Password
Passing on
in the Group.
Password
Passing on
in the Group.
from
Can the subsidiary simply use the parent company’s account for an expensive database if you are already working in a joint team? Or does this infringe the provider’s trade secrets? A recent decision by the Higher Regional Court of Nuremberg shows that the fun stops for the courts when it comes to passwords within a corporate group.
Trust is good, license is better
Specialized information systems are indispensable in the modern corporate world. But while IT departments around the world are trying to secure access to sensitive data, pragmatic but legally risky solutions often creep into everyday working life: Sharing access data with colleagues at affiliated companies. What appears to be efficient collaboration is often a costly breach of contract in legal terms and a violation of the protection of business secrets.
Just logged in briefly
An information system provider sells a database for health policy analyses. The licenses are exclusive and expensive, up to €12,000 per year for a small user group. A pharmaceutical company had acquired such a license. The catch: one employee passed on her personal access data to two colleagues who worked in the same project team but were formally employed by another subsidiary. For the pharmaceutical company, this was efficient teamwork; for the database operator, it was illegal access by third parties.
No pardon for password sharing
The OLG Nuremberg in its Reference decision of 09.09.2025 – Ref. 3 U 158/25 clearly sided with the operator and confirmed the first-instance conviction of the company.
The court found that the disclosure of the passwords constituted a clear infringement of the contractual agreements. Since the license terms explicitly stipulated that only employees in the direct employment of the licensee were entitled to access the software, colleagues from subsidiaries or sister companies were considered “third parties”.
Both the access data and the database itself are trade secrets, taking into account the established circumstances; the value and the secret nature of the contents result from the collection and structuring, which can only be achieved with considerable effort.
Interestingly, the court rejected claims under copyright law . As the passwords were only passed on to two people, the “publicity” required for copyright law was lacking. The database was also not reproduced in its essential part.
Instead, the leverage lay in the trade secret: as the provider had taken technical protective measures (individual logins), both the passwords and the structured data collection were protected secrets. Anyone who shares these without authorization is liable for injunctive relief, information and damages.
This is particularly bitter for the company: The provider’s right to information can even extend to periods of time that lie far before the actual infringement discovered if there is a suspicion of further “core-like” infringements.
Conclusion
The Nuremberg Higher Regional Court judges make it clear: a database is more than the sum of its (often public) information. Its structure and secure access can turn it into a trade secret.
Companies that pass on passwords to such databases without authorization risk not only the termination of the corresponding services, but also expensive claims for damages.
We are happy to
advise you about
KNow-How protection!
