Non-compete and confidentiality with employees and freelance contractors: legal limits and best practices (Spain)
In startups and tech companies, information leaks rarely happen as a single dramatic event. More often, they start with small friction points: access granted too broadly, documentation shared without permission rules, repositories with weak governance, a client list sent to a personal email, or a freelance contractor reusing deliverables because "it is basically the same".
The typical reaction is to overprotect everything with harsh clauses. That approach often fails for two reasons: if you push too far, the clause becomes invalid or difficult to enforce; if you are too light, the protection is theoretical and collapses when you actually need it.
A practical principle helps: confidentiality is the main pillar (and often enough if designed properly and supported operationally). Post-termination non-compete is a secondary tool and, in employment, it is legally sensitive and tightly constrained.
1) What exactly are you protecting (before drafting anything)?
To make clauses enforceable and operational, define the asset. In real disputes, it is much easier if you distinguish:
- Trade secrets: information that (i) is not generally known or readily accessible, (ii) has commercial value because it is secret, and (iii) has been subject to reasonable steps to keep it secret. Reference: Spain's Trade Secrets Act, Ley 1/2019.
- Confidential information that is not a trade secret: internal documentation, pricing, processes, strategy, roadmaps, metrics, proposals, drafts, internal materials.
- Personal data: here you also need to align with data protection confidentiality duties and incident response duties if there is a breach. Reference: Spain's data protection act, LOPDGDD.
If you cannot describe it cleanly, the clause tends to become a broad "catch-all" that is hard to implement and even harder to prove later.
2) Employees (employment relationship): what you can require and where the legal limits are
2.1 Employment confidentiality: it exists even without a clause, but you must make it operational
Employees are subject to general duties of good faith and diligence under Spanish employment law. That helps, but it does not replace clear policies and an explicit confidentiality framework if your goal is to prevent leaks in practice. Reference: Spanish Workers' Statute (Estatuto de los Trabajadores).
If employees handle personal data, confidentiality is also reinforced by Spanish data protection law. Reference: LOPDGDD.
What typically works operationally:
- Define "Confidential Information" by categories (product, code, business, customers, finance, security), with concrete examples.
- Include reasonable exclusions (public information, already known, independently developed, required by law).
- Set clear obligations: do not disclose, do not use outside work, protect credentials, do not forward externally, do not copy to personal devices without approval.
- Implement return, deletion, and handover obligations at termination (with an offboarding checklist).
- Align employment documentation with internal policies (device use, corporate environments, access controls) and a minimum onboarding process.
If you want to rely on trade secret protection, the decisive point is this: a signature is not enough. You must be able to show reasonable steps were in place. Reference: Ley 1/2019.
2.2 Non-compete during employment: loyalty and exclusivity (if you pay for it)
During employment, the general framework includes duties of loyalty. You can also agree on full-time dedication (exclusivity), but this is typically linked to explicit compensation under the Workers' Statute framework. Reference: Estatuto de los Trabajadores.
From a leak-prevention perspective, exclusivity should be used selectively for genuinely sensitive roles and only when paid appropriately. As a default clause, it creates friction and is rarely enforced effectively.
2.3 Post-termination non-compete: valid only with strict legal requirements
A post-termination non-compete for employees is valid only if it meets specific legal conditions:
- Maximum duration: up to 2 years for technical roles, and up to 6 months for other employees.
- Effective industrial or commercial interest: it must exist and be justifiable.
- Adequate financial compensation: it is mandatory.
Reference: Article 21 of the Workers' Statute.
In practice, the most frequent weak point is "adequate". Token amounts paired with meaningful restrictions increase the risk of invalidity. A useful doctrinal reference with case-law discussion is the BOE Legal Library commentary.
How to structure it so it makes business sense (and is more defensible):
- Narrow the scope of activity precisely (role, functions, segment).
- Set the duration to the real risk window (do not default to the maximum).
- Document the business interest (access to know-how, strategy, customers, security, development).
- Align the compensation with the real sacrifice and record your rationale internally.
- Avoid disproportionate penalties that are disconnected from the likely harm.
3) Freelancers and contractors (commercial relationship): more flexibility, different risks
A common mistake is copying employee clauses into a contractor agreement. With freelancers you can impose confidentiality and some restrictions, but two recurring risks appear: disproportionality (overly broad restrictions) and misclassification risk (the relationship looks too much like employment).
3.1 Contractor confidentiality: your contract needs to be more operational, not just legal
Freelancers often work with their own devices and tools, serve multiple clients, and operate independently. Your goal is not just to prohibit, but to control the perimeter.
Clauses that reduce leak risk in practice:
- NDA inside the agreement (or as an annex) with category-based definitions and a "need to know" approach.
- Obligations to use client-controlled environments: corporate accounts, client repositories, internal channels, password managers.
- Clear prohibition on reusing deliverables if they embed the client's confidential information (internal templates, architecture, prompts, documentation).
- Subcontracting either prohibited without written approval, or allowed only with mirror obligations (equivalent NDA and access controls).
- Immediate incident notification (if there is unauthorized access or a security incident).
If you want trade secret protection, the same point applies: reasonable steps matter. Reference: Ley 1/2019.
3.2 Non-compete with freelancers: possible, but avoid broad "ban to work" clauses
Commercial agreements do not automatically follow employment limits, but that does not mean "anything goes". If you restrict a professional's ability to operate in their market, you increase the risk of invalidity and you often create a negotiation problem.
A practical rule: if your clause effectively blocks the freelancer from meaningful work, narrow it significantly and consider a real counter-performance, even if not strictly required in the same way as employment law.
As a prudence marker, EU law is cautious about post-termination non-competes in vertical agreements, typically tolerating them only in narrow settings and with limited duration when protecting know-how. Reference: Regulation (EU) 2022/720.
Operational alternative that often works better for startups:
- non-solicitation (customers, employees, suppliers),
- reinforced non-use and non-disclosure,
- conflict-of-interest management during the project (list direct competitors, require disclosure),
- an authorization mechanism for borderline situations.
4) If a leak happens: legal levers that actually work
When there is a leak, success is rarely about vague threats. It is about moving through clear channels with strong evidence.
4.1 Civil actions based on trade secrets (when the information qualifies)
If what was leaked qualifies as a trade secret, Ley 1/2019 provides tools to stop the harm (injunctive relief, prohibition of use, measures affecting documents and materials) and to claim damages. The core is evidentiary: show secrecy status and reasonable steps. Reference: Ley 1/2019.
4.2 Criminal route (serious cases)
In serious scenarios, revealing company secrets while being bound by confidentiality may trigger criminal liability. Reference: Spanish Criminal Code.
4.3 Employment route (employees)
If the responsible party is an employee, you may also have disciplinary avenues within the employment framework, depending on facts and evidence. Reference: Workers' Statute.
5) Practical comparison focused on leak prevention (employee vs freelancer)
Confidentiality
Employee
- There is a legal framework based on good faith duties, reinforced by data protection confidentiality where applicable.
- Typical risk: relying on legal duties but failing to implement access controls and offboarding.
Freelancer
- Contract terms must be more operational: tools, environments, subcontracting, incidents, return and verifiable deletion.
- Typical risk: information drifting outside the corporate perimeter because the contractor works in external infrastructure.
Non-compete
Employee
- Strict statutory limits (duration and mandatory adequate compensation, plus a real business interest). Reference: Article 21 ET.
- If drafted poorly, it collapses and you lose leverage.
Freelancer
- More contractual flexibility, but a higher risk of disproportionate restrictions.
- Often better replaced by conflict-of-interest clauses, non-solicitation, and strong confidentiality.
6) Best practices that actually reduce leaks
Clauses help, but leak reduction comes from a minimal system that people can follow.
6.1 Minimum steps if you want trade secret protection
If you want to defend the trade secret status, build evidence of reasonable steps:
- classification (public, internal, confidential, secret),
- role-based access (need to know) with periodic reviews,
- repositories and documentation with permissions, logs, and traceability,
- controlled exports and copies of critical assets,
- short recurring training with documented onboarding and refreshers.
Reference: Ley 1/2019.
6.2 Contracting levers that reduce risk
- NDA with usable definitions, examples, exclusions, and operational obligations,
- IP ownership and deliverables regime (especially for software and product assets),
- access lifecycle governance (onboarding, changes, termination),
- offboarding checklist (return, deletion, credential rotation, written confirmation),
- incident protocol (notice, evidence preservation, containment).
6.3 Operational habits that prevent big incidents
- corporate accounts and multi-factor authentication,
- shared password manager (avoid messaging credentials),
- clear BYOD policy if personal devices are allowed,
- environment separation (dev, staging, production) with rotatable credentials,
- access reviews at project closure and on departures (a frequent failure point).
FAQ
Can I force an employee not to work for a competitor after they leave?
Yes, but only through a valid post-termination non-compete that meets statutory limits (maximum duration), a real business interest, and adequate compensation. Reference: Article 21 ET.
What does "adequate compensation" mean in a post-termination non-compete?
There is no fixed percentage in the statute. Adequacy is assessed proportionally (duration, restriction intensity, and amount). Token payments paired with meaningful restrictions increase invalidity risk. Reference: BOE Legal Library commentary.
Can I impose a non-compete on a freelancer without paying them?
You can agree restrictions, but if the clause meaningfully blocks the freelancer from operating in their market, it becomes fragile and often impractical. In many cases, conflict-of-interest controls during the project, non-solicitation, and reinforced confidentiality are more effective.
Is an NDA enough to prevent information leaks?
It helps, but it is not enough by itself. If you want trade secret protection, you need reasonable steps (access control, classification, policies, training) and you must be able to prove them. Reference: Ley 1/2019.
Is there criminal liability if someone leaks company secrets?
In serious cases, yes. Unlawful disclosure of company secrets while being bound by confidentiality can trigger criminal liability. Reference: Spanish Criminal Code.
My employees process personal data. Do I need specific confidentiality commitments?
Yes. Spanish data protection law includes confidentiality duties for anyone involved in processing, and you should translate that into onboarding, policies, and internal controls. Reference: LOPDGDD.
What is usually more effective for startups: non-compete or non-solicitation?
For leak prevention, a combination of strong confidentiality, operational controls, and non-solicitation is often more defensible and more effective. Post-termination non-compete should be reserved for truly critical roles with serious compensation.