as a product design or business method—is not personal data unless directly linked to you.
Steps to Request Data Erasure Under GDPR
- Review your NDA: Identify where your personal data appears.
- Check the grounds for holding your data: Look for retention and compliance clauses.
- Write your data erasure request: Specify what information you want erased and why.
- Send the request: Contact the business’s data protection officer or GDPR contact via email or tracked post.
- Keep all records: Save correspondence and responses for future reference.
- Respond if refused: If erasure is refused, request a clear written reason.
Key NDA Clauses That Affect Your GDPR Data Rights
When considering a GDPR erasure request, it’s crucial to check these NDA clauses:
| Clause/Component | What It Means | Why It’s Important |
|---|---|---|
| Confidentiality | Restricts disclosure of shared information | Protects trade secrets—even where GDPR applies |
| Personal Data Definition | Explains what is classed as ‘personal data’ | Helps clarify which data you can request to be erased |
| Data Retention | States how long information is kept and why | Impacts how long your information can be lawfully held |
| Legal Compliance | Requires following UK law, GDPR, and new rules | Affects how organisations handle erasure requests |
| Protected Disclosure | Allows safe reporting of wrongdoing (protected acts) | May override NDA terms in whistleblowing or criminal cases |
Each clause influences how, and to what extent, your GDPR erasure rights apply.
Step-by-Step Guide: How to Request Erasure of NDA Data in the UK
If you need to remove your personal data from an NDA under GDPR, follow this process:
- Identify the data controller: This is usually the company or client holding your NDA.
- Review the NDA: Check clauses related to personal data, legal compliance, and data retention.
- Draft a formal written request: Clearly state what data you want deleted and reference your rights under GDPR Article 17.
- Send securely: Deliver your request to the company’s GDPR contact or data protection officer.
- Log all correspondence: Save emails and responses for evidence.
- Wait for a reply: The business must respond within one month (they may extend by up to two months for complex cases).
- Assess their response: If refused, review the legal reasons given.
- Escalate if necessary: If you believe erasure was unfairly refused, complain to the Information Commissioner’s Office (ICO).
⚡ Get legal tasks done quickly
Create documents, follow step-by-step guides, and get instant support — all in one simple platform.
🧠 AI legal copilot
📄 5000+ templates
🔒 GDPR-compliant & secure
🏅 Backed by Innovate UK & Oxford
What Happens When GDPR and NDA Confidentiality Obligations Conflict?
When you request erasure of personal data in an NDA, the business must balance your rights under GDPR with its legitimate business interests or legal obligations. More often than not, NDA contracts will remain enforceable unless there are court orders or new statutory exceptions.
Organisations may lawfully refuse to erase data if they need it to:
- Enforce your confidentiality obligations,
- Defend against future legal claims,
- Meet tax, anti-fraud, or other regulatory requirements.
You are entitled to a clear written explanation if your request is denied. If you believe the refusal is invalid, you may escalate the dispute to the ICO or use mediation or court action, but successful full NDA erasure is rare.
The Victims and Prisoners Act 2024: Changes to NDA and Data Rights
The Victims and Prisoners Act 2024 introduces stronger protection for so-called “protected disclosures.” From October 2025, NDAs cannot be used to block individuals from reporting:
- Criminal offences,
- Discrimination, harassment, or select civil claims,
- Serious misconduct.
This new law allows for whistleblowing and protected reports even if an NDA is in place, but it does not erase the NDA itself. Your right under GDPR to request data erasure remains subject to the usual limits and legal grounds.
Common Mistakes When Trying to Void or Amend an NDA Using GDPR
Avoid these pitfalls when trying to change or challenge an NDA by relying on GDPR:
| Mistake | Why It’s a Problem | How to Avoid It |
|---|---|---|
| Believing GDPR overrides all NDAs | Failing to understand legal grounds for data holding | Always check contract and law |
| Confusing data rights with confidentiality | NDA commitments may remain after erasure requests | Separate data vs. confidentiality |
| Not keeping a written record trail | Losing evidence weakens your challenge | Use templates and document steps |
| Ignoring new UK regulations | Missing out on broader protection or exceptions | Stay updated using expert services |
Real-World Scenarios: Entrepreneurs Challenging NDAs Using GDPR
Scenario 1:
Peter, a freelance web designer, requests that old agreements and data with a former client agency be deleted. The agency removes unnecessary notes, but retains the NDA, client correspondence, and some payment records to comply with UK tax law and for possible contract enforcement.
Scenario 2:
Leah, a tech co-founder, tries to argue her NDA should be entirely erased under GDPR. Her request is partially granted—the company deletes feedback and HR notes, but confirms that Leah’s NDA obligations still apply and the full agreement remains enforceable.
How Go-Legal AI Simplifies NDA and GDPR Compliance
Using the right legal tools makes navigating NDA and data protection issues much easier. Our platform provides:
- AI-powered NDA review: Instantly highlight GDPR issues, risky clauses, or gaps in your NDA.
- Template-driven requests: Draft erasure or amendment requests with expert-backed, custom templates.
- NDA compliance check: Receive a clear risk report showing if your NDA complies with UK law and GDPR standards.
- Expert access: Tap into advice from UK-qualified legal professionals when you need deeper insight.
Frequently Asked Questions
Can GDPR invalidate an NDA in the UK?
No. GDPR allows you to request erasure of personal data, but the NDA itself almost always remains in force unless a court sets it aside or the parties agree to do so.
What counts as personal data in an NDA?
Names, addresses, emails, job titles, and other identifying information related to a living person. Company or product details alone do not count.
What if a business refuses my erasure request?
If legal or regulatory grounds exist, the business can refuse. You must receive a written explanation, and you can escalate to the ICO for a ruling.
Is the right to be forgotten automatic in NDAs?
No. The right to erasure has exceptions where confidentiality, regulatory, or contractual duties exist.
Does the Victims and Prisoners Act 2024 affect NDA enforceability?
From October 2025, NDAs cannot bar protected disclosures, but the agreement and most of its terms remain intact unless otherwise stated.
Can I amend or exit an NDA due to data rights?
You may request removal of unneeded personal data. However, amending or exiting an NDA usually requires mutual agreement or another legal justification.
Do I need a lawyer for GDPR-NDA issues?
Our AI-powered templates and guides can handle common requests. For complex cases, access one of our on-demand legal experts via the platform.
Will a data erasure request breach confidentiality?
No. Submitting a GDPR request does not break NDA terms, but avoid sharing additional confidential or sensitive business info in the process.
What happens if a business wrongfully refuses erasure?
If refusal is unlawful, the company may face ICO enforcement, compensation claims, or reputational harm. Always document and clarify grounds for refusal.
How do I check if my NDA is still binding after a GDPR request?
Unless a court rules otherwise, the NDA continues to apply. Use our risk checker to confirm if your contract is still enforceable after GDPR changes.
Protect Your Confidentiality and Data Rights with a Custom, Compliant NDA
The relationship between GDPR and NDAs is complex but crucial for protecting your business and personal information. Relying on outdated forms or DIY approaches can expose you to legal and commercial risks. Recent legal developments—including the Victims and Prisoners Act 2024—add further urgency for businesses to keep their NDAs compliant.
With Go-Legal AI’s platform, you gain access to expert-reviewed templates, AI-driven review tools, and immediate guidance for creating or challenging NDAs that reflect UK data protection law. Ensure your contracts are robust, your compliance is up-to-date, and your interests are protected—every step of the way.
Ready to future-proof your contracts? Draft, review, or challenge your NDA in minutes using our AI-powered platform.