
GeschGehG — Trade Secrets Act

Reviewed by: Cenedril Editorial

A machine-builder sues a former developer who moved to a competitor with detailed CAD data. The court dismisses the claim — the data lay unprotected on a network drive accessible to 60 employees, there were no NDAs, and there was no classification in place. Without documented reasonable confidentiality measures the statutory protection falls away, even where the theft is obvious.

The Trade Secrets Act (GeschGehG) replaced the old rules in the UWG in 2019 and transposed EU Directive 2016/943 into German law. It protects trade secrets under civil law, but it ties protection to an active safeguarding effort by the rights holder — making information security a precondition for legal protection.

Who is affected?

Every organisation that wants to keep economically valuable information secret. The law addresses every holder of a trade secret across industries:

  • Industrial companies — design data, production processes, material formulas, supplier conditions.
  • Software and tech companies — source code, algorithms, training datasets, roadmaps.
  • Consulting and service firms — methodologies, client data, pricing calculations.
  • Research institutions — unpublished research results, experimental designs.
  • Sales organisations — structured customer data, CRM analytics, pipeline data.

Whistleblowers are also covered — Section 5 GeschGehG protects the disclosure of unlawful practices or professional misconduct. Whistleblower protection has been further specified by the HinSchG (Whistleblower Protection Act) since 2023.

What does the law require?

The GeschGehG is strikingly short, yet powerful. The points central to information security:

  • Definition (Section 2) — information is a trade secret if it is secret, has economic value, is protected by reasonable measures and there is a legitimate interest in its secrecy. All four conditions must be met cumulatively.
  • Acts of infringement (Section 4) — unauthorised acquisition, use or disclosure. Acquisition with knowledge of a prior infringement is also covered.
  • Permitted acts (Section 3) — independent discovery, reverse engineering of lawfully acquired products, acquisition in the context of information or consultation rights of employee representatives.
  • Whistleblower protection (Section 5) — disclosure of unlawful practices to safeguard legitimate interests is permissible.
  • Claims (Sections 6-8) — removal, injunction, destruction, information, damages. Confidentiality during proceedings is safeguarded via Sections 16 et seq.
  • Criminal liability (Section 23) — intentional infringement carries up to three years of imprisonment, up to five years in particularly serious cases.

The requirement of “reasonable confidentiality measures” is the information security lever. Without it, none of the claims is available.

In practice

A trade-secret register is a mandatory artefact. A blanket claim that “all internal data is confidential” will not hold up in court. What holds up in practice is a register of concretely named trade secrets with classification level, affected systems, circle of persons with access and documented protective measures. The register is reviewed at least once a year.

Maintain NDAs as a living inventory. Confidentiality agreements with employees, service providers, customers and partners form the legal component of reasonable protective measures. The agreements must be current, countersigned and findable. An NDA that nobody can locate is worthless in a dispute.

Drive off-boarding with a confidentiality focus. By far the most frequent infringement case: departing employees take data with them. Structured off-boarding processes with equipment return, account deactivation, data-carrier audit and a formal reminder of post-contractual confidentiality are the most important operational measure.

Mapping to ISO 27001

ISO 27001 Annex A covers the GeschGehG protection concept almost in full. An organisation running a certified ISMS and documenting the protective measures has largely produced the evidence of reasonable confidentiality measures.

The directly relevant controls are listed under “ISO 27001 Controls Covered” below.

Typical audit findings

  • No trade-secret register — the organisation cannot name which information it specifically wants to protect. In a dispute, the basis for any claim is missing.
  • NDAs are outdated or unfindable — old standard agreements, no central repository, no systematic upkeep at contract renewal.
  • Classification is unsystematic — sensitive documents are not marked “confidential” or “secret”; a classification policy is missing.
  • Unjustifiably broad access rights — sensitive data areas are accessible to entire departments without business-specific justification.
  • Off-boarding with gaps — equipment is not returned, accounts stay active, USB transfers before departure are not checked.
  • Training obligation ignored — employees do not know that a trade-secret concept exists, let alone what falls under it.
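A register check that flags the evidence gaps behind the audit findings above, against the register fields and the annual review cycle described under “In practice”. This is an added example, not Cenedril's or any ISMS tool's code; the field names, the “20 persons without justification” threshold and the sample entries are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REVIEW_INTERVAL = timedelta(days=365)   # register is reviewed at least once a year
MAX_UNJUSTIFIED_CIRCLE = 20             # assumed threshold above which a justification is required

@dataclass
class SecretEntry:
    """One concretely named trade secret in the register (fields as the article lists them)."""
    name: str
    classification: Optional[str]        # "confidential" or "secret"; None if unmarked
    systems: List[str]                   # affected systems
    access_circle: List[str]             # persons or roles with access
    access_justification: Optional[str]  # business reason for that circle, None if undocumented
    measures: List[str]                  # documented protective measures
    nda_location: Optional[str]          # where the countersigned NDA is filed, None if not findable
    last_review: date

def check_entry(e: SecretEntry, today: date) -> List[str]:
    """Return the evidence gaps for one entry; an empty list means the documentation holds up."""
    gaps = []
    if e.classification not in ("confidential", "secret"):
        gaps.append("not classified")
    if not e.systems:
        gaps.append("affected systems not named")
    if not e.measures:
        gaps.append("no documented protective measures")
    if e.nda_location is None:
        gaps.append("NDA not findable")
    if len(e.access_circle) > MAX_UNJUSTIFIED_CIRCLE and not e.access_justification:
        gaps.append("access circle broad without business justification")
    if today - e.last_review > REVIEW_INTERVAL:
        gaps.append("annual review overdue")
    return gaps

def check_register(register: List[SecretEntry], today: date) -> Dict[str, List[str]]:
    """Map each entry name to its gaps; an empty register is itself the most serious finding."""
    if not register:
        return {"<register>": ["no trade-secret register: nothing concretely named"]}
    return {e.name: check_entry(e, today) for e in register}

# Constructed sample mirroring the opening case: CAD data open to 60 people, no NDA, no classification.
SAMPLE = [SecretEntry("gear housing CAD model", None, ["engineering file share"],
                      [f"user{i}" for i in range(60)], None, [], None, date(2023, 1, 10))]

if __name__ == "__main__":
    for name, gaps in check_register(SAMPLE, date(2024, 6, 1)).items():
        print(name, "->", gaps or "documentation complete")
```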


ISO 27001 Controls Covered

  • A.5.10 Acceptable use of information and other associated assets
  • A.5.11 Return of assets
  • A.5.12 Classification of information
  • A.5.13 Labelling of information
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.18 Access rights
  • A.5.19 Information security in supplier relationships
  • A.5.20 Addressing information security within supplier agreements
  • A.5.32 Intellectual property rights
  • A.6.2 Terms and conditions of employment
  • A.6.3 Information security awareness, education and training
  • A.6.5 Responsibilities after termination or change of employment
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.12 Data leakage prevention
  • A.8.24 Use of cryptography

Frequently asked questions

What is a trade secret under GeschGehG?

Information that is not generally known or easily accessible, that has economic value (precisely because it is secret), that is the subject of reasonable confidentiality measures and in whose secrecy there is a legitimate interest (Section 2(1) GeschGehG). All four conditions must be met. If reasonable confidentiality measures are missing, there is no legal protection, even where theft is obvious.

What are reasonable confidentiality measures?

The law does not name a catalogue. Case law follows a multi-layered model: classification of the information, access control, contractual safeguards (NDAs, non-compete clauses), technical protective measures, awareness and training, and the ability to prove all of this. What is reasonable depends on the value of the information and the industry; the protective measures expected for a pharmaceutical formula are higher than those for a customer list.

What about reverse engineering?

Section 3 GeschGehG expressly permits reverse engineering of lawfully acquired products. This is the biggest practical change compared with the old UWG (Unfair Competition Act) legal position. An organisation that does not want a product insight disclosed through reverse engineering must safeguard it contractually (NDA, licence) or technically (encryption, tamper resistance).