Increased requirements for owners of trade secrets - international protection concept required

Written By

artur wypych module
Dr. Artur-Konrad Wypych

Partner
Germany

As a Partner in our International HR Services practice group in Düsseldorf, I advise our domestic and international clients on all aspects of individual and collective employment law and social security law.

Even five years after the introduction of the Trade Secrets Protection Act by the German legislator, there is still legal uncertainty in practice as to when a company sufficiently protects its trade secrets within the meaning of Section 2 No. 1 b) of the German Trade Secret Protection Act (GeschGehG) or Art. 2 of the European Trade Secrets Directive (2016/943).

In recent years, civil and labour court rulings in Germany and other European countries have attempted to establish standards that owners of secrets can use as a guide when drawing up a protection concept. This also applies to the Labour Court of Aachen (judgement of 13 January 2022, ref. no. 8 CA 1229/20, see "Risks of the employer in the event of a lack of a confidentiality concept" (in German)), in which a filling machine manufacturer sought an injunction against the disclosure of performance data and process parameters by its former employee pursuant to Section 6 para. 1 GeschGehG. The employee was previously employed in the research and development department and had sent emails about performance data and parameters to a competitor company while still working for the employer. The disputed issues in the proceedings included whether the information as a whole or in the exact arrangement and composition of its components was generally known or readily accessible to persons in the circles that normally deal with this type of information and therefore of commercial value, and whether the manufacturer had taken appropriate measures to protect its secrets. It was particularly difficult for the plaintiff employer to prove the measures it had cited. The judgment was confirmed in full by the Cologne Regional Labour Court (judgment of 28 September 2022, ref. no. 11 SA 128/22); however, it is not yet legally binding and it remains to be seen whether the judges at the Federal Labour Court (appeal pending at the Federal Labour Court under ref. no. 8 AZR 172/23) will take the opportunity to specify the requirements for the protection concept.

All of this raises the following question for entrepreneurs: 

"How can I protect my trade secrets appropriately and with legal certainty and how can I demonstrate and prove this in appropriate court proceedings in order to effectively assert claims for injunctive relief or damages?"

First step: Creation of an overall protection concept

Companies must develop an appropriate protection concept. Although this does not have to guarantee perfect protection, case law does not consider a minimum of protective measures to be sufficient either (Higher Regional Court in Hamm, 15 September 2020, ref. no. I-4 U 177/19). To develop a concept, all trade secrets and the respective storage locations and access authorisations must first be identified. The measures developed in the concept must be appropriate for each secret according to its importance. Therefore, at the beginning of the development of a protection concept, the information should be categorised; the more important a trade secret is, the more extensive its protection measures must be. The type and usefulness of the information could be used to determine the importance of a trade secret. The explanatory memorandum to the law provides further information, according to which the value of the trade secret and development costs, the nature of the information, the importance for the company, the size of the company, the usual confidentiality measures in the company, the type of labelling of the information and agreed contractual regulations with employees and business operations are important (BT-Drucks 19/4724, p. 24 f.).

An overall concept should cover the entire lifecycle of an employee in the company, from recruitment through to termination and the subsequent obligations arising from the employment relationship.

Mix of different, graduated (protective) measures makes sense

Ideally, a concept should be based on technical and organisational measures and also be backed up by labour law measures. The following measures can be considered:

Carrying out background checks

Employers are able to carry out background checks on potential employees before hiring them, as long as they remain within the scope permitted by the GDPR and Section 26 Federal Data Protection Act (BDSG). For example, it is permissible to obtain information that the applicant has uploaded independently and is generally accessible. The Regional Labour Court (LAG) Düsseldorf recently confirmed (judgement of 12 April 2024, ref. no. 12 Sa 1007/23) that ‘googling’ a candidate may be permissible as part of an appointment procedure.

Training courses

Employers can also require participation in mandatory training (especially as part of the onboarding process) to educate and raise awareness among employees regarding the handling of sensitive personal data.

Need-to-know principle

According to the need-to-know principle, employees should only come into contact with information that is relevant to them in order to reduce (unnecessary) access to information. The Higher Regional Court of Stuttgart (judgement of 19 November 2020, ref. no. 2 U 575/19) has declared this, among other things, to be the absolute minimum standard for an appropriate concept.

IT measures

In the area of IT measures, access controls to data or premises are permissible, in particular so that it can be ensured that employees are to apply this need-to-know principle. In addition, employees could be reminded of the confidentiality of a file before it is opened. Systems should also be adequately secured against access by third parties.

Access controls

Controlled access to the company premises and the employer's premises through access controls and camera surveillance should not be neglected; sensitive areas should be further secured.

Special hazards when working remotely

Employers face particular challenges with the now-widespread use of location-independent working (e.g. teleworking, working from home or in a café) by employees. Many of these employer (protective) measures are difficult to implement, making it all the more important to train employees in the independent handling of sensitive data and taking any relevant technical and organisational measures. These include, for example, a ban on sending files to private devices or private email accounts or checking current systems and tools used and, if necessary, switching to a more secure system, as the risk of external access to internal systems increases through the use of private or public Wi-Fi.

Offboarding procedure

In addition to measures as part of the onboarding process, an offboarding procedure could also be introduced. This serves to safeguard business secrets after employees leave the company. Offboarding policies could explicitly define the procedure for returning all documents and data belonging or relating to the employer along with any work equipment in the employee's possession. In addition, employees could also be reminded of their confidentiality and non-competition obligations, if any.

Procedure for the disclosure of trade secrets ("crisis strategy")

If sensitive information is made public despite the measures taken above, employers should have a "crisis strategy" ready. The review should include an assessment and action to minimise any internal and external impact. There should also be a clear process for investigating and obtaining evidence of possible employee misconduct.

Non-disclosure clause/non-disclosure agreement

When concluding the employment contract, a corresponding (separate) non-disclosure agreement should be agreed, or even included in, the employment contract. Caution is advised when formulating such clauses. So-called ‘catch-all clauses’ are invalid (pursuant to Sections 305, 307 German Civil Code) as they are not transparent (Section 307 para. 1 sentence 2 German Civil Code) and violate an employee's freedom of occupation pursuant to Article 12 of the German Constitution. With regard to the GeschGehG in particular, case law requires that these are related to specific information; general and sweeping designations are not possible and do not provide protection under the GeschGehG. It should be clear to the employee which information is protected. Some courts, on the other hand, allow a mere description of the protected information to be sufficient (see Labour Court in Hamburg, judgement of 27 January 2022, ref. no. 4 CA 356/20). This poses problems in practice. Trade secrets and their meaning often change, and listing them in the employment contract is difficult due to the often large amounts of protected information. Whether simply paraphrasing is sufficient or a detailed description of the content is necessary can only be assessed on a case-by-case basis of the trade secret. If a description of the content is necessary, the trade secrets could, for example, be identified with a reference to appropriate labelling. Employers in particular who still use catch-all clauses in their employment contracts therefore need to take action in order to be able to adequately protect their secrets in future.

Further, the question often arises as to what extent employees can be obliged to maintain confidentiality after leaving the company. In principle, employees may not continue to use business secrets after they have left the company. This follows from the employee's duty of loyalty (Section 241 para. 2 German Civil Code). These must be distinguished from the experience acquired by the employee, who must be allowed to continue using this. This was also of importance in the case of the Aachen Labour Court; the court expressly did not agree with the opinion sometimes expressed in literature that a mere secondary obligation is sufficient to be part of an appropriate protection concept. For reasons of transparency, employees must be able to recognise to what extent and for how long they are subject to a duty of confidentiality.

Post-contractual non-competition clause

If employers want to prevent employees from using their accumulated experience for competitors, they must include an additional non-competition clause Section 110 German Industrial Code (GewO) in conjunction with Section 74 et seq. Section 74 f. of the German Commercial Code must be agreed. Clauses/agreements can be safeguarded by introducing contractual penalties.

Instructions

Confidentiality could be protected by issuing binding instructions to the employee within the meaning of Section 106 GewO by obliging the employee to handle sensitive information in a certain manner. However, employers must respect the scope of their right to issue such instructions and take this into account when doing so.

Company agreements

In addition to individual measures, employees could also be obliged to maintain confidentiality under collective agreements. In doing so, employers must observe the principles of transparency and certainty. Note, when introducing monitoring measures, the co-determination rights of the works council pursuant to Section 87 para. No. 1 and No. 6 Works Constitution Act (BetrVG) as well as information obligations pursuant to Section 90 para. 1 No. 2, 3, 4 BetrVG must be taken into account. Works agreements have the advantage that not all employment contracts of the employees concerned have to be amended individually.

Monitoring of measures and compliance

Such measures should be flanked by continuous monitoring of compliance with these measures, a review of the effectiveness of the protection concept and any necessary adjustments. To this end, employers could appoint a responsible person to monitor compliance with these measures and participation in the training courses, and flagging any violations.

The burden of proof regarding the protection concept lies with the owner

The protection concept and the measures taken must be evidenced by its owner. The employer's burden of proof includes, on the one hand, the existence of the measures as such and, on the other hand, that they apply to the trade secret in question. However, generalised references are not sufficient; the employer must be able to substantiate how it has protected this information. How such proof is to be provided depends on the respective measure, e.g. training courses could be evidenced by confirming successful participation. A blanket reference to access controls and other IT security systems is not sufficient. In the event of a security breach, for instance, employers must be able to list which affected information was accessible to which employee following any measures taken. This is another reason why employers should take a close look at their security concept so that they are not left empty-handed when claims are later asserted despite any security measures in place.

Europe-wide protection concept needed

Further challenges arise for international employers who operate across Europe, for example. Due to the implementation of the Trade Secrets Directive, employers are faced with the challenge of creating a Europe-wide protection concept.

Many legislators, like the German legislator, have not defined the term "adequate safeguards" in detail, leaving it to the national courts to interpret and, if necessary, develop the law around this. This could lead to different requirements in various countries not in the least because the European legislator has failed to create criteria for standardised requirements in the recitals to the directive. National courts are therefore free to interpret the laws as they see fit. We can breathe a sigh of relief that large parts of national case law to date apply criteria similar to those in Germany. For example, the Bulgarian Commission for the Protection of Competition (judgment of 24 February 2022, ref. no. K3K-873) ruled that catch-all clauses are not sufficient as a measure. On the other hand, the Barcelona Court of Appeal (judgement of 20 May 2022, ref. no. 853/2022) ruled, contrary to prevailing case law, that the mere agreement of a non-disclosure agreement is sufficient as a protection concept. This illustrates how vague Europe-wide case law can be and how individual cases can be decisive.

Consequently, it will remain relevant in the future to maintain an overview of applicable case law and, if necessary, to adapt one country's own concept to specific countries. The only certainty is that the requirements for protection concepts have increased in all member states.

Employers must be able to implement a Europe-wide appropriate protection concept and these methods throughout Europe, in particular, lawful contractual clauses which must be carried out in compliance with respective national laws.

Further information on this topic:

Latest insights

More Insights
featured image

Employers in a tighter straitjacket with the new Belgian Act on private investigations

5 minutes Dec 18 2024

Read More

GLOBAL INCENTIVES INSIGHT SERIES: UK – Beyond salary freezes: can equity awards beat the cashflow crisis for companies?

Dec 12 2024

Read More
EU Flag

EU Whistleblower Directive – Prepare for Potential Policy Adjustments

Dec 10 2024

Read More