Download our FREE ebook on GDPR compliance. Download Now

All You Need to Know about Spain’s New Trade Secrets Act

Earlier this year, the Spanish Senate approved a new Trade Secrets Act (TSA) which came into force on 13 March 2019. The act was a delayed transposition into Spanish law of the EU Directive 2016/943 on Trade Secrets which aims to protect undisclosed know-how and business information against their unlawful acquisition, use and disclosure. Through it, valuable business information is legally recognized as equivalent to intellectual property in the EU.

The Trade Secrets Directive aims to harmonize regulations on the protection of trade secrets across the EU and through it, encourage cross-border business in the field of innovation and transfer of innovative knowledge.

What is a trade secret?

The definition given by the TSA of trade secrets is intentionally very broad so it can be applied to all types of information or know-how, but it must fulfil three basic requirements: it must be secret, have business value and reasonable measures must have been taken to maintain its secrecy.

This means that anything from financial information to blueprints and algorithms can fall within the incidence of the TSA, but that companies failing to protect information that they consider secret will not have recourse to legal action.

Lawful and unlawful acquisition of information

The TSA specifies what is lawful and unlawful when it comes to acquisition, use or disclosure of trade secrets. There are a number of circumstances under which the acquisition of information is considered lawful: when it results from an independent discovery, reverse engineering, the exercise of workers’ rights or any other action conforming to fair commercial practices.

On the other hand acquisition is considered unlawful when trade secrets were obtained without the authorization of the owner. Any unlawful acquisition extends to the information’s use and disclosure. Should trade secrets obtained in a lawful manner be used or disclosed in breach of contractual or other obligations, they would also qualify as infringements of the TSA.

Liability under the TSA

One important thing to keep in mind is that, under the TSA, third parties that acquire, use or disclose trade secrets while being aware or, more notably, should reasonably have been aware, that they acquired the information from a party that uses or discloses it unlawfully are also liable for infringement. This objective liability also extends to companies marketing, producing or offering goods that incorporate trade secrets used unlawfully.

Recourse to action under the TSA

The TSA has made it much easier for companies to seek action against both direct trade secret infringers and third party purchasers of unlawfully acquired information.

In case of infringement, organizations are given several options: they can declare the infringement, request the cessation, prohibition or removal of effects, demand damages or the publication of the judgement. The TSA also includes more specific remedies such as the destruction or delivery to the plaintiff of documents, objects, materials, substances or electronic files containing the trade secret, or the recall of infringing goods.

Companies have three years from the moment they become aware of the person carrying out the infringement to file a legal action before the statute of limitation expires, which is two years longer than prescribed by previous Spanish laws.

The TSA also stipulates that companies filing trade secret actions in an abusive way may be fined up to a third of the amount in dispute. The ruling would also be published which can have dire consequences on a company’s reputation.

In conclusion

The TSA allows companies to protect the information they consider vital to their business and take action when its secrecy is violated. However, they must first take measures to ensure that its secrecy is maintained. In the digital age, this means that trade secrets must be protected with the same diligence accorded to sensitive data falling under the incidence of the GDPR.

Badly protected information, that falls victim to data breaches or leaks due to either outside interference or inside negligence cannot be considered secret anymore. After all, if information is made public, against the wishes of a company, not through a breach of good faith, but a clumsy email or forgotten removable device, it can no longer be reasonably considered a secret.

explainer-c_compliant-industry

Download our free ebook on
GDPR compliance

A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.

In this article:

    Request Demo
    check mark

    Your request for Endpoint Protector was sent!
    One of our representatives will contact you shortly to schedule a demo.

    * Your privacy is important to us. Check out our Privacy Policy for more information.