While most companies nowadays comply with the technical and organizational requirements of data protection law, the protection of their trade secrets often still ekes out a shadowy existence in practice. This is particularly true for smaller companies and start-ups, which are often unaware that the protection of such secrets under the German Trade Secrets Protection Act is subject to specific requirements. Find out here what these requirements are and how you can ensure they are met by using the synergy effects of your data protection organization.
What does the German Trade Secrets Protection Act regulate and what is it important for?
A company’s know-how is of decisive importance for its value and for the price it can charge on the market for its services. However, large parts of this knowledge (e.g. customer and supplier lists, cost information, business strategies, company data, market analyses) typically do not meet the requirements to be protected as industrial property rights (patent, utility model, registered design), trademarks (trademark, company signs, titles of work) or copyrights. A company can therefore regularly only obtain the legal right to exclude third parties from using this knowledge under the conditions of the German Act on the Protection of Trade Secrets (GeschGehG).
The GeschGehG grants the owner of the trade secret very extensive protection. If a trade secret is unlawfully obtained, used, or disclosed, the company has claims for removal and injunction, destruction, surrender, and recall, information, and damages (Sec. 6 to 10 GeschGehG). In the course of enforcing such claims, the secrets can be protected from disclosure to the public by secrecy orders issued by the court (Sec. 16 GeschGehG). And since the GeschGehG is the implementation of EU Directive 2016/943, these rights as well as the requirements for protection are very similar, if not identical, in other EU member states (see for example here).
Under what conditions is a trade secret protected?
In order to be able to assert these rights, the following conditions must be met (and, if necessary, proven by the company) according to Sec. 2 No. 1 GeschGehG:
- The information must be secret, i.e. neither generally known nor otherwise readily accessible;
- The secret information must have an economic value;
- The owner must take reasonable measures to maintain secrecy
- and the owner must have a legitimate interest in keeping the information secret (which may be lacking primarily in cases of lawful whistleblowing, cf. Sec. 5 GeschGehG).
What does this have to do with data protection in the company?
At first glance, the protection of trade secrets and data protection are two different areas of law that do not overlap either in terms of the requirements for protection or the obligations of the “bearer of secrets” and the consequences of a violation of the law. Data protection law does not protect companies, but natural persons (“data subjects”), and its subject matter – regardless of its economic value – is only personal data, i.e., data relating to a specific, at least identifiable person.
Upon closer examination, however, one quickly realizes that there are in fact numerous overlaps between (i) the technical-organizational measures that a company must take pursuant to Art. 32 GDPR to protect personal data and (ii) the appropriate secrecy measures that are a prerequisite for the protection of a trade secret pursuant to Sec. 2 No. 1 GeschGehG. Therefore, if your company already has a lived data protection organization, you can use these organizational structures to ensure the protection of its trade secrets at the same time.
Practical tips for companies
Do you oblige your employees to maintain data confidentiality and conclude Data Processing Agreements with your service providers? Great – but remember to also conclude confidentiality agreements on this occasion.
When doing so, make sure to describe the subject of the activity or cooperation as precisely as possible and avoid so-called catch-all clauses. In case of doubt, an NDA that has as its subject a comprehensive confidentiality without any exception and with regard to all information disclosed to the contractual partner is invalid pursuant to Sec. 138 or Sec. 307 of the German Civil Code (“BGB”), and this invalidity may result in the very absence of appropriate confidentiality measures. Instead, agree on a mode for regular concretizing additions to the agreement in order to be able to take account of changes or expansions in the scope of activities of your contractual partner. Use your processes for maintaining and updating your data protection records of processing activities to anticipate the need for such supplements to your non-disclosure agreements at an early stage.
Do you have a data protection authorization concept and centralized authorization management by your IT department? Very good – but apply the same principles (which employee really has a need-to-know?) and the same IT infrastructure to your trade secrets!
If you’re using popular hyper-scale cloud services, there are plenty of ways to classify classified information as such, enforce your access policy via technical policies, and prevent the unintentional leakage of information through data loss prevention software.
Are you using providers based in third countries outside the European Economic Area (especially the U.S.) and are already looking into implementing additional protection measures to be able to justify such data transfers in accordance with the ECJ’s Schrems case law? Excellent – but continue down this path should the EU Commission issue the new adequacy decision for data transfers to the U.S..
Many U.S. providers are already moving toward giving customers the option of encrypting their data with their own customer key (bring your own key-encryption, “BYOK”). Despite the associated costs, you should consider such BYOK encryption for particularly important trade secrets – also because U.S. providers do not accept any contractual penalty provisions in their NDAs.
TOM concepts and TOM lists
Do you already have a TOM concept and a TOM list to document the measures you have taken to protect personal data? Very good, because the subject matter of such TOMs will typically include safeguards against unauthorized physical access to your business premises and data processing systems, which are also to be counted among the appropriate protective measures as defined by the GeschGehG.
You should subject these TOM to a regular review anyway – in doing so, you can then also check whether they are (still) sufficient to protect your trade secrets.
Costs and economic value
The GeschGehG only protects information with economic value. There is no specific value limit for this, so that information with only a low economic value is also protected. However, at the latest when you actually have to assert claims for damages, it is of considerable importance to be able to justify the value of your trade secret.
A value-determining factor can be the investment in protecting your trade secret from access by third parties. In practice, therefore, it may be useful to already consider these interrelationships when accounting for such costs or trade secrets in your balance sheet.