Trade Secrets Act

Trade Secrets Act and organizational precautions

1. Introduction

The Trade Secrets Act (GeschGehG) came into force at the end of April 2019. The law was enacted in implementation of an EU directive on the protection of know-how and trade secrets.
Know-how was previously considered inadequately protected. This was intended to be changed by the Trade Secrets Act.
While under previous law, the violation of know-how protection was only insufficiently prosecutable, the new law aims to tighten possible sanctions.
However, this additional protection comes at the cost of a change in the concept of protected trade secrets: While previously, know-how could be secured simply by concluding confidentiality agreements with contractual partners, the GeschGehG sets significantly higher requirements for the existence of a trade secret.
Under previous law, information was already considered a trade secret if it was “obviously in need of confidentiality”; a factual intention to maintain secrecy was sufficient. If, in addition, protection in the form of a confidentiality agreement/NDA/CDA was concluded, one could sue for injunctive relief and damages with relative certainty. However, regarding the claim for damages, there was the difficulty of having to prove the actual damage incurred, which was often extremely difficult without contractual penalty provisions.

2. The new regulation

The Trade Secrets Act now provides a definition of trade secrets. Section 2 (1) No. 1 of the GeschGehG defines a trade secret as follows:
1. The information is neither generally known nor readily accessible, either in its entirety or in the precise configuration and assembly of its components, to persons within the circles that normally deal with this kind of information.
2. Because the information is secret, it has commercial value.
3. The information has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.
4. There is a legitimate interest in maintaining secrecy.
Organizational requirements are imposed on companies by points 3 and 4, particularly under 3.
This regulation is understood by many as a tightening compared to the previous legal situation.

3. Appropriate confidentiality measures

What are “appropriate confidentiality measures”? a) Confidentiality agreements with suppliers or customers as well as other contractual partners are practically mandatory. Without corresponding agreements, there is no enforceable violation of the Trade Secrets Act under the new legal situation.
An exception applies here for persons who are already obliged to maintain confidentiality due to legal regulations, such as lawyers, tax consultants, auditors, etc.
b) All employees must be contractually obligated accordingly. If this is not yet the case in individual employment contracts, a corresponding clause must be included, whereby the employee explicitly undertakes to maintain confidentiality regarding all information that comes to their knowledge.
Such clauses in employment contracts are actually part of “best practice”. Nevertheless, one should check whether this really applies to all employees and has been observed. A review of all contracts is likely to be necessary. A note about these review measures should also be made in order to be able to prove that everything has been done to effectively protect trade secrets.
c) Furthermore, it is argued with good reasons that in addition to these general measures (confidentiality agreements with contractual partners and with all employees, but also, for example, with managing directors and supervisory board members), technical measures must also be implemented.
In particular, this involves granting rights for relevant folders or hard drives. Why should an accounting employee have access to development work that belongs to the essential trade secrets of a company? However, it can also be approached much more granularly: Does a sales employee need to have insight into development documents? Are employees of group companies allowed to view documents of other group companies without further ado? Since the law is still quite new, there is no case law on this yet. However, from the previous commentaries, it is clear that every company should at least think about the security architecture of the IT system and possible access rights or restrictions thereof. The more clearly defined within the company why which employees or which departments are allowed to access which content, the easier it will be to enforce rights in the event of a violation of trade secrets by third parties.
One must also not be satisfied with measures regarding IT. Manufactured samples, probes, printed or drawn designs, written documents, etc. must also be protected from unauthorized access. This can be done by using lockable cabinets, subjecting certain rooms or building wings to access restrictions, etc. Depending on the case, a certain degree of creativity is absolutely necessary here. To be checked: Which information, objects, production facilities, etc. require confidentiality?

How can these be reasonably protected from unauthorized access – including from own employees?
Because an attacked third party who allegedly uses trade secrets can claim that the information in question is not a trade secret and that no rights under the Trade Secrets Act have been violated, as the affected company has not taken sufficient protective measures for precisely these trade secrets that the attacked third party is using.
The more clearly the affected company can demonstrate that and which measures have been taken to protect trade secrets, the easier and more likely successful the enforcement of rights will be.

4. Lack of implementation: Personal liability of management conceivable

Every management is urgently advised to take care of the organizational implementation of the regulations. Due to the importance of trade secrets for business success, it must be assumed that ensuring the implementation of the legal requirements of the Trade Secrets Act is an essential duty of management. Then, the failure to implement or inadequate implementation can result in recourse claims by the company or shareholders against the responsible managing director(s)/board member(s).

5. Conclusion

The new Trade Secrets Act provides a relatively well-functioning system of sanctions in case of violation of trade secrets by employees or third parties, provided all its prerequisites are met. However, this requires that the company takes sufficient measures to both identify and protect trade secrets. These measures must not be limited to confidentiality agreements/NDAs/CDAs with customers or suppliers on the one hand, and confidentiality agreements with employees or management, a possible advisory board or supervisory board, etc. on the other. Rather, additional measures must be taken to protect trade secrets. This includes, in particular, access restrictions for folder contents in IT systems or lockable cabinets for printouts/physical documents/samples and drafts, or access restrictions for certain parts of buildings. Competent advice is necessary for implementing the required measures, as well as for defending rights: Contact us.