29.10.2019 | KPMG Law Insights

The new Trade Secrets Act

The new Trade Secrets Act –
Need for action by research institutions and universities

The protection of entrepreneurial know-how has always been a high priority. Securing it has considerable economic significance and can bring a real competitive advantage. The new Trade Secrets Act (GeschGehG), which came into force on April 26 of this year, is intended to provide better protection for entrepreneurs against the unlawful acquisition of trade secrets and their unlawful use and disclosure. Under the premise: Only those who take appropriate protective measures themselves will benefit from the new legislation. There is a need for action in this matter not only among companies, but especially among research institutions and universities.

The Act was enacted in implementation of the requirements of Directive (EU) 2016/943 on the protection of confidential know-how and confidential business information (trade secrets) against unlawful acquisition and unlawful use and disclosure. Until now, the protection of trade and business secrets was scattered across various areas of law, and there was a lack of uniform legal definitions and defined rights for the owners of secrets in the event of infringement by third parties. In particular, trade secrets have so far been protected by the criminal provisions of Sections 17 and 18 of the German Unfair Competition Act (UWG). However, these presupposed a subjective interest in the betrayal of secrets, so that legal enforcement was often only possible with great forensic effort.

The new regulations
First of all, the GeschGehG contains pursuant to § 2 No. 1 a definition of the term “trade secret”. Accordingly, the term includes information that has a commercial value due to its unfamiliarity or inaccessibility to the general public, is the subject of appropriate secrecy measures and there is a legitimate interest in keeping it secret. For the existence of a trade secret, it is therefore no longer sufficient to have a sufficient subjective intention to maintain secrecy; instead, it must be possible to demonstrate that the know-how was (objectively) protected by appropriate secrecy measures. Which measures are to be considered “appropriate” will have to be judged with regard to the individual case. A significant change is that in the future the burden of proof will be shifted, i.e. the infringed party must be able to prove in the event of a legal dispute that the measures it took to protect its trade secrets were sufficient.
A special feature of the new Business Secrets Act is that § 3 GeschGehG specifies actions by which a business secret can be lawfully obtained. In particular, this includes: the independent discovery or creation and an observation, investigation, deconstruction or testing of a product or object that has been made publicly available or is in the lawful possession of the observer, investigator, deconstructor or tester and the latter is not subject to any obligation to restrict the acquisition of the trade secret. In other words, the mere lawful possession of an object (the ownership of which remains disregarded) allows the lawful acquisition of a trade secret, e.g. by reverse engineering, if there are no (contractual or legal) restrictions on the owner. In this respect, owners of secrets are now de facto forced to secure their trade secrets by means of appropriate protective measures.

Approaches for appropriate protective measures
The applicable standards are still unclear due to the broad wording and the lack of case law to date. It is therefore particularly important for universities and research institutions to analyze their organizational structure, determine their individual protection needs, and take appropriate measures in a timely manner commensurate with the value of the secrets.
There are no blanket solutions for choosing suitable and appropriate protective measures. Universities and research institutions must create these individually for their organizational structures, review them regularly and adapt them if necessary. Technical, organizational and legal measures must be interlinked. First, a risk assessment should identify and evaluate the information that needs to be kept confidential and the size- and industry-specific risks, and identify internal and external measures to mitigate the risks.
It will not be necessary to take equally strict secrecy measures for all information, but standards that are set too low will have far-reaching consequences: The information will then not be classified as a trade secret, so that the information owner would lose his ownership of the information and thus its economic value. In view of the lack of case law on the concept of reasonableness, particularly strict standards should therefore be applied initially.
Legal consequences in case of violation
Only if the owner of the secret has adequately protected its trade secrets is it entitled to far-reaching claims in the event of an infringement of rights by a third party pursuant to Sections 6 ff. GeschGehG: First, he can demand that the infringement cease and that the relevant documents be handed over or destroyed. Furthermore, he may take action against the distribution of infringing products (recall, cessation of supply, destruction) and he is entitled to information and damages. He may also request the publication of the judgment on the infringement at the expense of the infringer. If the action has been dismissed, however, this can also be demanded the other way around from the alleged infringer at the expense of the owner of the secret.
Violation of the law may result in criminal penalties: these may include imprisonment of up to five years (e.g. in the case of commercial activities). Against the background of the planned corporate criminal law (Association Sanctions Act), it should be noted above all that infringers can also be legal entities, including in particular universities, if they are not engaged in sovereign activities, e.g. in economic activities such as contract research.
Conversely, the company owner is also liable if the infringer is an employee or agent of his company. In addition to protecting his own trade secrets, the company owner must therefore ensure that no third-party trade secrets are infringed from within his company. It is precisely this obligation that now also applies to universities and publicly funded research institutions that frequently come into contact with other people’s secrets, for example in collaborations and joint research projects.
However, the new Trade Secrets Act provides for a statutory exception: Disclosure of trade secrets by whistleblowers is lawful if it leads to the disclosure of unlawful acts, professional or other misconduct and is suitable for protecting public interests (Section 5 No. 2 GeschGehG). With this far-reaching and contourless regulation, it remains to be seen how it will be interpreted and applied by the courts in the future.

Need for action at universities and research institutions
It is not only companies that need to take action as a result of the new legal regulations. Research institutions and universities are also required by the GeschGehG to take measures to protect trade secrets. This obligation applies to both the university’s own business secrets and those of third parties, knowledge of which may come to the university’s employees through cooperation with third parties. The protection of know-how is of great importance to universities and the companies that work with them. Acquired knowledge and research results cannot always be protected by other property rights (e.g. patents), but still require secrecy in order to maintain the competitive advantage and thus the economic value. The protection of this information is therefore imperative.
Possible measures can include access controls and technical protection measures, logging of calls, and contractual safeguards. In case of doubt, the owner of the secret must be able to prove that protective measures have been taken and that they are appropriate. This will only be possible on a regular basis if a functioning compliance system is implemented. The compliance system should be designed in such a way that it is also ensured that no third-party trade secrets are used unlawfully from within the university or research institution itself, so as not to run the risk of being held liable.

Consequences of non-compliance
Those who do not fully implement the new legal requirements of the Secrets Protection Act run the risk that their secrets are not effectively protected and are legally subject to free use and exploitation by others. However, this may not remain the only negative consequence – universities and research institutions that fail to act run the risk of becoming the addressees of claims by any competitors or future corporate penalties. The consequence can be considerable claims for damages against universities and research institutions, which should definitely be avoided by acting in time regarding the new legal regulations.

Explore #more

13.06.2024 | Press releases

Handelsblatt and Best Lawyers honor KPMG Law Experts

Best Lawyers has once again identified the best commercial lawyers in Germany for 2024 exclusively for Handelsblatt. A total of 28 lawyers were honored by…

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.