There are several stages that precede the materialisation of an investment which include the stage of exchange of information, and due diligence, for properly evaluating the conditions surrounding an investment. From an investor's perspective, the most crucial stage is the due diligence stage, where the merits of the target (it could be investment in debt or equity securities, real estate or start-ups) are thoroughly examined. However, even before due diligence, an investor has to set the legal framework safeguarding the receipt and exchange of information while protecting the opportunity of the investment itself. It is at this stage, that the investor either receives or sends out their own confidentiality agreement for the counterparty's consideration, review and comments so that the exchange of information can commence within acceptable legal boundaries. Under Cypriot law, confidentiality agreements are governed under Contracts Law Cap.149 and while there's no monetary consideration exchanged between the parties, the promise to keep the information confidential and reliance on that promise represent adequate consideration rendering the agreement valid.

A confidentiality (or non-disclosure) agreement ("NDA") represents a contract between the party disclosing information ("Disclosing party") and the party receiving the information ("Recipient party"). Depending on the nature of the investment, the flow of information between the two parties could be mutual, which means they could each be a Disclosing and a Recipient party simultaneously. The length of the NDA is oftentimes indicative of the:

  1. nature of the investment or project;
  2. number of potential investors;
  3. attention placed on the processing of private data as per the EU General Data Protection Regulation (or equivalent for non-EU regions);
  4. requirement to address anti-bribery rules;
  5. volume and complexity of the information subject to be disclosed or exchanged.

The context in which an NDA is negotiated, will set the tone of the freedoms and restrictions governing the disclosure or exchange of information. For example, the NDA between an angel investor and a start-up (such as in the context of CYBAN may have more flexibility in clauses such as non-solicitation of employees, or the definition of representatives or affiliates given that the parties are rather specific and the risk of employee moving is minimal. An NDA between an institutional investor and several investment firms that will help finance a large scale, long-term and rather specific project, such as one of infrastructure, will require more robust clauses concerning the movement of employees, deals with financing sources, the timing of receiving bids, etc.

Having this differing context in mind, we highlight the following six (6) key issues when negotiating NDAs:

  1. What is an appropriate NDA duration?

The duration of an NDA can vary from a market standard two-year term to a more particular five-year term, depending on the volume, the sensitivity and the complexity of the information disclosed and the proposed investment. A few points to consider when evaluating the NDA's duration, include:

  1. The timeframe of materialising the proposed investment;
  2. Possible exchange or disclosure of trade secrets;
  3. Possibility of entering into a definitive agreement past due diligence stage;
  4. The legal framework of the jurisdiction where the proposed investment will be taking place.
  1. What constitutes confidential information?

The definition of confidential information is one of the most important terms of the NDA as it spells out what information is protected. On the disclosing side, parties prefer to have as wide a definition as possible, while on the receiving end, parties negotiate to narrower, more specific definitions. A key point to consider is whether information exchanged leading up to the signing of the NDA (such as "click-through" acknowledgements or information uploaded in data rooms) will be included. The usual carve-outs from the definition relate to information that's publicly available, already in the recipient party's possession or information that's developed by the recipient, as in the case of tech start-ups or private equity firms that receive information from a variety of sources on the same proposed investment.

  1. Announcements: Can we go public?

Frequently an agreed term, but still worth highlighting is whether or not the parties can announce the fact that they've signed an NDA or that they're considering the proposed investment. A key point is that parties' consent to any announcements is often the agreed way forward.

  1. Is a non-solicitation clause, relevant?

Yes. Restrictions to approaching an NDA counterparty's employees or clients are more relevant in NDAs between institutional investors and investment firms as each will try to safeguard the know-how behind the development of a proposed investment. A prudent approach would be to always include a non-solicitation clause which reflects the nature of the proposed investment and parties involved.

  1. Financing rounds -can we have an exclusivity over approached financing sources?

Depending on the scale of the proposed investment it is likely that the investor may want to share information with other potential financing sources either in the form of co-investors (equity financing) or lenders. Depending on the facts of the proposed investment, it may be relevant for the disclosing party to have some kind of control in the form of a prior consent, as to the debt or equity financing sources that may be approached.

  1. What about the processing of personal data?

In the aftermath of the application of the general data protection regulation in May 2018 throughout the EU ("GDPR"), persons are required to apply specific rules and processes that regulate among others, the storing, processing and sharing of personal data. Personal data as per the GDPR includes any information that relates to an individual who can be directly or indirectly identified. Regulating GDPR in an NDA is crucial because:

  1. It applies to non-EU as well as EU residents, provided the personal data processed or services/goods offered are to persons within the EU;
  2. The fines for breaches of the GDPR are very high. There are two tiers of penalties, at a maximum of €20 million or 4% of global revenue (whichever is higher), while persons whose personal data have been processed in breach of GDPR plus data subjects have the right to be compensated in damages.

The approach of "opting-out" of receiving personal data is often proposed in the course of negotiating the terms of an NDA. However, given the wide scope of GDPR, and the possible risk of breach, "opting-out" is almost impossible and certainly not advisable. The matter can be regulated by appropriate GDPR clauses taking into consideration the applicable law of the NDA, the jurisdiction of the proposed investment and the parties involved.

In conclusion:

When evaluating investment opportunities, it is important to have certainty over the exchange and disclosure of information. Ultimately, it is this information that will allow investment analysts and advisors to determine all the risks and decide whether to go ahead with an investment or not. As far as Cyprus is concerned, this is more relevant now in light of the recent approval by the European Commission of tax incentives to both private and corporate investors for investments in early stage, innovative small and medium sized enterprises. The tax incentives include a tax relief of up to 30% of the amount invested capped at 50% of the investors' total taxable income, and up to a maximum of EUR 150,000.00 per year and of EUR 750,000.00 within five (5) years from the investment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.