Data protection and privacy notice


The European Patent Office ("EPO") is committed to ensuring respect for the fundamental rights of natural persons ("data subjects") to privacy and to the protection of their personal data processed by it when performing its tasks and providing its services.

Legal framework for the protection of personal data at the EPO

The EPO is an international organisation established by the European Patent Convention (EPC) and, as such, is not subject to EU Regulation 2016/679 - General Data Protection Regulation (GDPR). On 30 June 2021, the EPO adopted a new data protection framework which is in line with best practices at European and international level. The Data Protection Rules (DPR) are the core of this new framework.

All personal data collected or managed by the EPO are processed in accordance with the Data Protection Rules, which aim at ensuring that the EPO's handling of data subjects' information meets the highest standards of protection. Processing operations carried out by the Administrative Council of the European Patent Organisation do not fall under these Rules. Additionally, Articles 49 to 52 DPR do not apply to the processing of personal data by the EPO Boards of Appeal in their judicial capacity.

The decision of the President of the European Patent Office ("the President") dated 13 December 2021 concerning the processing of personal data in patent-grant and related proceedings complements the DPR.

For the processing of personal data by the EPO, the President acts as controller. The President is free to delegate the controllership to EPO operational units (Article 28(3) DPR), which then act as delegated controllers. For additional information on the delegated controllers, please refer to the decision of the President of the European Patent Office identifying the operational units of the Office acting as delegated controllers dated 16 December 2021.

For the processing of personal data by the EPO Boards of Appeal in their judicial capacity, the President of the Boards of Appeal acts as controller. With regard to the personal data processing operations carried out by the Boards of Appeal in the exercise of administrative functions and powers delegated to the President of the Boards of Appeal under the Act of Delegation, the President of the Boards of Appeal acts as controller and the deputy of the President of the Boards of Appeal acts as delegated controller. For additional information, please refer to the decision of the President of the Board of Appeal of 5 April 2022 appointing a delegated controller within the meaning of the Data Protection Rules. For all other processing activities carried out by the Boards of Appeal Unit, the President of the Boards of Appeal acts as delegated controller of the President of the EPO.

Article 32 DPR requires the EPO to keep a central register with records of its processing activities. Entries to this register will be progressively introduced within six months of the entry into force of the DPR. Records describing the processing of personal data of external data subjects are publicly accessible on the EPO website. External data subjects can consult these records to learn more about how the EPO processes their personal data.

The EPO's Data Protection Officer independently monitors the internal application of and compliance with the Data Protection Rules with respect to all processing operations carried out by the EPO. A Data Protection Board appointed by the President is mandated with an oversight and advisory function and has a role in the legal redress mechanism (Article 47 DPR).

Data protection and privacy policy

This data protection and privacy policy ("policy") explains how personal data collected by the EPO is processed.

a. What information do we process?

Personal data means any information relating to any identified or identifiable natural person (also referred to as "data subject" or "individual"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity; personal data which have undergone pseudonymisation but could still be attributed to a natural person by the use of additional information are to be considered to be information relating to an identifiable natural person.

We classify personal data in two categories:

  • Mandatory personal data: this means the personal data necessary for (1) the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the EPO, which includes the processing necessary for the EPO's management and functioning, (2) compliance with a legal obligation to which the EPO is subject and (3) the performance of a contract to which the data subject is party.
    • Examples include the personal data the EPO collects to fulfil its obligation to maintain a public patent register (see Rule 143 EPC and the related decision of the President) and the personal data it collects for login authentication and security purposes.
  • Non-mandatory personal data: this means personal data collected and processed on the basis of the data subject's consent. The specific rules on collecting consent are in Article 7 DPR.
    • Examples include the personal data about dietary or mobility requirements that data subjects may provide when registering for an event and the contact data of professional representatives accessible via a searchable database on the EPO website.

For more information on the categories of personal data processed during patent-grant and related proceedings, see the decision of the President dated 13 December 2021 concerning the processing of personal data in patent-grant and related proceedings.

Personal data collected by the EPO are adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed.

b. What do we use your personal data for?

"Processing" of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, storage, use, disclosure or erasure.

When you interact with the EPO, your personal data are collected for specific, explicit and legitimate purpose(s) and not further processed in a manner that is incompatible with the purpose(s) for which they were collected.

Our processing of personal data must follow a number of principles. These include that the processing must be lawful, fair and transparent to the data subject and ensure appropriate security of the personal data.

The purposes for which personal data are processed are set out in the relevant data protection statements and records made available to data subjects.

You can find additional information about the processing of personal data for specific purposes below:

c. What is the legal basis for processing your personal data?

The EPO's processing operations are based on Article 5 DPR, which provides that we can collect personal data:

  • for the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the controller, which includes the processing necessary for the EPO's management and functioning
  • for compliance with a legal obligation to which the controller is subject
  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • when the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes
  • to protect the vital interests of the data subject or of another natural person

d. Who has access to your personal data and to whom is it disclosed?

Except where published in the European Patent Register (under Article 127 and Rule 143 EPC and the related decision of the President), your personal data are not made available to the public unless you have given your express consent.

Personal data may be accessed, disseminated and processed only on a strict need-to-know basis, by the authorised EPO staff and third-party service providers. Personal data are not disclosed to any other recipients. For more information on how we protect and safeguard your personal data, see point e. below.

e. How do we protect and safeguard your personal data?

We take appropriate technical and organisational measures to safeguard and protect personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

All personal data processed on systems hosted on the EPO premises are stored in secure IT applications in accordance with the security standards of EPO, which include the following measures:

  • User authentication: all workstations and servers require log-in, mobile devices require log-in to the EPO enclave, privileged accounts require additional and stronger authentication
  • Access control (e.g. role-based access control to the systems and network, principles of need-to-know and least privilege): separation into administrator and user roles, users have minimum privileges, overall administrator roles are kept to a minimum
  • Logical security hardening of systems, equipment and network: 802.1x for network access, encryption of endpoint devices, antivirus on all devices
  • Physical protection: EPO access controls, additional access controls to datacentre, policies on locking offices
  • Transmission and input controls (e.g. audit logging, systems and network monitoring): security monitoring with Splunk
  • Security incident response: 24/7 monitoring for incidents, on-call security expert.

For personal data processed on systems not hosted on the EPO premises, the providers processing the personal data have committed in a binding agreement to comply with their data protection obligations stemming from the applicable data protection legal frameworks. The EPO has also carried out a privacy and security risk assessment. These systems are required to have implemented appropriate technical and organisational measures such as: physical security measures, access and storage control measures, securing data at rest (e.g. by encryption); user, transmission and input control measures (e.g. network firewalls, network intrusion detection system (IDS), network intrusion protection system (IPS), audit logging); conveyance control measures (e.g. securing data in transit by encryption).

f. How long do we keep your personal data?

Personal data kept in a form which permits identification of data subjects will be stored only for the time needed to achieve the purposes for which it is processed.

In the case of personal data processed pursuant to Rule 143 EPC and the related decision of the President, the EPO is legally obliged to keep them indefinitely. Otherwise, specific retention periods are established for each specific processing of personal data.

For more information, data subjects may refer to the specific data protection statement or data protection record.

g. Social network features

The EPO uses social media to communicate its work and better engage with the public. We are on Facebook, Twitter, LinkedIn, Xing and YouTube and we encourage all individuals to share our content and take part in our discussions!

Our website uses social plug-ins of Facebook, Twitter, LinkedIn, Xing and YouTube ("social media providers"). If you are logged into your social network account with one of those social media providers when you visit the website, the social media provider might assign your visit to their network account. If you use the functions of the social plug-ins, this information will also be transmitted directly from your browser to the social media provider and may be stored there.

Each social media provider has its own policy on how it processes your personal data when you access its website. We therefore encourage you to refer to the various providers' privacy policies for more information on the purposes and scope of their processing of the personal data:

h. Changes to this policy

The EPO has always aimed to keep its data protection framework in line with the latest developments and best practices, and it will update this policy accordingly. We therefore encourage you to consult it regularly.

Cookies policy

A "cookie" is a small piece of data that a website stores on the data subject's computer or mobile device.

a. First-party cookies

Strictly necessary cookies. We use cookies that are necessary for site usability and security. These cookies do not gather information about data subjects and they will not be used for marketing purposes or to collect information about your browsing behaviour or preferences. They are set by default and cannot be disabled.

Analytical cookies. We use cookies to understand your preferences and track usage trends. We may collect data about your browsing behaviour, such as IP address, location, IP provider (if available), browser type, operating system, language and screen size, the visited pages and the time and date of the visits.

We use this information to gather aggregated and anonymous statistics with a view to improving our services and your experience. The data are collected, aggregated and anonymised in our datacentre under adequate security measures.

b. Third-party cookies

The audio-visual content displayed on our website is hosted on and processed by YouTube. By watching it, you accept YouTube's specific terms and conditions, including its cookies policy, which we have no control over.

c. Cookies used on the website

The following cookies are used on the epo.org websites:

Category            Cookie name                           Source       Expiry      Purpose
------------------  ------------------------------------  -----------  ----------  ---------------------------------------------------------------
Strictly necessary  AWSSESSION_ID                         First party  Session     Platform session cookie, used to maintain an anonymous user session by the server.
Strictly necessary  AWSUSER_ID                            First party  416 days    Used to identify the user.
Strictly necessary  JSESSIONID                            First party  Session     Platform session cookie, used to maintain an anonymous user session by the server.
Analytics           _pk_id                                Third party  13 months   Used to store a few details about the user, such as the unique visitor ID.
Analytics           _pk_ref                               Third party  6 months    Used to store the referrer initially used to visit the website.
Analytics           _pk_cvar                              Third party  30 minutes  Short-lived cookie used to temporarily store data for the visit.
Analytics           _pk_ses                               Third party  30 minutes  Short-lived cookie used to temporarily store data for the visit.
Analytics           mtm_consent (or mtm_consent_removed)  First party  100 days    Used to remember that users visited the website and acknowledged the use of cookies (via the dedicated banner). This preference can be changed at any time by the user.

The following cookies are used on the new.epo.org website:

Category            Cookie name                           Source       Expiry      Purpose
------------------  ------------------------------------  -----------  ----------  ---------------------------------------------------------------
Strictly necessary  SESS[Unique ID]                       First party  23 days     Allows logging in and remembering which contact forms you have submitted. This cookie is essential for site functionality and the user experience.
Strictly necessary  cookie_agreed_version, cookie_agreed  First party  100 days    Acceptance of cookies.
Analytics           _pk_id                                Third party  393 days    Used to store a few details about the user, such as the unique visitor ID.
Analytics           _pk_ref                               Third party  6 months    Used to store the referrer initially used to visit the website.
Analytics           _pk_cvar                              Third party  30 minutes  Used to temporarily store data for the visit.
Analytics           _pk_ses                               Third party  30 minutes  Used to temporarily store data for the visit.

d. Technical information

Managing cookies?

You can manage/delete cookies as you see fit. You can find out more about how to do this at aboutcookies.org.

Removing cookies from your device

You can delete all cookies currently on your device by clearing your browsing history. This will remove all cookies from the websites you have visited.

Managing site-specific cookies

You can learn more about how to manage site-specific cookies by looking at the privacy and cookie settings of your browser.

Blocking cookies

You can select the Do Not Track (DNT) option in your web browser to prevent, as much as possible, cookies being placed on your device. However, some preferences may need to be adjusted every time you visit a site or page as some services and functionalities may not work properly.

If the DNT option is enabled in your browser, we will respect your choice and will not track your browsing behaviour on our website for our anonymised statistics. You can find instructions on how to activate the DNT option in some popular browsers below:

What are your rights and how can you exercise them?
Can your rights be restricted?
What redress mechanisms are available?

a. Your data protection rights

As a data subject, you have the following rights under the EPO Data Protection Rules:

Data subjects' rights and their description

Right to information (Articles 16 and 17 DPR)

Where personal data has not been obtained from the data subjects, the controller shall, at the time when personal data is obtained, provide data subjects with information on the categories of personal data concerned and the source of the personal data and, if applicable, whether it came from publicly accessible sources.

Right of access (Article 18 DPR)

Data subjects have the right to request confirmation as to whether or not their personal data is being processed, and, if so, to access the personal data easily and at reasonable intervals, to understand which data about them is processed, to verify the quality of their personal data, to verify the lawfulness of the processing and to exercise their other rights.

Right to rectification (Article 19 DPR)

Data subjects have the right to request the correction of inaccurate personal data concerning them.

Right to erasure (Article 20 DPR)

Data subjects have the right to request the erasure of their personal data under certain circumstances, e.g. if their personal data is no longer necessary for the purposes for which it was collected or if their personal data has been unlawfully processed.

Right to restriction of processing (Article 21 DPR)

Data subjects have the right to obtain from the EPO the restriction of processing of their personal data if the data is inaccurate, the EPO no longer needs it for the purposes of processing or the processing is unlawful, or, where they have already objected to processing, pending verification of their objection.

Right to data portability (Article 22 DPR)

When personal data is processed on the basis of Articles 5(c), 5(d) and 11(2)(a) DPR, data subjects have the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning them which they have provided to the controller and the right to transmit those data to another controller without hindrance from the controller to which the personal data were initially provided.

Right to object (Article 23 DPR)

Data subjects have the right to object, at any time, to the processing of their personal data under certain circumstances. The controller shall cease to process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subjects.

Right to not be subject to a decision based solely on automated processing (Article 24 DPR)

Decisions based solely on automated processing are decisions made by machines, including profiling, which produce legal effects concerning or similarly significantly affecting data subjects. Data subjects have the right not to be subject to this kind of decision, except where the decision is necessary for entering into, or performance of a contract between them and the EPO, is authorised by a legal act or is based on their explicit consent.

b. Can your rights be restricted?

Data protection is not an absolute right. It always has to be balanced against other fundamental rights and so there may be circumstances where one or more of your rights may be restricted. If they are restricted, you will be informed of the main reasons for this and of your right to ask the Data Protection Officer to investigate and/or file a request for review with the delegated controller (see the procedure described below in d.).

These rights might be restricted on the legitimate grounds established by Article 25 of the EPO Data Protection Rules and the Circular No. 420 implementing Article 25 DPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

  • the European Patent Organisation's security, public security or defence of the contracting states
  • the prevention, investigation, detection and prosecution of criminal offences or the enforcement of criminal penalties, including the safeguarding against and the prevention of threats to public security and including cases in which Article 20 of the Protocol of Privileges and Immunities is applied
  • other substantial interests of the European Patent Organisation pertaining to its core mission, or in reason of obligations arising from the duty of co-operation with the contracting states, including monetary, budgetary and taxation matters, public health and social security
  • the internal security of the EPO, including of its electronic communications networks
  • the protection of judicial and quasi-judicial independence and judicial and quasi-judicial proceedings
  • the prevention, investigation, detection and sanction of breaches of ethics for regulated professions
  • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority
  • the protection of the data subject or the rights and freedoms of others
  • the enforcement of civil law claims

For more information about restrictions, you can consult the related Circular No. 420 and the EPO's Data Protection Officer at DPOexternalusers@epo.org.

c. How to exercise your rights

If you would like to exercise your rights as a data subject, you can contact the delegated controller via email at DPOexternalusers@epo.org.

The delegated controller should respond without undue delay and in any event within one month of receipt of your request. This period may be extended by two further months where necessary in view of the complexity and number of the requests. In this case, the delegated controller must duly notify you of the extension and the reasons for the delay within one month of the EPO's receipt of the request.

When contacting the EPO to exercise your right(s), in order to enable us to respond more promptly and precisely to your request, you always need to provide certain preliminary information with the request. Therefore, we encourage you to fill in this form and submit it with your request.

d. What redress mechanisms are available?

If you consider that the EPO's processing of your personal data infringes your rights as a data subject, you can make use of the specific means of redress available to you under the DPR. Please note that access to these redress mechanisms is conditional on respecting the order of the steps described below.

Overview

The overview of the redress mechanisms below is intended as a user-friendly illustration, but its content is not legally binding. The Data Protection Rules and the Rules of Procedure of the Data Protection Board are the applicable and binding legal provisions.

Overview of the redress mechanisms

First step

Data subjects who consider that the processing of their personal data by the Office infringes the above-mentioned rights may request the delegated controller to review the matter and take a decision (Article 49 DPR). Where the processing is carried out by the EPO Boards of Appeal in the exercise of functions and powers under the Act of Delegation, please address your request for review to the President of the Boards of Appeal, who acts as controller of these activities.

  • Timeframe: You must submit your request for review no later than three months from the day on which you were informed or otherwise became aware of the processing of personal data allegedly infringing your rights.
  • How to file a request for review by the delegated controller? Data subjects should send their request by filling in the request for review form and sending it to: DPOexternalusers@epo.org.
  • Procedure:
    • The delegated controller should respond without undue delay and in any event within one month of receipt of your request.
    • This period may be extended by two further months where necessary, in view of the complexity and number of the requests. If so, the controller must duly notify the data subject of the extension and the reasons for the delay within one month of the EPO's receipt of the request.
    • If the controller or the delegated controller fails to take any action by the end of a period of three months, this will be deemed to be an implicit rejection of your request.

Second step

If you are not satisfied with the delegated controller's decision or if the delegated controller fails to take action within three months of submission of your request, you can file a complaint with the Data Protection Board under Article 50 DPR. The Data Protection Board will handle your complaint in accordance with its Rules of Procedure.

  • Timeframe: You must file your complaint with the Data Protection Board within three months of receipt of the delegated controller's decision or, in the case of an implicit rejection, of the date of expiry of the time limit for replying to your request for review.
  • How to lodge a complaint with the Data Protection Board: By filling in the request form and sending it to dpbcomplaints@epo.org.
  • Procedure:
    • The Data Protection Board invites the parties to set out in writing their position on the claims and facts at issue and to provide evidence or comments and arguments on evidence already at hand.
    • Further, the Data Protection Board issues a reasoned opinion to the controller. If it is deemed necessary, it may recommend compensation for material and/or non-material damage.
    • Once the opinion is communicated, the controller takes a final decision. If the controller does not follow the Data Protection Board's opinion, it must set out the reasons in writing.
    • The controller notifies the parties, as well as the Data Protection Officer and the Data Protection Board, of the final decision and the conclusions of the Data Protection Board.

Third and last step

If you disagree with the controller's final decision on your complaint, you can ask the President of the Office for ad-hoc arbitration proceedings to resolve the dispute (Article 52 DPR).

  • Timeframe: You must submit your request for arbitration within three months of receiving the controller's final decision.
  • Contact: You must fill in the request form and send it, together with all the necessary documentation it asks you to provide, to the President of the EPO at president@epo.org.
  • Procedure:
    • Arbitration takes place in The Hague (the Netherlands), with a qualified arbitrator appointed by the Secretary General of the Permanent Court of Arbitration.
    • The law governing the arbitration is the EPC, the EPO Data Protection Rules, including any implementing legislation, the law of international organisations and the principles of public international law.
    • The arbitration is confidential, and the result will be consolidated in the form of a written settlement (also called "arbitration award") which also fixes the costs of arbitration.
    • The European Patent Organisation pays the arbitration fees, but each party pays his or her own costs of legal representation and expenses unless the arbitrator decides otherwise.

How to contact us?

You can contact the relevant controller, the delegated controllers and the Data Protection Officer at DPOexternalusers@epo.org.
