Labour law Technology- & IT-Law

Who owns customer data and contacts under German law?

“Who owns the customer data?” – a question that is not as modern as it seems at first glance. However, it can be seen that the question has become massively more acute in this day and age.

Where once there might have been a customer file on the desk or recorded in a central registry, today there are immediate contacts in personal networks such as LinkedIn and data storage on smartphones. Theoretically, it is conceivable that an employee or subcontractor could end the business relationship overnight – and have access to all important customer data without entering the office again.

A problem that is still underestimated – especially also in terms of criminal law, as our everyday life shows. Because increasingly, employees are confronted with the accusation of having “stolen” customer data.

Protect your customer data.

On the positive side, companies are becoming increasingly aware of this. More and more often, I’m tasked with drafting contractual agreements that ensure that, in individual cases, you don’t have to watch your own customer data being dug up or walking out the office door. But it can only be said clearly in advance: Protect your customer data! Do not underestimate the problem, which in my experience does not only affect “larger companies”, but also small and medium-sized enterprises.

Customer data are trade secrets

It should come as no surprise that customer data are classified as trade secrets. The Regional Court of Cologne (31 O 678/09) put it succinctly a few years ago:

The (…) listed data constitute business and trade secrets within the meaning of Section 17 (2) UWG. According to this, any fact related to a business which is not obvious but only known to a narrowly defined group of persons constitutes a business and trade secret if the fact is to be kept secret according to the expressed will of the business owner based on economic interests. Customer data of a company are business and trade secrets if they concern customers with whom a business relationship already exists and they are therefore already possible future customers of the product offered. (cf. BGH, Judgment of February 26, 2009, Case No. I ZR 28/06).

This decision was made before the creation of the Business Secrets Protection Act, which imposes further requirements. The Düsseldorf Regional Labor Court (12 SaGa 4/20, here at our website) has commented on this in an instructive manner, which nicely sums up the essential principles.

Thus, the LAG also clarified that, even since the GeschGehG came into force, customer data is (of course) just as much a trade secret as sales volumes. However, according to the GeschGehG, the necessity of appropriate confidentiality measures applies. Without these, a trade secret does not exist – since the GeschGehG came into force, the focus has therefore been on the question of whether appropriate confidentiality measures can be assumed in relation to the employee.

Such measures may also exist if contractual agreements have been made between the employer and the employee, whether before, during or even after the establishment of an employment relationship. An agreement that attempts to establish all matters and processes that become known in the course of employment as being subject to secrecy is not sufficient in this respect.

The qualification as a trade secret has tangible legal consequences: This is where the protection of secrets comes into play, which not only provides for injunctive relief, but also gives rise to criminal liability if such data is stolen.

Customer theft: forms of appearance.

We are all familiar with the press reports about large companies where someone copied customer data with a USB stick. Smaller companies do not think about such a thing in view of the scenario described. The following randomly selected examples from my practice are intended to illustrate how immense the problem has become:

  • Example fitness club: An employee on a mini-job basis, who was active in the area of personal customer care, leaves the company and switches to a competing company in the same region. This suddenly offers a special offer for “changers”, while the employee writes to the customers and points out his change. .
  • Example software manufacturer and construction industry: A general contractor employs subcontractors. The general contractor takes care of the processing and passes on the orders for execution to the subcontractors, who naturally come into direct contact with the customer. Now the subcontractor appeals to the customers that they can save X percent if they hire the subcontractor directly.
  • Example advertising agency I: The previous employee leaves – and with him only 2 of 50 customers, but the 2 customers accounted for 20% of sales.
  • Example advertising agency II: A new employee comes with new customer data, after 1 year they part – and the employee wants to take his customers with him again. Of course, nothing was agreed upon in the contract, because we liked each other at the beginning of the employment.

And then of course the classic, which you read about a lot, but which I have not yet had in practice: An employee has all of the company’s customers as contacts in his LinkedIn profile, and after termination they argue about the profile.

What is generally allowed when using customer data?

In short: Anyone who handles customer data without permission may be liable to prosecution under §17 UWG or §§43 II No.1, 44 BDSG. In addition, the unauthorized use of customer data may constitute a violation of competition law, if necessary not only with regard to the former employee but also with regard to the company for which he works. But not every taking away is a violation!

The German Federal Court of Justice (I ZR 47/61, I ZR 2/97, I ZR 153/99 and I ZR 28/06) has ruled that an employee may use knowledge acquired during the period of employment without restriction even at a later date, provided that the employee is not subject to a non-competition clause – but only for information that is

  • he preserved in his memory or,
  • which he can access on the basis of other sources to which he has authorized access.

However, the latter does not apply to information that is still known only because (private) written records are used that were made during the period of employment (BGH, I ZR 119/00). This also applies to electronic records, for example if a file is available on the private laptop (BGH, I ZR 126/03). With the BGH it is thus to be seen that just customer lists have a special secret content (BGH, I ZR 126/03) and the employee may not fall back even on private records to act here to the detriment of its former employer.

The insight at this point: The BGH – rightly – doesn’t care whether the data originates from private notes, ultimately it is data of such importance that no consideration is given to it. Especially since the origin of the data is ultimately the business relationship with the employer anyway, this is not softened by writing it down on one’s private notepad. The discussions regarding the question of whether it was a private or business LinkedIn account in which the data is stored are therefore invalid for me, since the person concerned must hand over the data in any case and may not use it. Of course, you don’t have to hand over the access data to your LinkedIn account, but then just an export list (cleansed of contacts that do not belong to it).

Property rights at a glance

We advise on all aspects of intellectual property rights, especially trade secrets, copyright, competition law and trademark law – supporting companies in the enforcement and defense of their intellectual property rights, specifically in the protection of technologies such as software.


By the UrhG own creations are protected (no ideas)

  • Protection of works
  • personal intellectual creation
  • Protection of concrete expression, but no protection against parallel creations

Trademark law

Protection of marks used to distinguish goods or services.

  • Protection of the distinctive function of signs
  • Distinction is necessary.
  • Protection against unauthorized use of the trademark


Protection of external appearance, primarily under design law, but also under competition law

  • 2D/3D shape of an object or a part of it or its decoration is protected
  • Indigeneity and novelty of the design are necessary.
  • Protection of the exclusive right of use including manufacturing and placing on the market
  • In the UWG according to §4 No.3 UWG.

Secret protection

Protecting valuable information of an operation.

  • Protection of information with value that is not generally known
  • Necessary are economic value, protective measures and legitimate interest
  • Protection against unauthorized dissemination or obtaining of the information


protecting technical innovation.

  • Protection of an invention
  • There must be both an “invention” in the legal sense but also as a novelty
  • Comprehensive protection against any use

Example: Interim injunction of the Regional Court of Cologne against a commercial agent

The Cologne Regional Court (31 O 678/09) also has information on this topic – a temporary injunction was successfully applied for here:

The defendant also procured the business and trade secret without authorization within the meaning of Sec. 17 (2) No. 2 UWG. The Federal Court of Justice has stated the following in this regard:

“It is true that an employee who has left the company may use the knowledge acquired during the period of employment without restriction at a later date if he is not subject to a non-competition clause (see BGHZ 38, 391, 396 – Industrieböden; BGH, Urt. v. 3.5.2001 – I ZR 153/99, GRUR 2002, 91, 92 = WRP 2001, 1174 – Spritzgießwerkzeuge). However, this only applies to information which he retains in his memory (BGH, Urt. v. 14.1.1999 – I ZR 2/97, GRUR 1999, 934, 935 = WRP 1999, 912 – Weinberater) or which he can access on the basis of other sources to which he has authorized access. The right to use acquired knowledge after termination of the employment relationship also to the detriment of the former employer, on the other hand, does not refer to information which is still known to the employee who has left the company only because he can fall back on written documents which he prepared during the period of employment (BGH, Urt. v. 19.12.2002 – I ZR 119/00, GRUR 2003, 453, 454 = WRP 2003, 642 – Verwertung von Kundenlisten). If such written documents – for example in the form of private records or in the form of a file stored on a private notebook – are available to the employee who has left the company and if he extracts a trade secret of his former employer from them, he thereby procures this trade secret without authorization within the meaning of Section 17 (2) No. 2 UWG (BGH GRUR 2006, 1004 para. 14 – Kundendatenprogramm, with further references).

Such a prohibition of exploitation with regard to trade and business secrets is subject not only to employed commercial agents within the meaning of § 84 (2) HGB, but also to commercial agents who exercise a self-employed activity (§ 84 (1) sentence 2 HGB). Pursuant to § 90 HGB, the (self-employed) commercial agent may not exploit or disclose to others business and trade secrets entrusted to him or which have become known to him as such through his work for the principal, even after termination of the contractual relationship, insofar as this would contradict the professional view of a prudent businessman according to the overall circumstances. (…) The prohibition of exploitation according to § 90 HGB basically concerns all business and trade secrets that have become known to the exiting commercial agent during the contractual relationship. (…)”

The problem of the burden of proof should not be underestimated, as an example from 2002 shows: A commercial agent is entitled to injunctive relief for the exploitation of any customer data if, after leaving the company, he exploits customer lists of his former company which he has obtained without authorization. This was decided in the case of the owner of a wine shop who used to work as a commercial agent for a distribution company for wines and spirits. In a preliminary investigation by the public prosecutor’s office, customer lists of the distribution company were found in his business premises. Claiming that the wine merchant was exploiting these customer lists, the distribution company sued the latter for injunctive relief.

The Saarbrücken Higher Regional Court (OLG) pointed out that the commercial agent is prohibited from exploiting records from the customer file of his former company in competition. In the present case, however, actual exploitation or imminent exploitation had not been proven. The OLG therefore rejected the injunctive relief as follows: The exploitation of customer data goes beyond “mere knowledge”. It requires economic use for the purpose of generating profit or reducing costs. This presupposes that the customer data was fed into the company’s own customer list or that concrete contacts were initiated with the customers to conclude transactions. The sales company was unable to prove this to the commercial agent (OLG Saarbrücken, judgment dated July 24, 2002).

And what about the release?

If the employee does not use the customer data once – but on the other hand squats on it and does not hand it over extensively, does one have to put up with that? With the BGH (I ZR 294/90) probably also not, in any case with commercial agents he saw it as a core element of the contractual settlement that he has to hand over the data at termination. I see it in the same way for employees: they have to return work equipment etc. to the employer upon termination of the employment relationship, including existing customer data. The fact that the data may be stored on a private laptop or in a private LinkedIn account does not hurt (see above).

Judgement: XING contacts are trade secrets.

It should then come as no surprise that the Hamburg Labor Court (29 Ga 2/13) has ruled that XING contacts qualify as trade secrets under Section 17 II of the German Unfair Competition Act (XING is a German business network that was at least once comparable to LinkedIn). Anyone who, as a former employee, obtains or secures this data without authorization and then acts selfishly with it can be sued for injunctive relief. But: This is not a foregone conclusion! In Hamburg, the employer was ultimately defeated because it was unable to prove that the contacts in dispute arose in the course of the former employee’s business activities. If, for example, private contacts are made, perhaps also occasionally – but not on the occasion of! – of a business activity, these are not necessarily protected customer data. The details make the difference.

What companies do most wisely…

… is a clear contractual agreement. Anything else is simply stupid. In this respect, one can contractually include confidentiality obligations, protective measures such as insurances and competition protection/competition clauses, and then garnish this with contractual penalty clauses if necessary. When dealing with employees, it is advisable to regulate everything clearly before a dispute arises in order to protect both sides. Separate from the legal considerations above, you can contractually agree that there is a business and a private LinkedIn account, whereby customer contacts are only permitted via the business account. Particularly in the case of employees, the problem will quickly arise of formulating the agreements made in accordance with the law on general terms and conditions. Here, not everything that is desired can be seamlessly adopted as a GTC, just as excessive contractual penalties will not last long with employees. What is required here is a consideration of the individual case, whereby §90a of the German Commercial Code (HGB) must be observed in the case of commercial agents, including the above decision of the Federal Court of Justice (BGH).

German Lawyer at Law Firm Ferner Alsdorf
I am a specialist lawyer for criminal law + specialist lawyer for IT law and dedicate myself professionally entirely to criminal defence and IT law, especially software law. Before becoming a lawyer, I was a software developer. I am an author in a renowned commentary on the German Code of Criminal Procedure (StPO) as well as in professional journals.

Our law firm specialises in criminal defence, white-collar crime and IT law / technology law. Note our activity in digital evidence in IT security and software law.
German Lawyer Jens Ferner (Criminal Defense & IT-Law)