The European Patent Office ("EPO") is committed to ensuring that it observes the fundamental rights of natural persons ("data subjects") to privacy and to the protection of their personal data processed by it when performing its tasks and providing its services.
The EPO is an international organisation established by the European Patent Convention (EPC) and, as such, is not subject to EU Regulation 2016/679 - General Data Protection Regulation (GDPR). On 29 June 2021, it adopted a new data protection framework which is in line with best practices at European and international level. The Data Protection Rules (DPR) are the core of this new framework.
All personal data collected or managed by the EPO is processed in accordance with the Data Protection Rules, which aim to ensure that the EPO's handling of data subjects' information meets the highest standards. Processing operations carried out by the Administrative Council of the European Patent Organisation do not fall under these Rules. Additionally, Articles 49 to 52 DPR do not apply to the processing of personal data by the EPO Boards of Appeal in their judicial capacity.
Article 32 DPR requires the EPO to keep a register with its records of processing activities. Entries to this register will be progressively introduced within the six months of the entry into force of the DPR. Records involving personal data of external data subjects are publicly accessible on the EPO website. External data subjects can consult these records to learn more about how the EPO processes their personal data.
The EPO's Data Protection Officer independently monitors the internal application of and compliance with the Data Protection Rules with respect to all processing operations carried out by the EPO. The EPO President has also appointed a Data Protection Board, which is mandated with an oversight and advisory function and has a role in the legal redress mechanism (Article 47 DPR).
This data protection and privacy policy ("policy") explains how personal data collected by the EPO is processed.
Personal data means any information relating to any identified or identifiable natural person (also referred to as "data subject" or "individual"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity; personal data which have undergone pseudonymisation but could still be attributed to a natural person by the use of additional information are to be considered to be information relating to an identifiable natural person.
We classify personal data in two categories:
For more information on the categories of personal data processed during patent-grant and related proceedings, see the Memorandum on the use of personal data in the patent granting procedure (PGP), published in the December 2021 issue of the Official Journal of the EPO.
We also collect personal data when providing our services. Personal data collected are adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed.
"Processing" of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, storage, use, disclosure or erasure.
When you interact with the EPO, your personal data are collected for specific, explicit and legitimate purpose(s) and not further processed in a manner that is incompatible with the purpose(s) for which they were collected.
Our processing of personal data must follow a number of principles. These include that the processing must be lawful, fair and transparent to the data subject and ensure appropriate security of the personal data.
The purposes for which personal data are processed are set out in the relevant data protection statements and records made available to data subjects.
You can find additional information about the processing of personal data for specific purposes below:
The EPO's processing operations are based on Article 5 DPR, which provides that we can collect personal data:
Except where published in the European Patent Register (under Article 127 and Rule 143 EPC and the related decision of the President), your personal data are not made available to the public unless you have given your express consent.
Personal data may be accessed, disseminated and processed only on a strict need-to-know basis, by the authorised EPO staff and third-party service providers. Personal data are not disclosed to any other recipients. For more information on how we protect and safeguard your personal data, see point e. below.
We take appropriate technical and organisational measures to safeguard and protect personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.
All personal data processed on systems hosted on the EPO premises are stored in secure IT applications in accordance with the security standards of EPO, which include the following measures:
For personal data processed on systems not hosted on the EPO premises, the providers processing the personal data have committed in a binding agreement to comply with their data protection obligations stemming from the applicable data protection legal frameworks. The EPO has also carried out a privacy and security risk assessment. These systems are required to have implemented appropriate technical and organisational measures such as: physical security measures, access and storage control measures, securing data at rest (e.g. by encryption); user, transmission and input control measures (e.g. network firewalls, network intrusion detection system (IDS), network intrusion protection system (IPS), audit logging); conveyance control measures (e.g. securing data in transit by encryption).
Personal data kept in a form which permits identification of data subjects will be stored only for the time needed to achieve the purposes for which it is processed.
In the case of personal data processed pursuant to Rule 143 EPC and the related decision of the President, the EPO is legally obliged to keep them indefinitely. Otherwise, specific retention periods are established for each specific processing of personal data.
For more information, data subjects may refer to the specific data protection statement or data protection record.
The EPO uses social media to communicate its work and better engage with the public. We are on Facebook, Twitter, LinkedIn, Xing and YouTube and we encourage all individuals to share our content and take part in our discussions!
Our website uses social plug-ins of Facebook, Twitter, LinkedIn, Xing and YouTube ("social media providers"). If you are logged into your social network account with one of those social media providers when you visit the website, the social media provider might assign your visit to their network account. If you use the functions of the social plug-ins, this information will also be transmitted directly from your browser to the social media provider and may be stored there.
Each social media provider has its own policy on how it processes your personal data when you access its website. We therefore encourage you to refer to the various providers' privacy policies for more information on the purposes and scope of their processing of the personal data:
The EPO has always aimed to keep our data protection framework in line with the latest developments and best practices, and we will also update this policy accordingly. We therefore encourage you to consult it regularly.
A "cookie" is a small piece of data that a website stores on the data subject's computer or mobile device.
Strictly necessary cookies. We use cookies that are necessary for site usability and security. These cookies do not gather information about data subjects and they will not be used for marketing purposes or to collect information about your browsing experience or preferences. They are set by default and cannot be disabled.
Analytical cookies. We use cookies to understand your preferences and track usage trends. We may collect data about your browsing experience, such as IP address, location, IP provider (if available), browser type, operating system, language and screen size, the visited pages and the time and date of the visits.
We use this information to gather aggregated and anonymous statistics with a view to improving our services and your experience. The data are collected, aggregated and anonymised in our datacentre under adequate security measures.
The audio-visual content displayed on our website is hosted on and processed by YouTube. By watching it, you accept YouTube's specific terms and conditions, including its cookies policy, which we have no control over.
You can manage/delete cookies as you see fit. You can find out more about how to do this at aboutcookies.org.
You can delete all cookies currently on your device by clearing your browsing history. This will remove all cookies from the websites you have visited.
You can learn more about how to manage site-specific cookies by looking at the privacy and cookie settings of your browser.
You can select the Do Not Track (DNT) option in your web browser to prevent, as much as possible, cookies being placed on your device. However, some preferences may need to be adjusted every time you visit a site or page as some services and functionalities may not work properly.
If the DNT option is enabled in your browser, we will respect your choice and will not track your browsing experience on our website for our anonymised statistics. You can find instructions on how to activate the DNT option in some popular browsers below:
The infographic below is designed to give a clear and simple overview of your rights under the EPO Data Protection Rules, how to exercise them and what redress mechanisms are available. For more detailed information, we recommended that you also refer to the full explanations in the next sections.
As a data subject, you have the following rights under the EPO Data Protection Rules:
|
Data subjects' rights |
Description |
|
Right to information (Articles 16 and 17 DPR) |
Where personal data has not been obtained from the data subjects, the controller shall, at the time when personal data is obtained, provide data subjects with information on the categories of personal data concerned and the source of the personal data and, if applicable, whether it came from publicly accessible sources. |
|
Right of access (Article 18 DPR) |
Data subjects have the right to request confirmation as to whether or not their personal data is being processed, and, if so, to access the personal data easily and at reasonable intervals, to understand which data about them is processed, to verify the quality of their personal data, to verify the lawfulness of the processing and to exercise their other rights. |
|
Right to rectification (Article 19 DPR): |
Data subjects have the right to request the correction of inaccurate personal data concerning them. |
|
Right to erasure (Article 20 DPR) |
Data subjects have the right to request the erasure of their personal data under certain circumstances, e.g. if their personal data is no longer necessary for the purposes for which it was collected or if their personal data has been unlawfully processed. |
|
Right to restriction of processing (Article 21 DPR) |
Data subjects have the right to obtain from the EPO the restriction of processing of their personal data if the data is inaccurate, the EPO no longer needs it for the purposes of processing or the processing is unlawful, or, where they have already objected to processing, pending verification of their objection. |
|
Right to data portability (Article 22 DPR) |
When personal data is processed on the basis of Articles 5(c), 5(d) and 11(2)(a) DPR, data subjects have the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning them which they have provided to the controller and the right to transmit those data to another controller without hindrance from the controller to which the personal data were initially provided. |
|
Right to object (Article 23 DPR) |
Data subjects have the right to object, at any time, to the processing of their personal data under certain circumstances. The controller shall cease to process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subjects. |
|
Right to not be subject to a decision based solely on automated processing (Article 24 DPR) |
Decisions based solely on automated processing are decisions made by machines, including profiling, which produce legal effects concerning or similarly significantly affecting data subjects. Data subjects have the right not to be subject to this kind of decision, except where the decision is necessary for entering into, or performance of a contract between them and the EPO, is authorised by a legal act or is based on their explicit consent. |
Data protection is not an absolute right. It always has to be balanced against other fundamental rights and so there may be circumstances where one or more of your rights may be restricted. If they are restricted, you will be informed of the main reasons for this and of your right to ask the Data Protection Officer to investigate and/or file a request for review with the delegated controller (see the procedure described below in d.).
These rights might be restricted on the legitimate grounds established by Article 25 of the EPO Data Protection Rules and the Circular No. 420 implementing Article 25 DPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
For more information about restrictions, you can always consult the related Circular No. 420 and the EPO's Data Protection Officer at DPOexternalusers@epo.org.
You can contact the Data Protection Officer at any time on any matter concerning the interpretation or application of the Data Protection Rules. No-one is to suffer prejudice on account of bringing an alleged infringement of these Rules to the attention of the Data Protection Officer.
When contacting the EPO to exercise your right(s), in order to enable us to respond more promptly and precisely to your request, you always need to provide certain preliminary information with the request. Therefore, we encourage you to fill in this form and submit it with your request.
Please note that in order to have access to the redress mechanisms described below, you first need to have filed a request for review with the delegated controller as per the procedure described in point d. above How to exercise your rights.
If you consider that the EPO's processing of your personal data infringes your rights, you can ask the delegated controller to review the matter and take a decision (Article 49 DPR).
If you are not satisfied with the delegated controller's decision or if the delegated controller fails to take action within three months of submission of your request, you can file a complaint with the Data Protection Board under Article 50 DPR. It will review your complaint in accordance with its Rules of Procedure.
If you disagree with the controller's final decision on your complaint, you can ask the President of the Office for ad-hoc arbitration proceedings to resolve the dispute (Article 52 DPR).
You can contact the controller, the delegated controllers and the Data Protection Officer at DPOexternalusers@epo.org.
If you wish to lodge a complaint with the Data Protection Board, write to dpbcomplaints@epo.org. Please bear in mind, however, that you first need to file a request for review with the delegated controller before you can lodge a complaint with the Board.
