There is a new law. Certainly, this would not be worth mentioning if it did not concern the handling of trade secrets and if it did not result in so many changes to the old legal situation.
The Trade Secrets Protection Act implements an EU directive and has been in force since 26 April 2019. The Act regulates the protection of confidential information in companies uniformly and comprehensively. The previous regulations on the criminal law protection of trade secrets have been abolished.
As Dr. Martin Schirmbacher, lawyer of the Online Print Initiative and specialist lawyer for IT law at HÄRTING Rechtsanwälte, explains in the following article, the new law affects online printers from two perspectives. On the one hand, anyone who wants to continue to effectively protect their own trade secrets must act. On the other hand, many customers will urge the conclusion of new confidentiality agreements.
Information protected as a trade secret
§ 2 No. 1 GeschGehG defines (only) which information is protected as a trade secret. According to this, protected information is information that:
– is not generally known or readily accessible to individuals in those circles who normally deal with this type of information,
– is of economic value,
– is subject to appropriate confidentiality measures by its lawful holder under the circumstances, and
– is the subject of a legitimate interest in confidentiality.
The main difference to the previous legal framework is that it is no longer sufficient (and necessary) to have a “will to secrecy” that is somewhat difficult to grasp, but instead appropriate secrecy measures must be taken. The lawful owner of the secret must take appropriate – in case of doubt verifiable – secrecy measures in order to claim the protection of the trade secret. If these are missing, there is also no legal protection against access. Then, in case of doubt, the information is not protected against takeover.
Appropriate confidentiality measures
Since the existence of adequate protective measures is a prerequisite for protection as a trade secret and the burden of proof for their existence lies with the company in case of doubt, the measures must not only be present but also sufficiently documented. There are three types of confidentiality measures:
– Contractual measures (e.g. confidentiality agreements)
– Organizational measures (e.g. determination of responsible persons, authorization concept) and
– Technical and physical protection devices (e.g. firewall, safe, password protection).
The assessment of the appropriateness of a confidentiality measure is not based on rigid categories, but on a case-by-case consideration of various factors:
– Value of the information,
– Degree of competitive advantage from the secret information,
– Any confidentiality difficulties that may exist, and
– Concrete danger to the information.
Strictly speaking, a risk assessment must then be carried out for each confidential piece of information and protective measures must be defined, implemented and documented in contractual, organizational and technical terms.
Need for a concept for the protection of secrets
This is hardly feasible even for medium-sized companies. Rather, it is advisable to classify the cases on the basis of their frequent occurrence. The result is a (small) secret protection concept.
It is recommended to first collect all business secrets in the entire chain of the value creation process (development, marketing, sales, customer service, management), categorize them (according to topic and worthiness of protection) and then set up an internal authorization and action concept.
The concept should, for example, also define the personnel responsible for establishing appropriate confidentiality measures for the individual categories of trade secrets. Furthermore, the establishment of regular control measures by the responsible person is also conceivable, such as in the form of regular evaluations of the necessary protection (before and after market placement, exploration of new trade secrets in the respective department, etc.).
Violations of trade secrets and consequences
The authoritative prohibition norm of the GeschGehG is § 4 GeschGehG. Accordingly, the acquisition of trade secrets through unauthorized access or in any other way is prohibited (para. 1). The use or disclosure of inadmissibly obtained information is also prohibited (para. 2 no. 1). The same applies to the use of trade secrets which have been obtained in a permissible manner (e.g. by employees or service providers), but which are used in breach of a confidentiality obligation (para. 2 no. 2).
§ 4 (3) extends the prohibition to persons who do not themselves commit a breach of a secrecy obligation, but who have obtained or disclosed the information in the course of an infringement by the owner and who knew or should have known about the information. The most frequent application is likely to be the use of trade secrets of competitors following unauthorized acquisition by service providers or employees.
If a prohibited act is committed, various claims can be considered, depending on the act of infringement: these range from injunctive relief to destruction claims to damages.
Three examples of cases of application under the new law
Three practical examples will serve to illustrate the effects of the new law.
Example 1: Online marketers with access to the customer list
A large online printer commissions an online marketing agency to evaluate newsletter openings, website calls and to determine correlations with orders, sales and margins. Full access to all relevant data is granted in order to derive concrete conclusions for further marketing and sales measures. If no further confidentiality agreements are made, neither the agency nor its employees, freelancers or interns violate the secrecy law if the information is passed on to competitors. Even the competitor who uses the information in its marketing strategy does not violate the law because the information lacks adequate protective measures and confidentiality was not agreed upon, even though it was a matter of significant company insight.
Example 2: Internal procedures and processes as business secrets
Many online printers consider their internal processes to be particularly unique and therefore worthy of protection. But under the new law, anyone who wants to defend themselves against know-how theft must do something:
– In contractual terms, it must be ensured that employees who have an overview of all processes are obliged to maintain confidentiality. Confidentiality agreements must also be concluded with external consultants or others who gain insight into the process structure.
– From an organizational point of view, it must be ensured that as few employees as possible receive a complete overview at all. Important details must be protected by an authorization concept.
– From a technical point of view, the organizational concepts must also be implemented. In particular, this means that technical security measures must be taken to prevent the outflow of know-how.
Example 3: Printing documents from customers
Many online printers – whether intentionally or not – come into contact with their customers’ trade secrets. Packaging printers, for example, know for months about the customer’s start of a new packaging design. Even the printing of annual reports is often subject to secrecy. Even with seemingly harmless advertising flyers for new products, the confidentiality issue arises.
Customers who take the protection of their confidential information seriously cannot avoid concluding comprehensive confidentiality agreements with their service providers that take the new legal situation into account. Ultimately, these agreements must, in particular, prohibit the disclosure of information and its use.
From the service provider’s point of view, this means, on the one hand, that such confidentiality agreements must be closely examined. Despite all understanding for the legitimate needs of customers, it must also be possible to comply with the contracts in practice. Otherwise, there is a risk of violation of the GeschGehG and, ultimately, serious consequences. Once concluded, confidentiality agreements must therefore be rigorously adhered to. If the agreement stipulates that all employees must be instructed separately on secrecy, this must also be done. If an employee violates this, this is a violation of the new law in case of doubt.
The new Trade Secret Protection Act requires the online print industry to take action. On the one hand, this concerns confidential information such as customer lists, sales figures or other company key figures, but it also affects internal processes. In case of doubt, a secret protection policy, its implementation and its documentation in practice are necessary. On the other hand, customers must adapt confidentiality agreements with printing companies in order to reliably protect their artwork from premature disclosure. However, online printers should not blindly sign everything, as the consequences could be serious.