The European Patent Office ("EPO") is committed to ensuring respect for the fundamental rights of natural persons ("data subjects") to privacy and to the protection of their personal data processed by it when performing its tasks and providing its services.
The EPO is an international organisation established by the European Patent Convention (EPC) and, as such, is not subject to EU Regulation 2016/679 - General Data Protection Regulation (GDPR). On 30 June 2021, the EPO adopted a new data protection framework which is in line with best practices at European and international level. The Data Protection Rules (DPR) are the core of this new framework.
All personal data collected or managed by the EPO are processed in accordance with the Data Protection Rules, which aim at ensuring that the EPO's handling of data subjects' information meets the highest standards of protection. Processing operations carried out by the Administrative Council of the European Patent Organisation do not fall under these Rules. Additionally, Articles 49 to 52 DPR do not apply to the processing of personal data by the EPO Boards of Appeal in their judicial capacity.
The decision of the President of the European Patent Office ("the President") dated 13 December 2021 concerning the processing of personal data in patent-grant and related proceedings, the decision of the President of the European Patent Office dated 7 December 2022 concerning the processing of personal data in proceedings related to European patents with unitary effect and the decision of the President of the European Patent Office dated 17 November 2022 concerning countries and entities considered to ensure adequate protection of personal data complement the DPR.
For the processing of personal data by the EPO, the President acts as controller. The President is free to delegate the controllership to EPO operational units (Article 28(3) DPR), which then act as delegated controllers. For additional information on the delegated controllers, please refer to the decision of the President of the European Patent Office identifying the operational units of the Office acting as delegated controllers dated 17 April 2023.
For the processing of personal data by the EPO Boards of Appeal in their judicial capacity, the President of the Boards of Appeal acts as controller. With regard to the personal data processing operations carried out by the Boards of Appeal in the exercise of administrative functions and powers delegated to the President of the Boards of Appeal under the Act of Delegation, the President of the Boards of Appeal acts as controller and the deputy of the President of the Boards of Appeal acts as delegated controller. For additional information, please refer to the decision of the President of the Board of Appeal of 5 April 2022 appointing a delegated controller within the meaning of the Data Protection Rules. For all other processing activities carried out by the Boards of Appeal Unit, the President of the Boards of Appeal acts as delegated controller of the President of the EPO. Please note that the decision of the President of the European Patent Office dated 17 November 2022 concerning countries and entities considered to ensure adequate protection of personal data applies by analogy to all the aforementioned processing operations.
Article 32 DPR requires the EPO to keep a central register with records of its processing activities. Entries to this register will be progressively introduced within six months of the entry into force of the DPR. Records describing the processing of personal data of external data subjects are publicly accessible on the EPO website. External data subjects can consult these records to learn more about how the EPO processes their personal data.
For the safety and security of its buildings, assets, staff and visitors, the EPO operates a video surveillance system. For more information, please refer to Circular No. 421, EPO video surveillance policy.
The EPO's Data Protection Officer independently monitors the internal application of and compliance with the Data Protection Rules with respect to all processing operations carried out by the EPO. A Data Protection Board appointed by the President is mandated with an oversight and advisory function and has a role in the legal redress mechanism (Article 47 DPR).
This data protection and privacy policy ("policy") explains how personal data collected by the EPO is processed.
Personal data means any information relating to any identified or identifiable natural person (also referred to as "data subject" or "individual"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity; personal data which have undergone pseudonymisation but could still be attributed to a natural person by the use of additional information are to be considered to be information relating to an identifiable natural person.
We classify personal data in two categories:
For more information on the categories of personal data processed during patent-grant and related proceedings, see the decision of the President dated 13 December 2021 concerning the processing of personal data in patent-grant and related proceedings.
Personal data collected by the EPO are adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed.
"Processing" of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, storage, use, disclosure or erasure.
When you interact with the EPO, your personal data are collected for specific, explicit and legitimate purpose(s) and not further processed in a manner that is incompatible with the purpose(s) for which they were collected.
Our processing of personal data must follow a number of principles. These include that the processing must be lawful, fair and transparent to the data subject and ensure appropriate security of the personal data.
The purposes for which personal data are processed are set out in the relevant data protection statements and records made available to data subjects.
The EPO's processing operations are based on Article 5 DPR, which provides that we can collect personal data:
Except where published in the European Patent Register (under Article 127 and Rule 143 EPC and the related decision of the President), your personal data are not made available to the public unless you have given your express consent.
Personal data may be accessed, disseminated and processed only on a strict need-to-know basis, by the authorised EPO staff and third-party service providers. Personal data are not disclosed to any other recipients. For more information on how we protect and safeguard your personal data, see point e. below.
We take appropriate technical and organisational measures to safeguard and protect personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.
All personal data processed on systems hosted on the EPO premises are stored in secure IT applications in accordance with the security standards of EPO, which include the following measures:
For personal data processed on systems not hosted on the EPO premises, the providers processing the personal data have committed in a binding agreement to comply with their data protection obligations stemming from the applicable data protection legal frameworks. The EPO has also carried out a privacy and security risk assessment. These systems are required to have implemented appropriate technical and organisational measures such as: physical security measures, access and storage control measures, securing data at rest (e.g. by encryption); user, transmission and input control measures (e.g. network firewalls, network intrusion detection system (IDS), network intrusion protection system (IPS), audit logging); conveyance control measures (e.g. securing data in transit by encryption).
If you become aware of a personal data breach (meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data) which affects personal data transmitted, stored or otherwise processed by the EPO, please report it as soon as possible to DPOexternalusers@epo.org.
Personal data kept in a form which permits identification of data subjects will be stored only for the time needed to achieve the purposes for which it is processed.
In the case of personal data processed pursuant to Rule 143 EPC and the related decision of the President, the EPO is legally obliged to keep them indefinitely. Otherwise, specific retention periods are established for each specific processing of personal data.
For more information, data subjects may refer to the specific data protection statement or data protection record.
The EPO uses social media to communicate its work and better engage with the public. We are on Facebook, Twitter, LinkedIn, Xing and YouTube and we encourage all individuals to share our content and take part in our discussions!
Our website uses social plug-ins of Facebook, Twitter, LinkedIn, Xing and YouTube ("social media providers"). If you are logged into your social network account with one of those social media providers when you visit the website, the social media provider might assign your visit to their network account. If you use the functions of the social plug-ins, this information will also be transmitted directly from your browser to the social media provider and may be stored there.
Each social media provider has its own policy on how it processes your personal data when you access its website. We therefore encourage you to refer to the various providers' privacy policies for more information on the purposes and scope of their processing of the personal data:
The EPO has always aimed to keep our data protection framework in line with the latest developments and best practices, and we will also update this policy accordingly. We therefore encourage you to consult it regularly.
You can find additional information about the processing of personal data for specific purposes below:
Data protection statement on the processing of personal data in the context of Splunk
Data protection statement on the processing of personal data in the context of EPO smart cards
Data Protection Statement for Identity Management through AD and Azure
Data protection statement on the processing of personal data in the context of the EPO Mail Service
Data protection statement on the processing of personal data within the framework of (OPS)
Data protection statement on the processing of personal data in Microsoft 365
Data protection statement on the processing of personal data in the context of the EPO podcast
Data protection statement on the processing of personal data for the EPO's Patent Knowledge News
Data protection statement on the processing of personal data by the EPO's Academy E-learning centre
Data protection statement on the processing of personal data for Bot Protection Service
Data protection statement on the processing of personal data for mass email distribution list
A "cookie" is a small piece of data that a website stores on the data subject's computer or mobile device.
Strictly necessary cookies. We use cookies that are necessary for site usability and security. These cookies do not gather information about data subjects and they will not be used for marketing purposes or to collect information about your browsing behaviour or preferences. They are set by default and cannot be disabled.
Analytical cookies. We use cookies to understand your preferences and track usage trends. We may collect data about your browsing behaviour, such as IP address, location, IP provider (if available), browser type, operating system, language and screen size, the visited pages and the time and date of the visits.
We use this information to gather aggregated and anonymous statistics with a view to improving our services and your experience. The data are collected, aggregated and anonymised in our datacentre under adequate security measures.
The audio-visual content displayed on our website is hosted on and processed by YouTube. By watching it, you accept YouTube's specific terms and conditions, including its cookies policy, which we have no control over.
The following cookies are used on the epo.org websites:
Category | Cookie name | Source | Expiry | Purpose |
---|---|---|---|---|
Strictly necessary | AWSSESSION_ID | First party | Session | Platform session cookie, used to maintain an anonymous user session by the server. |
Strictly necessary | AWSUSER_ID | First party | 416 days | Used to identify the user. |
Strictly necessary | JSESSIONID | First party | Session | Platform session cookie, used to maintain an anonymous user session by the server. |
Analytics | _pk_id | Third party | 13 months | Used to store a few details about the user such as the unique visitor ID. |
Analytics | _pk_ref | Third party | 6 months | Used to store the referrer initially used to visit the website. |
Analytics | _pk_cvar | Third party | 30 minutes | Short-lived cookie used to temporarily store data for the visit. |
Analytics | _pk_ses | Third party | 30 minutes | Short-lived cookie used to temporarily store data for the visit. |
Analytics | mtm_consent (or mtm_consent_removed) | First party | 100 days | Used to remember that users visited the website and acknowledged the use of cookies (via the dedicated banner). This preference can be changed at any time by the user. |
The following cookies are used on the new.epo.org website:
Category | Cookie name | Source | Expiry | Purpose |
---|---|---|---|---|
Strictly necessary | SESS[Unique ID] | First party | 23 days | This cookie allows logging in and remembering which contact forms you have submitted. This cookie is essential for site functionality and the user experience. |
Strictly necessary | cookie_agreed_version | First party | 100 days | Acceptance of cookies. |
Analytics | _pk_id | Third party | 393 days | Used to store a few details about the user such as the unique visitor ID. |
Analytics | _pk_ref | Third party | 6 months | Used to store the referrer initially used to visit the website. |
Analytics | _pk_cvar | Third party | 30 minutes | Used to temporarily store data for the visit. |
Analytics | _pk_ses | Third party | 30 minutes | Used to temporarily store data for the visit. |
The following cookies are used on the EPO Bulk Data Distribution Service website:
Category | Cookie name | Source | Expiry | Purpose |
---|---|---|---|---|
Strictly necessary | JSESSIONID $ | First party | Session | Platform session cookie, used to maintain user session by the server. |
Strictly necessary | ambassador_session. NAME.SPACE | First party | Session | Platform session cookie, used to maintain user session by the server. |
Strictly necessary | ambassador_xsfr. NAME.SPACE | First party | Session | Platform session cookie, used to maintain user session by the server (XSRF protection). |
You can manage/delete cookies as you see fit. You can find out more about how to do this at aboutcookies.org.
You can delete all cookies currently on your device by clearing your browsing history. This will remove all cookies from the websites you have visited.
You can learn more about how to manage site-specific cookies by looking at the privacy and cookie settings of your browser.
You can select the Do Not Track (DNT) option in your web browser to prevent, as much as possible, cookies being placed on your device. However, some preferences may need to be adjusted every time you visit a site or page as some services and functionalities may not work properly.
If the DNT option is enabled in your browser, we will respect your choice and will not track your browsing behaviour on our website for our anonymised statistics. You can find instructions on how to activate the DNT option in some popular browsers below:
As a data subject, you have the following rights under the EPO Data Protection Rules:
Data subjects' rights | Description |
---|---|
Right to information (Articles 16 and 17 DPR) | Where personal data has not been obtained from the data subjects, the controller shall, at the time when personal data is obtained, provide data subjects with information on the categories of personal data concerned and the source of the personal data and, if applicable, whether it came from publicly accessible sources. |
Right of access (Article 18 DPR) | Data subjects have the right to request confirmation as to whether or not their personal data is being processed, and, if so, to access the personal data easily and at reasonable intervals, to understand which data about them is processed, to verify the quality of their personal data, to verify the lawfulness of the processing and to exercise their other rights. |
Right to rectification (Article 19 DPR) | Data subjects have the right to request the correction of inaccurate personal data concerning them. |
Right to erasure (Article 20 DPR) | Data subjects have the right to request the erasure of their personal data under certain circumstances, e.g. if their personal data is no longer necessary for the purposes for which it was collected or if their personal data has been unlawfully processed. |
Right to restriction of processing (Article 21 DPR) | Data subjects have the right to obtain from the EPO the restriction of processing of their personal data if the data is inaccurate, the EPO no longer needs it for the purposes of processing or the processing is unlawful, or, where they have already objected to processing, pending verification of their objection. |
Right to data portability (Article 22 DPR) | When personal data is processed on the basis of Articles 5(c), 5(d) and 11(2)(a) DPR, data subjects have the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning them which they have provided to the controller and the right to transmit those data to another controller without hindrance from the controller to which the personal data were initially provided. |
Right to object (Article 23 DPR) | Data subjects have the right to object, at any time, to the processing of their personal data under certain circumstances. The controller shall cease to process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subjects. |
Right not to be subject to a decision based solely on automated processing (Article 24 DPR) | Decisions based solely on automated processing are decisions made by machines, including profiling, which produce legal effects concerning or similarly significantly affecting data subjects. Data subjects have the right not to be subject to this kind of decision, except where the decision is necessary for entering into, or performance of, a contract between them and the EPO, is authorised by a legal act or is based on their explicit consent. |
Data protection is not an absolute right. It always has to be balanced against other fundamental rights and so there may be circumstances where one or more of your rights may be restricted. If they are restricted, you will be informed of the main reasons for this and of your right to ask the Data Protection Officer to investigate and/or file a request for review with the delegated controller (see the procedure described below in d.).
These rights might be restricted on the legitimate grounds established by Article 25 of the EPO Data Protection Rules and the Circular No. 420 implementing Article 25 DPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
For more information about restrictions, you can consult the related Circular No. 420 and the EPO's Data Protection Officer at DPOexternalusers@epo.org.
If you would like to exercise your rights as a data subject, you can contact the delegated controller via email at DPOexternalusers@epo.org.
The delegated controller should respond without undue delay and in any event within one month of receipt of your request. This period may be extended by two further months where necessary in view of the complexity and number of the requests. In this case, the delegated controller must duly notify you of the extension and the reasons for the delay within one month of the EPO's receipt of the request.
When contacting the EPO to exercise your right(s), in order to enable us to respond more promptly and precisely to your request, you always need to provide certain preliminary information with the request. Therefore, we encourage you to fill in this form and submit it with your request.
Please note that the EPO will not process or handle requests to exercise data subject rights which are sent via and/or received from software used to generate automated requests (such as Mine, deseat.me, JustDelete.me, Removaly).
If you consider that the EPO's processing of your personal data infringes your rights as a data subject, you can make use of the specific means of redress available to you under the DPR. Please note that access to these redress mechanisms is conditional on respecting the order of the steps described below.
The overview of the redress mechanisms below is intended as a user-friendly illustration, but its content is not legally binding. The Data Protection Rules and the Rules of Procedure of the Data Protection Board are the applicable and binding legal provisions.
Data subjects who consider that the processing of their personal data by the Office infringes the above-mentioned rights may request the delegated controller to review the matter and take a decision (Article 49 DPR). Where the processing is carried out by the EPO Boards of Appeal in the exercise of functions and powers under the Act of Delegation, please address your request for review to the President of the Boards of Appeal, who acts as controller of these activities.
If you are not satisfied with the delegated controller's decision or if the delegated controller fails to take action within three months of submission of your request, you can file a complaint with the Data Protection Board under Article 50 DPR. The Data Protection Board will handle your complaint in accordance with its Rules of Procedure.
If you disagree with the controller's final decision on your complaint, you can ask the President of the Office for ad-hoc arbitration proceedings to resolve the dispute (Article 52 DPR).
You can report a personal data breach or contact the relevant controller, the delegated controllers and the Data Protection Officer at DPOexternalusers@epo.org.