The enactment of both the new Spanish Data Protection Act (DPA) and the — first — Spanish Trade Secrets Act (TSA) has resulted in substantial changes regarding privacy and secrecy from a legal standpoint. These changes are very relevant for any kind of company doing business in Spain, given that they concern a wide range of aspects (rights over intangible assets, relationships with employees, procedural rules, etc.). This brief article intends to provide useful recommendations for adapting and getting the most out of these legal developments.
With the TSA the right over trade secrets is legally recognized — before the TSA trade secrets were protected by dispersed rules, but not defined by law —. Moreover, the TSA contains specific substantive and procedural rules for trade secrets protection aiming to increase legal certainty for trade secrets holders — the former system did not provide as much guarantees as desirable —. With the TSA:
- An economic right over information — whatever its nature — is possible, if such information (i) is secret — i.e., it is not generally known among or readily accessible to persons within the circles that normally deal with such kind of information —; (ii) has or may have commercial value due to its secret condition; and (iii) is adequately protected to remain secret. Therefore, trade secrets may cover know-how, business, financial, scientific and technological information — such as sales methods, distribution methods, consumer profiles, advertising strategies, lists of suppliers and clients, manufacturing processes, etc. — if the mentioned requirements are met and such information is not trivial.
- Among the limitations to this right it must be highlighted that it cannot hinder employees’ mobility and use of experience and skills honestly acquired in the normal course of their employment. The TSA prevents from imposing provisions in employment contracts on trade secrets protection sole basis — such provisions must be covered by the law —, so employers should act under the umbrella of employees’ duty of good faith and loyalty when amending employment contracts for ensuring trade secrets protection. Regarding external partners and self-employed workers, non-disclosure agreements — with non-competition covenants — are of the essence to adequately protect trade secrets.
- Trade secrets may be assigned and licensed and can also be also co-owned. In this case, all co-owners must authorize any transaction over the trade secret —unless a court understands otherwise — but each co-owner can exploit it on his/her own, subject to prior notification to the other co-owners. Thus, for minimizing risks of loss, it is highly advisable to have clear rules set among co-owners for trade secrets exploitation.
- In case of trade secret infringement, several issues must be born in mind:
- Civil actions can be taken not only against trade secret infringer(s) but also against third party purchaser(s) in good faith — i.e., those who, at the time of the trade secret acquisition or use, did not know neither ought to have known that it had been obtained from a trade secret infringer —. This makes crucial to warn prospective employees and external collaborators — in writing, at the very beginning — against disclosing former employers’ trade secrets, in order to avoid harmful consequences for the company.
- Instead of filing an action for damages against third-party purchasers in good faith — which is not exercisable because it requires negligent or willful behavior — it is possible to request a pecuniary compensation up to the amount of royalties which would have been due, had the authorization been requested. In any case, having trade secrets pricing or licensing policies clearly defined and regularly applied will be of great help to have the amount granted at court — regardless the action —.
- The statute of limitations is three years since the trade secret holder becomes aware of the violation — i.e., half of the maximum period allowed by the European directive but also three times the one-year period granted by Spanish unfair competition rules before the TSA —.
- Filing trade secret(s) action(s) in an abusive way may entail fines up to a third of the amount in dispute, along with the dissemination of the ruling — with the corresponding reputational consequences for the company —.
With respect to data protection and privacy — aside from General Data Protection Regulation provisions — the DPA provides for several issues to be considered when doing business in Spain:
- Prior to any marketing campaign it is mandatory to verify if future recipients have included their data on what is termed a ‘Robinson list', so that advertising material shall not be sent to them — unless the company has their express consent to do so —.
- Personal data belonging to individual entrepreneurs or persons providing services for companies can be lawfully processed only for establishing professional contact, or for maintaining contact with the organization the data holder provides services for.
- The minimum age for consenting data protection processing is 14 years old — i.e., lower than the age of 16 years set forth in the General Data Protection Regulation —. This is especially relevant for companies operating online platforms, who shall implement mechanisms to avoid minors’ — unlawful — personal data processing.
- It is possible to anonymously report acts of noncompliance with laws and regulations through internal complaints channels — before the DPA anonymous complaints were not admitted —.
- Rules for employees’ privacy and intimacy protection are set in the DPA, so employers shall perform different actions — many of them along with worker’s representatives — to avoid being heavily fined. Among other actions, clear and objective criteria must be laid down regarding the use of company electronic devices. Employees’ right to intimacy must be respected, so monitoring activities by companies must be previously notified and can only be carried out within certain limits — such as granting employees’ new right to “digital switch-off” outside office hours —. Consequently, providing employees with an acceptable use policy and training them on data protection issues has become indispensable to running a fully compliant enterprise in Spain.