It’s the fear of many companies: the fruit of your labour ending up in the hands of a competitor. The protection of know-how, intellectual property and commercially sensitive information is vital for success. We explain how to effectively protect these assets under Dutch law in 5 essential steps.

Intellectual property (IP) rights should be the first layer of protection around your intellectual capital. Intellectual property rights are ownership rights and include a wide range of rights, under which patent rights, copyrights, trademark rights, design rights, tradename rights, and database rights.

An essential insight in IP management is understanding that patents, while significant, should not be regarded as the sole or ultimate objective. While patents are often celebrated as key symbols of innovation and legal protection, a balanced perspective is crucial. Firstly, obtaining a patent can be a costly endeavour. According to the Netherlands Enterprise Agency (RVO), the process involves expenses ranging from €25,000 to €50,000, covering application, attorney, and examination fees. Secondly, articulating the uniqueness of your invention is a complex task. It requires a strategic balance in presenting your innovation, ensuring that it is distinctive yet not excessively narrow in scope.

A few additional important things to keep in mind regarding IP rights:

• Ideas are difficult to monopolise. Mere ideas are not suitable for protection by IP rights. Only the actual execution or elaboration of an idea can qualify for protection under IP rights.
  
• Not all IP rights require registration. Patent rights require registration. However, this does not mean that you do not own any IP rights just because nothing was ever registered. Several IP rights, such as copyrights, do not require registration and emerge at the moment a work is created. This could be something as simple as writing a few lines of source code. EU case law sets a low threshold for copyright protection, extending even to works in progress.
  
• IP rights are not homogenous. While IP rights are often treated as a whole, each type operates within its unique legal framework. Copyrights and tradename rights, for instance, do not require formal registration or formality, in contrast to trademarks or patents, which mandate it. Design rights can be either unregistered, with up to 3 years of protection, or registered, extending protection to 25 years. Furthermore, whether people might confuse one work with another (known as ‘likelihood of confusion’) is irrelevant in relation to copyright infringement. However, this element is crucial for trademarks and tradenames. Novelty (how new and unique something is) is a relevant requirement for copyrights, patents and design rights, but plays a minor role in trademark rights.
  
• Know where your IP rights are. Each type of IP right has its own specific creation requirements, which can lead to IP rights being unintentionally distributed among various legal entities and individuals within a company or group. For example, copyrights to valuable software code might inadvertently remain with individual founders or external software developers. This will not immediately lead to problems in day-to-day business as long as the relationship between relevant stakeholders is good. However, it could become problematic if a founder or external developer leaves the company, especially under contentious circumstances. Therefore, it is essential to understand where the IP rights within your company reside, and you may want to centralise them in one legal entity.
  
• Who pays does not necessarily own. If IP rights are created by an employee, the rights will vest with the employer by operation of law save for specific circumstances. Conversely, when IP is developed by freelancers or external service providers, such as for design, software, writing, brand identity, the IP will in principle vest with the external company, even though you paid for it. Exceptions may apply, but in general transfer of IP rights will explicitly need to be agreed upon in writing – for instance in the services contract.
  
• Your IP infrastructure matters in M&A. For a company to appeal to investors and potential acquirers, and to achieve a high valuation, it is important to assess which IP rights are material to the company, whether all these IP rights are actually owned by the company, and if not, how this can be resolved.

While IP rights can cover much of a company’s data and know-how, they may also leave a wide range of potentially valuable trade secrets unprotected. Consider Coca Cola’s recipe: a meticulously guarded trade secret with enormous value but unprotected by IP law.

The Trade Secrets Act
Instead of protecting the information itself, like IP rights do, the Dutch Trade Secrets Act, which is the Dutch implementation of the EU Trade Secrets Directive (2016/943), protects the entrepreneur’s good faith commercial efforts to maintain confidentiality, provided that the entrepreneur has taken reasonable measures to ensure confidentiality.

The Trade Secrets Act protects against the acquisition, use, or disclosure of your trade secrets without your consent. You will have to tolerate the use and disclosure of trade secrets if someone else independently discovers or creates the same information or if the trade secret is discovered by way of reverse engineering.

Information or know-how is a trade secret if it ticks three boxes:

• The information, taken as a whole or in the precise composition, must be secret. This means that you have not shared the information with the outside world. 
• The information has commercial value because it is secret. 
• You have taken all the reasonable steps that could be expected of you to keep the information secret. This is the tricky part because it requires quite some effort. First, you will need to make sure that all relevant employees, suppliers, and external service providers are bound by confidentiality. Second, it is expected that you take organizational and technical measures to safeguard secrecy.

We will discuss confidentiality in employment relationships in Step 3. Technical measures will be discussed in Step 4.

NDAs and confidentiality clauses in B2B contracts
One of the conditions for enforcing your rights under the Trade Secrets Act is that you have taken reasonable action to protect trade secrets against unauthorized use or distribution. In B2B contractual relationships, the primary legal instrument for protecting such information is a Non-Disclosure Agreement (NDA) during the negotiation phase and the confidentiality clause in the negotiated commercial contract.

• Pre-contractual negotiation: NDA
  NDAs are standalone legal documents that outline the terms of confidentiality, including the scope of the confidential information and the duration of the obligation. These documents are typically used during the initial stages of negotiations between two parties. One-sided NDAs are used when only one party shares confidential information, with the other party agreeing to maintain its confidentiality, such as during the presentation of a novel product. In contrast, two-sided NDAs are used when both parties exchange confidential information, with each committing to its confidentiality, typical in scenarios like exploring a potential joint venture. An NDA provides independent and enforceable legal protection against the disclosure of confidential company information even if the negotiations do not result in a partnership. 
  
• Partnership agreement: confidentiality clause
  Once you decide to work together, a confidentiality clause in the commercial contract obliges the parties to keep specific information confidential. Typically, this clause is included in a broader agreement, such as a partnership, supply, or development agreement.

Content of the NDA/confidentiality clause
Under Dutch law, both confidentiality clauses and NDAs are commonly used. It’s essential to carefully include specific details and obligations to protect the confidential information. To craft an effective NDA, certain key elements should be included:

• Define ‘confidential information’. This seems obvious but requires quite some attention. The definition should be broad enough to cover all information that the parties wish to keep confidential, yet specific enough to prevent any misunderstandings about what information falls under the agreement.
  
• Determine how confidential information must be handled. For instance, define how confidential information will be stored, distributed and destroyed. You can also limit the group of recipients and stipulate under which circumstances information can be shared with outside parties, such as a regulator, court, or government authority. Include when and under what circumstances confidentiality obligations expire.
  
• Determine the consequence of a breach. In the absence of specific arrangements, the default statutory regulations for breach of contract under Dutch law will apply. This typically involves termination of the contract and potential claims for damages. However, given the practical challenges in quantifying the actual damages suffered from a breach of confidentiality, it is often advisable to include a contractual penalty clause. This clause would impose a predetermined fine on the breaching party, irrespective of the actual damages incurred, which can still be claimed separately if explicitly outlined in the contract.
  

Sooner or later, people will leave your organization. They will take valuable knowledge about your technology or business model with them. Incorporating specific clauses in employment contracts can help protect against that knowledge being used by competitors. These agreements form an important next layer of protection against both intentional and unintentional transfer of company know-how to competitors.

Confidentiality clause
A confidentiality clause in your employment agreements is required for successful redress under the Trade Secrets Act (see Step 2). Similar requirements apply: the confidentiality clause should include a definition of confidential information, how the information should be handled, and may include penalties for breaches.

Documents clause
A variation on the confidentiality clause is a so-named documents clause. This stipulates that employees can only keep company documents under possession for business reasons and must return or discard them immediately thereafter. Any copying or downloading of company documents during a holiday or after termination of employment, constitutes a breach of this clause, regardless of the use of the information.

Non-compete clause
A mere confidentiality clause might not be enough to fully protect your company know-how, as monitoring former employees who join a competitor, supplier or other business relation is challenging.

For this reason, including a non-compete clause in key staff contracts is advisable. This clause restricts employees from working with or for a competitor, and sometimes suppliers and business partners, for a limited period post-employment.

While common in the Netherlands, non-compete clauses must be drafted carefully, balancing the company’s need to protect its know-how and the employee’s right to work freely.

Key considerations in drafting non-compete clauses include:

• Make sure to get that signature. A non-compete clause must be agreed upon in writing, preferably, in the employment contract, with an old-fashioned wet-ink signature. A non-compete clause hidden away in a staff handbook, or a side letter may not be valid without a signature.
• Explain your business interests. For fixed-term contracts, the clause must explicitly state the company’s substantial competitive interests. Without this, the non-compete will be void and remains so even after the contract’s indefinite renewal. You think you’re well-protected, but instead you’ll be left with empty hands. The government has announced legislation that will make such explanation mandatory also in indefinite term agreements.
• Make sure the non-compete covers all your competition, now and in the future. Avoid limiting the clause to current competitors only; include potential future competition to ensure relevance.
• But: don’t overdo it. An example: your company develops AI-driven accountancy software and the non-compete prohibits the employee from working in the fields of AI, accountancy, or software ever again. This will not hold up in court. Narrow it down to your actual competition.
• Apply it for the right reasons Imagine your company develops car batteries and your key engineer announces a career switch to an e-bike battery manufacturer. While it’s tempting to invoke the non-compete clause to prevent the cherished talent from leaving, it’s not what a non-compete can be used for. Non-compete agreements should be enforced to safeguard your company’s vital competitive interests. In this case, your engineer’s move to the e-bike industry doesn’t necessarily threaten your business. Consider alternative incentives to keep them on board rather than relying on a non-compete clause.

Penalties
The employment agreement can impose a penalty for violating the obligations described under this Step 3. The purpose of the penalty is twofold. Firstly, it allows for financial compensation without having to demonstrate damages and causation. Secondly, it acts as a deterrent to employees who might assume you will not go through the trouble of court proceedings to prevent them from joining a competitor or breaching confidentiality agreements. Importantly, the collection of a penalty does not prevent you from simultaneously taking legal action to stop the infringement.

Congratulations on getting your paperwork in order! However, there’s more to do: implementing physical and digital security measures is essential for protecting your sensitive information. Focus on two main goals: securing your data and monitoring how it’s handled within your company. Keep the GDPR in mind, some employee-focused security measures require GDPR-compliance steps.

Physical and digital security measures
From a cybersecurity perspective, it may be challenging to prevent employees from unauthorized access to or disclosure of trade secrets, particularly if they have access to sensitive information in their day-to-day job. Here are several key security measures commonly adopted by companies to mitigate these risks:

• Access control. Limit access to sensitive information to only those who need it for their work. Implementing passwords, two factor authentication, VPNs and other security measures help in controlling access. Virtual access controls, like those of offered by Citrix, Zscaler, Fortinet and F5, can be effective. 
  
• Data loss prevention (DLP). Use DLP strategies to prevent unauthorized data transfer. Monitoring and controlling the movement of sensitive information outside the company network can prevent leaks via email, USBs, or cloud services. 
  
• Access logs review. Regularly check access logs for signs of unauthorized entry to sensitive areas. Look for red flags like access during non-business hours, from an unusual location or abnormal data transfers, in file size/or in numbers of files. Document management systems such as iManage and NetDocuments and cloud cooperation solutions such as Google Drive often have activity logging as a standard or optional feature. For more high risk cases, implement real-time access log reviews.
  
• Employee training. Educate your team on the significance of safeguarding trade secrets and the repercussions of unauthorized access or disclosure. Training should encompass information security best practices, including password management, phishing awareness and clean desk policies. 
  
• Evaluate regularly. Continually reassess your security systems and keep up with new technology developments. Keeping your systems current not only enhances security but also discourages employees with bad intentions.

Note: implement security measures within the boundaries of the GDPR
Certain security measures, such as methods like DLP and access log reviews (see above) involve the monitoring of employees’ digital behaviour. Although such measures have become more common in many workplaces, they involve legal risks, especially from a privacy-perspective. 

When conducting employee monitoring activities, it is essential to comply with the European Union's General Data Protection Regulation (GDPR). The GDPR governs the processing of personal data within the EU and imposes strict requirements on employee monitoring, as it is considered an intrusive measure affecting employees’ right to privacy.

Key considerations for GDPR-compliant employee monitoring to prevent theft or leaking of trade secrets include:

• Perform a Data Protection Impact Assessment (DPIA). Prior to implementing a monitoring system, a DPIA is required to assess GDPR-compliance as well as the risks to the rights of the employees, and whether any actions can be taken to mitigate or reduce the scale and impact of the monitoring. An important aspect of the DPIA is to ensure the monitoring is limited to what is strictly necessary for the purpose of protecting trade secrets. For example, preventive monitoring of the e-mail content of specific employees is not proportionate if the same result can be achieved by limiting the logging to suspicious traffic data on an aggregated basis. Only in the event of a specific pre-defined trigger, individual monitoring may be considered necessary. Moreover, blocking (prevention) is often considered more proportionate than monitoring (detection). To get a complete picture of the monitoring activity, ensure to align the DPIA with the right business-stakeholders, such as the privacy, legal, security and HR departments. 
• Employees have a right to privacy, also at work. The basic premise is that employees’ privacy is protected also in the workplace, and any limitation on that right to privacy must be justified by reasonable business interests. Moreover, monitoring of private emails is considered utmost intrusive and should be avoided as much as possible.
• Inform your employees. Inform employees in advance about the monitoring, either through a readily accessible, clear and accurate acceptable use and monitoring policy, a code of conduct, or another specific policy. Such document should outline the permissible use of your companies' assets, the specific reasons and purposes for monitoring, the safeguards to protect employee privacy, the consequences and procedures following any violation by employees and the opportunities for employees to respond to claims against them. Additionally, in the case of possible trade secrets theft, it is practical to immediately prompt information to employees warning them of their potential misconduct (i.e. by a pop-up informing employees on detected and unauthorized sending of confidential documents to an external e-mail address). Lastly, reinforce awareness by periodically reminding employees about existing policies in place to protect company know-how.
• Not everybody needs to know. Ensure that only a well-defined and select group of individuals has access to employee data collected through the monitoring (access on a need-to-know basis). The more private the data, the more carefully it should be handled. Access should be based on checks and balances, including through HR and the legal or privacy team. Smaller organisations should work with effective chinese walls.
• Discard personal data after use. Personal data collected during monitoring should be kept only as long as necessary. If it’s found to be irrelevant for the purpose of protecting trade secrets, it should immediately be discarded. 
• Don’t forget the works council. Your works council should be involved and most of the time give prior consent for the implementation, amendment, or termination of any employee monitoring system. This consultation can help gather insights from employees and build support for protecting company know how.
  

Actions against competitors or (former) business partners: IP enforcement
In the realm of IP enforcement, you have several options to protect your assets. This involves taking legal action against any entity that infringes upon your IP rights. The scope of these actions can range from cease-and-desist orders to pursuing litigations for infringement. The key is to identify the infringement promptly and respond decisively, utilizing the full extent of IP law to safeguard your interests. This could include filing for injunctions, seeking damages, and enforcing any IP agreements or licenses that have been violated.

Actions against competitors or (former) business partners: Trade Secrets Act
If you believe that your trade secrets have unlawfully been used or distributed, there are three options of redress under the Trade Secrets Act, which can be pursued simultaneously, consecutively, or selectively. Each option requires a prior court order.

You can prohibit someone who unlawfully acquired your trade secrets to use or disclose the trade secrets or to design, produce or market goods based on those trade secrets. A court may also order a recall of products, destruction of documentation or data with your trade secrets, or a public admission of their unlawful use.
You can seize infringing products to prevent their market entry.

A cautionary note: enforcing your rights in court proceedings under the Trade Secrets Act may require you to further disclose the trade secrets to the court and to the other party or parties. After all, you will need to prove that the information is indeed a trade secret and that it was unlawfully obtained, used, or disclosed. Also, this information may end up being used in the judgment. This means that you may end up in a tighter spot than before. Against this background, additional measures to safeguard confidentiality have been introduced in the proceedings. These may include the use of confidentiality clubs, where only a limited group of people (such as lawyers and experts) are granted access to the confidential information. Additionally, courts can issue confidentiality orders and conduct parts of the proceedings in a closed setting to prevent disclosure.

Actions against (former) employees
The intentional distribution of confidential company information can be a ground for (immediate) dismissal and is also a criminal offense punishable by up to six months of imprisonment.

In addition, you can bring a claim before a civil court for breach of a confidentiality or a non-compete obligation. Your claim can consist of the following elements:

• An order to cease the infringement immediately, subject to a court-ordered penalty.
• A prohibition to further work for the competitor or business relation or to use or distribute the confidential information.
• An order to return or destroy confidential documents in the employee’s possession.
• An order to disclose all individuals with whom the confidential information was shared, in preparation of actions against such third parties.
• Enforcement of a contractual penalty, if included in the employment agreement
  

Unfair competition claims
As a last resort, if you are completely left unprotected by IP law, the Trade Secrets Act, NDAs or non-compete clauses, you can assert your rights through an unfair competition lawsuit. This involves arguing in court that a former employee or competitor has illegally obtained, used, or disclosed confidential information and you suffer damages as a result. The court’s assessment is rigorous, focusing on the legality of the actions, the confidentiality of the information, the harm caused and the parties’ conduct. The court may impose restrictions on the further use of the information and/or award damages. However, an unfair competition claim should be seen as a final option, not a primary strategy. Instead, implementing the previously discussed measures can greatly improve your chance of success in court.