A Warsaw-based technology company discovers that a former senior engineer has joined a direct competitor – and brought with him detailed product specifications, client lists, and internal pricing models. The company has no signed confidentiality agreement, no documented information-security policy, and no record of what was classified as confidential. The window for interim injunctive relief is closing fast.

Polish law protects trade secrets under the Act on Combating Unfair Competition, which transposes the EU Trade Secrets Directive into national law. A trade secret qualifies for protection only when three conditions are met simultaneously: the information has commercial value, it is not publicly known, and the holder has taken reasonable steps to keep it confidential. Failure to satisfy all three conditions forfeits legal protection entirely – even if the information was genuinely sensitive.

This alert explains what changed when the Directive's transposition took effect, which businesses are most exposed, and what concrete steps must be taken now to preserve enforceable rights. The structure follows the ALERT format: what changed, who is affected, and what to do immediately.

What did the EU Trade Secrets Directive change for Polish businesses?

The transposition of EU Directive 2016/943 into Polish law introduced a uniform, three-part definition of a trade secret that replaced the previous, narrower statutory language. The change matters because it raised the evidentiary threshold. Courts now require documented proof that the holder actively maintained confidentiality – not merely an assumption that sensitive data was treated as such. The deadline for full transposition passed in June 2018, meaning businesses that have not updated their internal frameworks since then are already operating with outdated protection.

The new framework aligns Polish law with standards applied across the EU single market. This is directly relevant for cross-border disputes: a Polish company seeking enforcement in Germany or the Netherlands must satisfy the same three-part test. For businesses operating across multiple jurisdictions – a common profile among clients advised by our IP protection strategy team working with Swiss tech companies in Poland – the harmonised definition creates both opportunity and risk. Opportunity, because a well-documented Polish trade secret programme is portable. Risk, because a gap in documentation invalidates protection everywhere simultaneously.

One underappreciated change concerns the definition of "reasonable steps." Polish courts have interpreted this to require a combination of contractual, organisational, and technical measures. A non-disclosure clause alone is insufficient. The holder must demonstrate a coherent system: access controls, classification policies, and employee training records. Companies relying solely on employment contracts with confidentiality clauses should treat this as an immediate red flag.

  • Confidentiality must be actively maintained – passive secrecy is not enough
  • Courts require documentary evidence of protective measures taken before the breach
  • The three-part test applies retroactively to information held before transposition
  • Cross-border enforcement depends on the same Polish documentation standards

Which companies face the highest exposure under current Polish rules?

Exposure is highest where information value is greatest and documentation is weakest. Technology companies, pharmaceutical firms, and financial institutions processing proprietary algorithms or client data carry the most concentrated risk. Under GDPR Poland rules, personal data processed as part of a trade secret – such as a client database – adds a second layer of liability. A breach that compromises both trade secrets and personal data can trigger parallel proceedings before the District Court and the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO), with fines reaching EUR 20 million or 4 percent of global annual turnover.

Foreign investors entering Poland face a specific gap. They often import internal IP policies drafted for their home jurisdiction without verifying compatibility with Polish evidentiary standards. We secured interim measures protecting proprietary software worth over PLN 8m for a technology client in the Mazowieckie region (spring 2025) – but only because the client had maintained a documented access-log system from day one. Without that log, the application for interim relief would have failed at the threshold stage.

Businesses subject to DORA compliance obligations – primarily financial entities and their critical ICT providers – face an additional dimension. DORA requires documented ICT risk management frameworks that overlap directly with trade secret protection requirements. A DORA-compliant ICT policy that maps information assets, classifies them by sensitivity, and records access controls simultaneously satisfies a significant portion of the "reasonable steps" requirement under Polish unfair competition law. Companies that have not yet integrated these frameworks are missing a compliance dividend worth capturing now.

The AI Act Poland obligations, which apply to providers and deployers of high-risk AI systems, introduce similar documentation requirements for training data and model architecture. Where that data constitutes a trade secret, the AI Act's transparency and record-keeping obligations can either support or undermine protection – depending on how the documentation is structured. IP lawyers in Warsaw are already seeing disputes where AI Act compliance disclosures have inadvertently placed proprietary model details in the public domain.

What immediate steps must businesses take to secure protection?

The most time-sensitive action is an information audit completed within 30 days. The audit must identify which assets meet the three-part statutory test, document the commercial value of each asset, and record the measures already in place. Assets that cannot be documented as confidential at the time of a future breach will not receive judicial protection – regardless of their actual sensitivity. This is the irreversible consequence that most businesses underestimate until it is too late.

We obtained a court order preventing a former employee from using client contact data for a professional services firm in Małopolska (winter 2025). The application succeeded because the firm had conducted an information audit six months earlier and could produce timestamped classification records. The court granted interim relief within 48 hours of the application. Without the audit trail, the same application would have required a full evidentiary hearing – adding weeks and allowing the competitor to consolidate its position.

For businesses with cross-border data flows, the interaction between trade secret protection and data transfer rules deserves specific attention. The legal mechanisms governing data transfers from Poland to the UAE illustrate how information classified as a trade secret in Poland may lose that status if transferred to a jurisdiction without equivalent protection standards. The transfer mechanism chosen – standard contractual clauses, binding corporate rules, or an adequacy decision – affects the enforceability of the secrecy obligation at the destination.

Immediate action checklist:

  • Complete an information asset audit within 30 days – document commercial value and existing controls
  • Update employment and contractor agreements to include explicit trade secret classification schedules
  • Implement technical access controls with timestamped logs for all classified information
  • Review DORA and AI Act documentation for overlap with trade secret protection requirements
  • Assess cross-border transfer mechanisms for information classified as a trade secret

Businesses exposed to sanctions-related information flows should also review their position. The EU sanctions framework's impact on Polish businesses creates scenarios where information about sanctioned counterparties may itself become subject to confidentiality obligations – or, conversely, where disclosure obligations under sanctions law override trade secret protection. The intersection is narrow but the consequences of misreading it are severe.

A specific note on trademark and trade secret overlap: where a brand element – a product name, a distinctive process label – is both a registered trademark and a trade secret, the protection regimes interact. Registration of a trademark at the Patent Office of the Republic of Poland (Urząd Patentowy Rzeczypospolitej Polskiej, UPRP) creates a public record that can extinguish trade secret status for that specific element. IP lawyers advising on brand protection must map this boundary explicitly before filing.

For a tailored strategy on trade secret protection and immediate risk assessment, reach out to info@kordeckipartners.com.

Frequently asked questions

Q: How long does a Polish court take to grant interim relief in a trade secret case?

A: A well-prepared application supported by documentary evidence of the three-part test can result in an interim order within 48 to 72 hours. Courts have discretion to act without hearing the opposing party where delay would cause irreversible harm. The quality of the documentation – particularly the pre-breach classification records – is the single most important factor in the timeline.

Q: Is a standard NDA sufficient to establish "reasonable steps" under Polish law?

A: No. This is the most common misconception among businesses entering Poland. A non-disclosure agreement is one element of a protection system, not a substitute for the whole. Polish courts require evidence of organisational measures (classification policies, training), technical measures (access controls, logs), and contractual measures working together. A standalone NDA without supporting infrastructure will not satisfy the statutory threshold.

Q: What is the cost of a trade secret audit for a mid-sized technology company?

A: The scope – and therefore cost – depends on the number of information assets, the complexity of existing IT infrastructure, and whether the audit is integrated with DORA or AI Act compliance work. A standalone audit for a company with 50 to 200 employees typically takes four to six weeks of legal and technical work. Integrating it with existing compliance programmes reduces duplication and overall cost materially.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to IP, technology law, AI regulation, and DORA compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.