Abstract
Databases are at the center of business processes: from data brokers that market them to companies that collect production, customer, and supplier data to feed their CRM, pricing, and sales and distribution channels.
This information base is an underestimated intangible asset capable of generating competitive advantage and operational continuity. For that reason, protecting databases requires distinguishing among different forms of protection, including those specifically provided under Italian law ad hoc.
Database: the strategic asset at risk
Within a business, the database is part of the information base that makes it possible to manage price lists, pipelines, offers, customer history, and operating metrics, even when the business does not “sell data.” It is this structured set of information that determines speed of execution and forecasting capacity, more than reports or business plans scattered across repositories.
Under Italian law, a database is a collection of elements “arranged systematically or methodically” and individually accessible. Exclusive rights arise in the database as a whole as such—or in “parts” of it—but do not extend to the individual data, names, or contact details, which may remain free for use or protected by other rights.
It is easy to appreciate the concrete risk this asset faces when one considers how coveted it is by competitors. But the main risk is internal: shareholders, directors, managers, and employees are the parties for whom internal misappropriation is easiest because they have “natural” access to CRM systems and reports; and exfiltration can occur through exports, mass downloads, copies to private drives, or personal email accounts (wrongful conduct also discussed in this article: Corporate confidentiality: Employee duties and legal consequences, by Arlo Canella)
The tendency—even in litigation—is to frame the wrongdoing as an attack on corporate know-how under Article 98 of the Italian Industrial Property Code (Codice della Proprietà Industriale), but those strategies often fail because protection for confidential information requires a series of measures suitable to protect the information asset (Commercial Know-How: How to Protect It and Respond in the Event of “Theft”). Measures that must be adopted from the outset, but are often missing.
The result may be an inadequate litigation strategy and the disappearance of the expected protections and damages.
The database protected by copyright
Copyright protects databases when, by reason of the selection or arrangement of the material, they constitute an intellectual creation (Article 2, no. 9, of the Italian Copyright Law). The focus is the structure of the database and the rules used to create it: selection criteria, taxonomies, relationships among fields, and methods of organization and presentation.
Copyright protection is very strong protection: it arises without registration and without particular formalities other than the creation of the work itself. For that reason, the work—the database—must meet a very high threshold in this area: above all, creativity.
Obviously, creativity is not expressed in the data collected—which as such will rarely be capable of exclusive proprietary protection—or in the fanciful names given to files within the database. Creativity lies in choosing certain data, in selecting it, indexing it or dividing it into subclasses, and organizing it.
As in any copyright case, however, the creative character is subject to judicial assessment: the court will determine whether the compilation of the database was carried out mechanically, as a mere compilation, or whether the selection of the data and contacts was made with sufficient discernment to satisfy the statutory requirements.
But behind every collection and structure of a database there is an investment of time and money by the company, and that investment must be protected as such. For this reason, the legislature has provided an additional right, sui generis.
The sui generis database right
On the one hand, copyright presupposes originality; on the other, the sui generis right is designed to protect the result of a substantial investment, even when the database does not reach the creative threshold (Article 102-bis of the Italian Copyright Law).
The logic is to protect the investment in obtaining, verifying, or presenting the contents, rather than the creative “form”. In this way, the evidentiary burden is limited to proving, through objective data, the costs incurred and the investments made, without having to persuade the court of the creative originality expressed in producing the work.
Protection extends both to cases involving extraction of the entire database and to a substantial part of it. But the rules also capture “death by a thousand cuts” depletion.
Repeated and systematic extraction or re-use of insubstantial parts is not permitted when it entails acts contrary to the normal exploitation of the database or causes unjustified prejudice to the maker.
In business practice, this is the typical scenario involving people who have unrestricted access to the database: the sales employee who takes a screenshot of the CRM, the logistics employee who makes many small extractions from the data warehouse, or managers who replicate automated reports. A host of small acts that often come to light only when it is too late and the database has already been replicated by a former employee in a newco.
For that reason, legal analysis must be combined with technical proof: access traceability, export logs, API monitoring, and role governance, because that is where the line is drawn between lawful use and “industrial-scale” misappropriation.
But be careful: protecting also means enhancing value.
Protecting the database in order to give it value
The value of a database is often best appreciated through very concrete examples:
- CRM systems with a history of offers and actual terms;
- price and margin databases by area/customer;
- IoT datasets and predictive maintenance;
- supplier scoring and delivery performance;
- ticket history and recurring failures.
These assets enable better and faster decisions and can become monetizable or increase the company’s balance-sheet value, precisely because they are identifiable and under control.
Keeping them under control also—and above all—means monitoring them constantly, so as to prevent violations and, if they nonetheless occur, to act promptly with the proper evidence in court. It means maintaining access logs, adopting appropriate policies for database management and export, and implementing data and role governance capable of controlling who may access them.
After analyzing the scope of legal protectability, it is possible to proceed to a full economic valuation of the asset, much as one would for real property or a depreciable piece of machinery.
A valuation practice may combine methods based on profitability, costs, and empirical data; approaches based on discounting assumed royalties and on incremental income may also be used.
In this way, solidity can be given to an asset that is often overlooked.
Reviewed by: Pablo Lo Monaco Dominguez
Publication date: 13 April 2026
© Canella Camaiora S.t.A. S.r.l. - All rights reserved.
Textual reproduction of the article is permitted, even for commercial purposes, within the limit of 15% of its entirety, provided that the source is clearly indicated. In the case of online reproduction, a link to the original article must be included. Unauthorised reproduction or paraphrasing without indication of source will be prosecuted.
Gabriele Rossi
Laureato in giurisprudenza, con esperienza nella consulenza legale a imprese, enti e pubbliche amministrazioni.