The German Trade Secrets Act (GeschGehG), which came into force on 26 April 2019, is intended to strengthen the position of trade secret holders by providing a precise definition of a trade secret, determining acts of infringement and limitations, granting new claims to trade secret holders and regulating dispute resolution. The law is based on a draft directive of the European Commission.
What is a trade secret?
The new law contains a definition of a trade secret for the first time. Trade secrets are now defined as any information that:
not generally known among people in the circles that usually deal with this type of information, nor readily accessible to them, either in its entirety or in the precise arrangement and composition of its components; and
have commercial value because they are secret; and
The subject matter is subject to reasonable steps under the circumstances by the person lawfully in control to keep it secret; and
there must be a ‘legitimate interest’ in maintaining confidentiality.
What exactly does this mean?
Furthermore, both technical know-how (e.g. processes, construction plans, algorithms, prototypes, recipes) and business information (e.g. customer lists, business plans, advertising strategies) are protected.
The information must have commercial value. This is the case if the unauthorised use or disclosure of the information is likely to harm the owner by undermining its scientific or technical potential, commercial or financial interests, strategic position or competitiveness. This may also include information that incriminates the owner of the information (e.g. information about production problems or impending insolvency).
Furthermore, the information is only protected by law if it is adequately protected from disclosure. What is appropriate depends on the value of the secret as a whole, the size of the company, and the costs and customary nature of the measures.
The criterion of ‘legitimate interest’ is intended to ensure that information that would, for example, protect criminal offences is not covered by the protection of secrecy.
What steps should organisations take now to ensure that their information is protected by the law?
In order to get an overview of the information requiring confidentiality and its value, and to then define appropriate protective measures, companies should first identify their information and classify it according to the value of the secret and the risks of disclosure within the company.
Subsequently, it is recommended that a specific and comprehensive protection concept be developed and implemented for the introduction of necessary confidentiality measures at the organisational, technical and legal level.
Various protective measures are available here:
Labelling of the information as confidential
Contractual confidentiality agreements with employees and business partners
Restricting access to the information to employees who require this information for their work
Introduction of technical security systems, such as passwords or IT protection against hackers and viruses
This protection concept should be reviewed and updated at regular intervals. In the second part of our article, we will deal with the question of when trade secrets are infringed and how companies can protect themselves against this.
What attacks on trade secrets can a company defend itself against?
The following actions are considered to be a violation of trade secrets:
Industrial espionage, i.e. the unauthorised access, appropriation and copying of trade secrets,
unauthorised use or disclosure of trade secrets;
the acquisition, use or disclosure of a trade secret if the information was acquired from a third party who obtained the information without authorisation and the acquiring party knows or should have known about it.
The following actions, however, are not considered a violation of trade secrecy:
the independent discovery or creation of the information,
observing, examining, disassembling and testing (so-called reverse engineering), provided that the product has been made publicly available and is in the lawful possession of the analyst;
obtaining, using or disclosing information, provided that it is permitted by law or legal transaction;
the acquisition, use or disclosure of information by investigative journalists and whistleblowers (informants for the purpose of exposing criminal or other misconduct).
The last exception exposes the companies concerned to the risk of a whistleblower's false interpretation of the regulation leading to reputational risks. On the other hand, the regulation may lead to the disclosure to the public of (in themselves) legal actions and the associated trade secrets. However, it will be possible to require that employees must first contact a whistleblower hotline internally.
What claims can a company make in the event of its trade secrets being violated?
In the event of a trade secret being violated, the company can claim that the violation be stopped and remedied. Among other things, the company is entitled to destroy documents and files and to recall, destroy and withdraw the infringing product from the market.
The above-named claims must, however, be proportionate, whereby the decision on proportionality must take into account, in particular, the value of the secret, the confidentiality measures taken, the behaviour of the infringer, the consequences of the unlawful use, the legitimate interests of both parties and the public interest.
In addition, the company is entitled to claim damages. In this case, the company has the right to choose between compensation for the actual damage incurred, the surrender of the infringer's profit and the calculated amount that the infringer would have had to pay as reasonable compensation if he had obtained a licence to use the trade secret.
Finally, there is the possibility of criminal sanctions against both the (original) violator of the secret and the user of a trade secret unlawfully obtained by another person. These sanctions can result in substantial fines for companies.
How can a company ensure that it does not violate the trade secrets of others?
On the one hand, the managing director must ensure that he does not order any violations of the law, but also that his company is organised and supervised in such a way that no such violations occur.
For this reason, the company needs a compliance organisation geared to loss prevention and risk control, whereby the type, size and organisation of the company, the regulations to be observed, the geographical presence and the suspected cases from the past are crucial for the scope in detail. In this context, it makes sense to draft guidelines for employees on how to handle confidential information from business partners or other market participants.
On the other hand, when acquiring trade secrets from third parties who are obviously not their owners, the company should check the permissibility of the acquisition.
If you have any questions about the topics above, please feel free to contact us – we look forward to hearing from you.