https://www.epo.org/en/node/data-protection-and-privacy

Data protection and privacy notice

The European Patent Office ("EPO") is committed to ensuring respect for the fundamental rights of natural persons ("data subjects") to privacy and to the protection of their personal data processed by it when performing its tasks and providing its services.

Legal framework for the protection of personal data at the EPO

The EPO is an international organisation established by the European Patent Convention (EPC) and, as such, is not subject to EU Regulation 2016/679 - General Data Protection Regulation (GDPR). On 30 June 2021, the EPO adopted a new data protection framework which is in line with best practices at European and international level. The Data Protection Rules (DPR) are the core of this new framework.

All personal data collected or managed by the EPO are processed in accordance with the Data Protection Rules, which aim at ensuring that the EPO's handling of data subjects' information meets the highest standards of protection. Processing operations carried out by the Administrative Council of the European Patent Organisation do not fall under these Rules. Additionally, Articles 49 to 52 DPR do not apply to the processing of personal data by the EPO Boards of Appeal in their judicial capacity.

The decision of the President of the European Patent Office ("the President") dated 13 December 2021 concerning the processing of personal data in patent-grant and related proceedings, the decision of the President of the European Patent Office dated 7 December 2022 concerning the processing of personal data in proceedings related to European patents with unitary effect and the decision of the President of the European Patent Office dated 17 November 2022 concerning countries and entities considered to ensure adequate protection of personal data complement the DPR.

For the processing of personal data by the EPO, the President acts as controller. The President is free to delegate the controllership to EPO operational units (Article 28(3) DPR), which then act as delegated controllers. For additional information on the delegated controllers, please refer to the decision of the President of the European Patent Office identifying the operational units of the Office acting as delegated controllers dated 17 April 2023.

For the processing of personal data by the EPO Boards of Appeal in their judicial capacity, the President of the Boards of Appeal acts as controller. With regard to the personal data processing operations carried out by the Boards of Appeal in the exercise of administrative functions and powers delegated to the President of the Boards of Appeal under the Act of Delegation, the President of the Boards of Appeal acts as controller and the deputy of the President of the Boards of Appeal acts as delegated controller. For additional information, please refer to the decision of the President of the Board of Appeal of 5 April 2022 appointing a delegated controller within the meaning of the Data Protection Rules. For all other processing activities carried out by the Boards of Appeal Unit, the President of the Boards of Appeal acts as delegated controller of the President of the EPO. Please note that the decision of the President of the European Patent Office dated 17 November 2022 concerning countries and entities considered to ensure adequate protection of personal data applies by analogy to all the aforementioned processing operations.

Article 32 DPR requires the EPO to keep a central register with records of its processing activities. Entries to this register will be progressively introduced within six months of the entry into force of the DPR. Records describing the processing of personal data of external data subjects are publicly accessible on the EPO website. External data subjects can consult these records to learn more about how the EPO processes their personal data.

For the safety and security of its buildings, assets, staff and visitors, the EPO operates a video surveillance system. For more information, please refer to Circular No. 421, EPO video surveillance policy.

The EPO's Data Protection Officer independently monitors the internal application of and compliance with the Data Protection Rules with respect to all processing operations carried out by the EPO. A Data Protection Board appointed by the President is mandated with an oversight and advisory function and has a role in the legal redress mechanism (Article 47 DPR).

Download EPO Data Protection Rules

Data protection and privacy policy

This data protection and privacy policy ("policy") explains how personal data collected by the EPO is processed.

a. What information do we process?

Personal data means any information relating to any identified or identifiable natural person (also referred to as "data subject" or "individual"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity; personal data which have undergone pseudonymisation but could still be attributed to a natural person by the use of additional information are to be considered to be information relating to an identifiable natural person.

We classify personal data in two categories:

  • Mandatory personal data: this means the personal data necessary for (1) the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the EPO, which includes the processing necessary for the EPO's management and functioning, (2) compliance with a legal obligation to which the EPO is subject and (3) the performance of a contract to which the data subject is party.
    • Examples include the personal data the EPO collects to fulfil its obligation to maintain a public patent register (see Rule 143 EPC and the related decision of the President) and the personal data it collects for login authentication and security purposes.
  • Non-mandatory personal data: this means personal data collected and processed on the basis of the data subject's consent. The specific rules on collecting consent are in Article 7 DPR.
    • Examples include the personal data about dietary or mobility requirements that data subjects may provide when registering for an event and the contact data of professional representatives accessible via a searchable database on the EPO website.

For more information on the categories of personal data processed during patent-grant and related proceedings, see the decision of the President dated 13 December 2021 concerning the processing of personal data in patent-grant and related proceedings.

Personal data collected by the EPO are adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed.

b. What do we use your personal data for?

"Processing" of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, storage, use, disclosure or erasure.

When you interact with the EPO, your personal data are collected for specific, explicit and legitimate purpose(s) and not further processed in a manner that is incompatible with the purpose(s) for which they were collected.

Our processing of personal data must follow a number of principles. These include that the processing must be lawful, fair and transparent to the data subject and ensure appropriate security of the personal data.

The purposes for which personal data are processed are set out in the relevant data protection statements and records made available to data subjects.

c. What is the legal basis for processing your personal data?

The EPO's processing operations are based on Article 5 DPR, which provides that we can collect personal data:

  • for the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the controller, which includes the processing necessary for the EPO's management and functioning
  • for compliance with a legal obligation to which the controller is subject
  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • when the data subject has given explicit consent to the processing of their personal data for one or more specific purposes
  • to protect the vital interests of the data subject or of another natural person

d. Who has access to your personal data and to whom is it disclosed?

Except where published in the European Patent Register (under Article 127 and Rule 143 EPC and the related decision of the President), your personal data are not made available to the public unless you have given your express consent.

Personal data may be accessed, disseminated and processed only on a strict need-to-know basis, by the authorised EPO staff and third-party service providers. Personal data are not disclosed to any other recipients. For more information on how we protect and safeguard your personal data, see point e. below.

e. How do we protect and safeguard your personal data?

We take appropriate technical and organisational measures to safeguard and protect personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

All personal data processed on systems hosted on the EPO premises are stored in secure IT applications in accordance with the security standards of the EPO, which include the following measures:

  • User authentication: all workstations and servers require log-in, mobile devices require log-in to the EPO enclave, privileged accounts require additional and stronger authentication
  • Access control (e.g. role-based access control to the systems and network, principles of need-to-know and least privilege): separation into administrator and user roles, users have minimum privileges, overall administrator roles are kept to a minimum
  • Logical security hardening of systems, equipment and network: 802.1x for network access, encryption of endpoint devices, antivirus on all devices
  • Physical protection: EPO access controls, additional access controls to datacentre, policies on locking offices
  • Transmission and input controls (e.g. audit logging, systems and network monitoring): security monitoring with Splunk
  • Security incident response: 24/7 monitoring for incidents, on-call security expert.

For personal data processed on systems not hosted on the EPO premises, the providers processing the personal data have committed in a binding agreement to comply with their data protection obligations stemming from the applicable data protection legal frameworks. The EPO has also carried out a privacy and security risk assessment. These systems are required to have implemented appropriate technical and organisational measures such as: physical security measures, access and storage control measures, securing data at rest (e.g. by encryption); user, transmission and input control measures (e.g. network firewalls, network intrusion detection system (IDS), network intrusion protection system (IPS), audit logging); conveyance control measures (e.g. securing data in transit by encryption).

If you become aware of a personal data breach (meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data) which affects personal data transmitted, stored or otherwise processed by the EPO, please report it as soon as possible to DPOexternalusers@epo.org.

f. How long do we keep your personal data?

Personal data kept in a form which permits identification of data subjects will be stored only for the time needed to achieve the purposes for which it is processed.

In the case of personal data processed pursuant to Rule 143 EPC and the related decision of the President, the EPO is legally obliged to keep them indefinitely. Otherwise, specific retention periods are established for each specific processing of personal data.

For more information, data subjects may refer to the specific data protection statement or data protection record.

g. Social network features

The EPO uses social media to communicate its work and better engage with the public. We are on Facebook, Twitter, LinkedIn, Xing and YouTube and we encourage all individuals to share our content and take part in our discussions.

We do not currently offer social media plug-ins for epo.org, but in some cases we do offer links or services related to those platforms. Please bear in mind that if you use these services or access social media via epo.org, the social media provider in question may process your personal data.

Each social media provider has its own policy on how it processes your personal data when you access its website. We therefore encourage you to refer to the privacy policies of the providers listed below for more information on the purposes and scope of their personal data processing:

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube

h. Changes to this policy

The EPO has always aimed to keep its data protection framework in line with the latest developments and best practices. To this end, we will continue to update this policy in the future and encourage you to consult it on a regular basis.

Information on the processing of personal data in EPO products and services

You can find additional information about the processing of personal data for specific purposes below:

For carrying out the EPO's official activities and tasks

Decision of the President of the European Patent Office dated 13 December 2021 concerning the processing of personal data in patent-grant and related proceedings

Decision of the President of the European Patent Office dated 7 December 2022 concerning the processing of personal data in proceedings related to European patents with unitary effect

Decision of the President of the European Patent Office dated 17 November 2022 concerning countries and entities considered to ensure adequate protection of personal data

  1. Data Protection Statement on the processing of personal data within the context of investigative activities

  2. Data protection statement on the processing of personal data within the framework of the Amicable Settlement Procedure

  3. Data protection statement on the processing of personal data within the framework of Central Fee Payment Service (Patent fees)

  4. Data protection statement on the processing of professional personal data within the framework of creating and maintaining a list of contacts to support depository and extended custody services from financial institutions

  5. Data protection statement on the processing of personal data in the context of managing and maintaining a list of contacts providing trading support in the area of financial securities and cash management

  6. Data protection statement on the processing of personal data in the context of managing and maintaining a list of contacts to support the use of the Principal Directorate Administration of the Reserve Funds' investment management platform

  7. Data Protection Statement on the processing of personal data within the team and service quality management in the interpreting area

  8. Data protection statement on the processing of personal data in the handling of Disciplinary Proceedings

  9. Data protection statement on the processing of personal data in the handling of Data Protection Board (DPB) complaints

  10. Data protection statement on the processing of personal data in the provision of legal advice by Directorate Institutional and Contract Law

  11. Data protection statement on the processing of personal data during disciplinary proceedings against professional representatives before the EPO

  12. Data protection statement on the processing of personal data in the handling of International Labour Organisation’s Administrative Tribunal (ILOAT) complaints

  13. Data protection statement on the processing of personal data in the management of the Legal Affairs Archives

  14. Data protection statement on the processing of personal data in the context of Patent Developments and IP Lab related legal advice

  15. Data protection statement on the processing of personal data within the case management system of Principal Directorate Legal Affairs

  16. Data protection statement on the processing of personal data in the handling of data in a Professional Incompetence Procedure

  17. Data protection statement on the processing of personal data within framework of the Internal Appeals Procedure

  18. Data Protection Statement on the processing of personal data within the Brussels Office of the European Patent Office (EPO)

  19. Data protection statement on the processing of personal data in the context of Splunk

  20. Data protection statement on processing of personal data in the framework of tendering within the Chief Business Analyst Unit

  21. Data protection statement on the processing of personal data during dispute settlement activities in national proceedings or arbitration

  22. Data protection statement on the processing of personal data in the context of off-site storage of patent granting process (PGP) paper files

  23. Data protection statement on the processing of personal data in the case management for complaints filed with the Data Protection Board by external data subjects

  24. Data protection statement on the processing of personal data by the EPO’s Microsoft Defender for Endpoint service

  25. Data protection statement on the processing of personal data in the organisation of the meetings of the US Bar-EPO Liaison Council

  26. Data protection statement on the processing of personal data in the context of the European Publication Server

  27. Data protection statement on the processing of professional personal data within the framework of activities governed by the Code of Conduct for the Administration of the Reserve Funds

  28. Data protection statement on the processing of personal data in the context of IT Cooperation Front Office technical knowledge transfer virtual events held via Microsoft Teams

  29. Data protection statement on the processing of personal data within the framework of (OPS)

  30. Data protection statement on the processing of personal data in the context of the selection of members of the Standing Advisory Committee to the European Patent Office (SACEPO)

  31. Data protection statement on the processing of personal data in the organisation of meetings of the Standing Advisory Committee before the EPO (SACEPO)

  32. Data protection statement on the processing of personal data related to pre-litigation and litigation on civil service matters where the Administrative Council is the competent appointing authority

  33. Data protection statement on the processing of personal data in the context of EPO smart cards

  34. Data protection statement on the processing of personal data in the context of paying invoices and reimbursements

  35. Data Protection Statement on the processing of personal data in the context of the Convergence of Practice programme

  36. Data protection statement on the processing of personal data within the framework of the delivery of Patent Knowledge related data

  37. Data protection statement on the processing of personal data for the "MyEPO Portfolio" online service for parties to proceedings before the EPO (PGP)

  38. Data protection statement on the processing of personal data in the context of the European Patent Office Federated Services

  39. Data protection statement on the processing of personal data within the framework of the delivery of Patent Information Services for Experts (PISE)

  40. Data protection statement on the processing of personal data within the framework of the EP full text for text analytics

  41. Data protection statement on the processing of personal data within the framework of the delivery of EPO hosted patent knowledge services (Espacenet and European Patent Register)

  42. Data protection statement on the processing of personal data in the context of accident reporting at the EPO (Espacenet and European Patent Register)

  43. Data Protection Statement for Identity Management through AD and Azure

  44. Data protection statement on the processing of personal data within the framework of the Patent Knowledge Web Shop

  45. Data protection statement on the processing of personal data within the framework of Patent Knowledge User Support

  46. Data protection statement on the processing of personal data in the context of the EPO Mail Service

  47. Data protection statement on the processing of personal data within the framework of the official publications

  48. Data protection statement on the archiving of Council Secretariat's documents which include personal data

  49. Data protection statement on the processing of personal data in the management of the Micado Address Book (MAB)

  50. Data protection statement on the processing of personal data in the context of the meetings of the Administrative Council and its bodies

  51. Data protection statement on the processing of personal data in the context of the pre-employment medical examination procedure

  52. Data protection statement on the processing of personal data within the framework of the Employee Assistance Programme (EAP)

  53. Data protection statement on the processing of personal data in the context of staff requests that require medical assessments by the EPO Occupational Health Services (OHS)

  54. Data protection statement on the processing of personal data in the context of User Experience (UX) research on EPO software applications

  55. Data protection statement for externals on the processing of personal data in the framework of the medical certificates/consultancy registration process

For the management of interactions with users contacting the EPO

  1. Data protection statement on the processing of personal data within the framework of the Data Protection Board tasks, duties and activities

  2. Data protection statement on the processing of personal data in the framework of the Data Protection Office's tasks, duties and activities

  3. Data protection statement on the processing of personal data in Microsoft 365

  4. Data protection statement on the processing of personal data in the context of the EPO podcast

  5. Data protection statement on the processing of personal data for the EPO's Patent Knowledge News

  6. Data protection statement on the processing of personal data for the EPO's email newsletters and related subscription forms

  7. Data protection statement on the processing of personal data in Okta's Customer Identity and Access Management (CIAM) system

  8. Data protection statement on the processing of personal data within the framework of Customer Service Management

  9. Data protection statement on the processing of personal data in the context of external clients' consultations with the Ombuds Office

  10. Data protection statement on the processing of personal data in the context of the European qualifying examination

  11. Data protection statement on the processing of personal data within the framework of the EPO’s European Patent Academy activities

  12. Data protection statement on the processing of personal data in the context of the European Patent Administration Certification

  13. Data Protection Statement on the processing of personal data Study on European Patent Applications to produce statistics on the gender of inventors

  14. Data protection statement on the processing of personal data by the EPO's Academy E-learning centre

  15. Data protection statement on the processing of personal data in the context of email usage at the European Patent Office

  16. Data protection statement on the processing of personal data in the context of the EPO external communication platform (“epo.org”)

  17. Data protection statement on the processing of personal data for virtual meetings/events and videoconferencing using the “EPOtogether tool”

  18. Data protection statement on the processing of personal data in the context of European and International Co-operation units’ tasks, duties and activities (Principal Directorate 5.1)

  19. Data protection statement on the processing of personal data within the framework of the EPO’s e-Waste disposal

  20. Data protection statement on the processing of personal data for Bot Protection Service

  21. Data protection statement on the processing of personal data within the framework of the user satisfaction surveys on search services, on examination services, final actions and publication as well as on opposition services

  22. Data protection statement on the processing of personal data related to stakeholder consultation on the work plan 2023-2025 of the EPO Observatory on Patents and Technology

  23. Data protection statement on the processing of personal data in the context of the European Inventor Network (EIN)

  24. Data protection statement on the processing of personal data for mass email distribution list

  25. Data protection statement on the processing of personal data within the framework of the user satisfaction surveys

  26. Data protection statement on the processing of personal data related to stakeholder consultation on the EPO’s Strategic Plan 2028

  27. Data protection statement on the processing of personal data for SEARCH tool for National Patent Offices

  28. Data protection statement on the processing of personal data in the context of publishing the Top 25 Digital Champions of the MyEPO Portfolio service on epo.org

  29. Data Protection Statement on the processing of personal data in the context of the online user consultation on proposed amendments to the Rules of Procedure of the Boards of Appeal to further enhance the timeliness of appeal proceedings

  30. Data protection statement on processing personal data for the EPO Contingency Upload Service for parties to proceedings before the EPO

  31. Data protection statement on the processing of personal data in the context of EPO’s outreach activities

  32. Data protection statement on the processing of personal data related to online user consultations

  33. Data protection statement on the processing of personal data within the context of formal complaints and feedback

For co-operation with other European institutions or international organisations

  1. Data protection statement on the processing of personal data in the context of the PATLIB network and its centres

For organising events, training and meetings open to the public

  1. Data protection statement on the processing of personal data in the context of the European Inventor Award and the Young Inventors prize

  2. Data protection statement on the processing of personal data for virtual events and videoconferencing using Zoom

  3. Data protection statement on the processing of personal data in the framework of the organisation and management of EPO meetings and events

  4. Data protection statement on the processing of personal data in the context of the preparatory works envisaged before the European Patent Convention (EPC) 50 Years event

For managing public procurement procedures

  1. Data protection statement on the processing of personal data within the framework of the Operational reporting information used internally on the Tableau / BI4you platform

  2. Data protection statement on the processing of personal data relating to the Operational Usage of FIPS (SAP) / myFIPS in PD4.1 and PD4.7

  3. Data protection statement on processing personal data within the procurement procedures of the EPO

Access to the EPO premises

  1. Circular No. 421, EPO video surveillance policy

  2. Data Protection Statement on the processing of personal data for the registration of presence of staff and contractors within the EPO premises outside office hours

  3. Data Protection Statement on the processing of personal data in the context of preventing access to the EPO premises

  4. Data Protection Statement on the processing of personal data for the management of access control and management of access cards to the EPO

Cookies policy

A "cookie" is a small piece of data that a website stores on the data subject's computer or mobile device.

a. First-party cookies

Strictly necessary cookies. We use cookies that are necessary for site usability and security. These cookies do not gather information about data subjects, and they will not be used for marketing purposes or to collect information about your browsing behaviours or preferences. They are set by default and cannot be disabled.

Analytical cookies. We use cookies to understand your preferences and track usage trends. We may collect data about your browsing behaviour, such as IP address (anonymised by removing part of the address), location of the user based on masked IP address, IP provider (if available), browser type, operating system, language and screen resolution, the visited pages and the time and date of the visits.

We use this information to gather aggregated and anonymous statistics with a view to improving our services and your experience. The data are collected, aggregated and anonymised in our datacentre under adequate security measures.

b. Third-party cookies

The audio-visual content displayed on our website is hosted on and processed by YouTube. By watching it, you accept YouTube's specific terms and conditions, including its cookies policy, which we have no control over.

c. Cookies used on the website

The following cookies are used on the EPO internal platform:

  • Session cookies: do not contain an expiration date. They remain on your device only as long as the browser is open.
  • Persistent cookies: contain an expiration date. On the date specified, the cookie is removed from the disk.

For further information on the cookies used, please see the following list:

Strictly necessary cookies:

| Name | Provider | Source | Purpose | Expiry |
|---|---|---|---|---|
| SESS[Unique ID] | Drupal | First party | Allows logging in and remembers which contact forms you have submitted. | 23 days |
| SimpleSAMLAuthToken | Drupal | First party | Contains the session authorisation token. The SimpleSAML cookies (used for the login with Azure/Microsoft) are only set for editors and EPO staff who need to log in to Drupal. | 23 days |
| SimpleSAMLSessionID | Drupal | First party | Contains the session identifier that is used when loading and saving a user's session. | When you close your browser |
| cookie-agreed | Drupal | First party | Remembers that the user visited the website and acknowledged the use of cookies (via the dedicated banner). This preference can be changed at any time by the user. | 100 days |
| cookie-agreed-version | Drupal | First party | Indicates the version of the cookie acceptance. | 100 days |
| youtube-cookies-agreed | Drupal | First party | Allows the user to play YouTube videos. This cookie is set on your device once you have agreed to watch videos via our website. | 100 days |


Analytical cookies:

| Name | Provider | Source | Purpose | Expiry (by default) |
|---|---|---|---|---|
| _pk_id | Matomo | First party | Used to store a few details about the user, such as the unique visitor ID. | 393 days |
| _pk_ref | Matomo | First party | Used to store the attribution information (the referrer initially used to visit the website). | 150 days |
| _pk_ses | Matomo | First party | Short-lived cookie used to temporarily store data for the visit. | 30 minutes |


Third party cookies:

| Name | Provider | Purpose | Expiry (by default) |
|---|---|---|---|
| DEVICE_INFO | YouTube | Used to track the user's interaction with embedded content. | 179 days |
| VISITOR_INFO1_ | YouTube | Tries to estimate the user's bandwidth on pages with integrated YouTube videos. | 179 days |
| YSC | YouTube | Registers a unique ID to keep statistics of which YouTube videos the user has seen. | When you close your browser |

The following cookies are used on the EPO Bulk Data Distribution Service website:

Category; cookie name; source; expiry; purpose:

  • Strictly necessary: JSESSIONID $ (first party, session). Platform session cookie, used by the server to maintain the user session.
  • Strictly necessary: ambassador_session. NAME.SPACE (first party, session). Platform session cookie, used by the server to maintain the user session.
  • Strictly necessary: ambassador_xsfr. NAME.SPACE (first party, session). Platform session cookie, used by the server to maintain the user session (XSRF protection).

d. Technical information

How can you manage cookies?

You can manage/delete cookies as you wish - for details on how to manage and delete cookies, see aboutcookies.org as an example.

Removing cookies from your device

You can delete all cookies that are already on your device by clearing the browsing history of your browser. This will remove all cookies from all websites you have visited. Be aware though that you may also lose some saved information (e.g., daily authentication details).

Managing site-specific cookies

For more detailed control over site-specific cookies, check the privacy and cookie settings in your preferred browser.

Blocking cookies

You can set most modern browsers to prevent any cookies being placed on your device by selecting the Do Not Track (DNT) option in your web browser. However, some preferences may need to be adjusted every time you visit a site or page as some services and functionalities may not work properly.

If the DNT option is enabled in your browser, we will respect your choice and will not track your browsing behaviour on our website for our anonymised statistics. You can find instructions on how to activate the DNT option in some popular browsers below:

What are your rights and how can you exercise them?
Can your rights be restricted?
What redress mechanisms are available?

a. Your data protection rights

As a data subject, you have the following rights under the EPO Data Protection Rules:

Data subjects' rights and their description:

Right to information (Articles 16 and 17 DPR)

Where personal data has not been obtained from the data subjects, the controller shall, at the time when personal data is obtained, provide data subjects with information on the categories of personal data concerned and the source of the personal data and, if applicable, whether it came from publicly accessible sources.

Right of access (Article 18 DPR)

Data subjects have the right to request confirmation as to whether or not their personal data is being processed, and, if so, to access the personal data easily and at reasonable intervals, to understand which data about them is processed, to verify the quality of their personal data, to verify the lawfulness of the processing and to exercise their other rights.

Right to rectification (Article 19 DPR)

Data subjects have the right to request the correction of inaccurate personal data concerning them.

Right to erasure (Article 20 DPR)

Data subjects have the right to request the erasure of their personal data under certain circumstances, e.g. if their personal data is no longer necessary for the purposes for which it was collected or if their personal data has been unlawfully processed.

Right to restriction of processing (Article 21 DPR)

Data subjects have the right to obtain from the EPO the restriction of processing of their personal data if the data is inaccurate, the EPO no longer needs it for the purposes of processing or the processing is unlawful, or, where they have already objected to processing, pending verification of their objection.

Right to data portability (Article 22 DPR)

When personal data is processed on the basis of Articles 5(c), 5(d) and 11(2)(a) DPR, data subjects have the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning them which they have provided to the controller and the right to transmit those data to another controller without hindrance from the controller to which the personal data were initially provided.

Right to object (Article 23 DPR)

Data subjects have the right to object, at any time, to the processing of their personal data under certain circumstances. The controller shall cease to process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subjects.

Right to not be subject to a decision based solely on automated processing (Article 24 DPR)

Decisions based solely on automated processing are decisions made by machines, including profiling, which produce legal effects concerning or similarly significantly affecting data subjects. Data subjects have the right not to be subject to this kind of decision, except where the decision is necessary for entering into, or performance of a contract between them and the EPO, is authorised by a legal act or is based on their explicit consent.

b. Can your rights be restricted?

Data protection is not an absolute right. It always has to be balanced against other fundamental rights and so there may be circumstances where one or more of your rights may be restricted. If they are restricted, you will be informed of the main reasons for this and of your right to ask the Data Protection Officer to investigate and/or file a request for review with the delegated controller (see the procedure described below in d.).

These rights might be restricted on the legitimate grounds established by Article 25 of the EPO Data Protection Rules and the Circular No. 420 implementing Article 25 DPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

  • the European Patent Organisation's security, public security or defence of the contracting states
  • the prevention, investigation, detection and prosecution of criminal offences or the enforcement of criminal penalties, including the safeguarding against and the prevention of threats to public security and including cases in which Article 20 of the Protocol of Privileges and Immunities is applied
  • other substantial interests of the European Patent Organisation pertaining to its core mission, or in reason of obligations arising from the duty of co-operation with the contracting states, including monetary, budgetary and taxation matters, public health and social security
  • the internal security of the EPO, including of its electronic communications networks
  • the protection of judicial and quasi-judicial independence and judicial and quasi-judicial proceedings
  • the prevention, investigation, detection and sanction of breaches of ethics for regulated professions
  • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority
  • the protection of the data subject or the rights and freedoms of others
  • the enforcement of civil law claims

For more information about restrictions, you can consult the related Circular No. 420 and the EPO's Data Protection Officer at DPOexternalusers@epo.org.

c. How to exercise your rights

If you would like to exercise your rights as a data subject, you can contact the delegated controller via email at DPOexternalusers@epo.org.

The delegated controller should respond without undue delay and in any event within one month of receipt of your request. This period may be extended by two further months where necessary in view of the complexity and number of the requests. In this case, the delegated controller must duly notify you of the extension and the reasons for the delay within one month of the EPO's receipt of the request.

When contacting the EPO to exercise your right(s), you always need to provide certain preliminary information with the request so that we can respond more promptly and precisely. We therefore encourage you to fill in this form and submit it with your request.

Please note that the EPO will not process or handle requests to exercise data subject rights which are sent via and/or received from software used to generate automated requests (such as Mine, deseat.me, JustDelete.me, Removaly).

d. What redress mechanisms are available?

If you consider that the EPO's processing of your personal data infringes your rights as a data subject, you can make use of the specific means of redress available to you under the DPR. Please note that access to these redress mechanisms is conditional on respecting the order of the steps described below.

Overview

The overview of the redress mechanisms below is intended as a user-friendly illustration, but its content is not legally binding. The Data Protection Rules and the Rules of Procedure of the Data Protection Board are the applicable and binding legal provisions.

First step

Data subjects who consider that the processing of their personal data by the Office infringes the above-mentioned rights may request the delegated controller to review the matter and take a decision (Article 49 DPR). Where the processing is carried out by the EPO Boards of Appeal in the exercise of functions and powers under the Act of Delegation, please address your request for review to the President of the Boards of Appeal, who acts as controller of these activities.

  • Timeframe: You must submit your request for review no later than three months from the day on which you were informed or otherwise became aware of the processing of personal data allegedly infringing your rights.
  • How to file a request for review by the delegated controller? Data subjects should send their request by filling in the request for review form and sending it to: DPOexternalusers@epo.org.
  • Procedure:
    • The delegated controller should respond without undue delay and in any event within one month of receipt of your request.
    • This period may be extended by two further months where necessary, in view of the complexity and number of the requests. If so, the controller must duly notify the data subject of the extension and the reasons for the delay within one month of the EPO's receipt of the request.
    • If the controller or the delegated controller fails to take any action by the end of a period of three months, this will be deemed to be an implicit rejection of your request.

Second step

If you are not satisfied with the delegated controller's decision or if the delegated controller fails to take action within three months of submission of your request, you can file a complaint with the Data Protection Board under Article 50 DPR. The Data Protection Board will handle your complaint in accordance with its Rules of Procedure.

  • Timeframe: You must file your complaint with the Data Protection Board within three months of receipt of the delegated controller's decision or, in the case of an implicit rejection, of the date of expiry of the time limit for replying to your request for review.
  • How to lodge a complaint with the Data Protection Board: By filling in the request form and sending it to dpbcomplaints@epo.org.
  • Procedure:
    • The Data Protection Board invites the parties to set out in writing their position on the claims and facts at issue and to provide evidence or comments and arguments on evidence already at hand.
    • Further, the Data Protection Board issues a reasoned opinion to the controller. If it is deemed necessary, it may recommend compensation for material and/or non-material damage.
    • Once the opinion is communicated, the controller takes a final decision. If the controller does not follow the Data Protection Board's opinion, it must set out the reasons in writing.
    • The controller notifies the parties, as well as the Data Protection Officer and the Data Protection Board, of the final decision and the conclusions of the Data Protection Board.

Third and last step

If you disagree with the controller's final decision on your complaint, you can ask the President of the Office for ad-hoc arbitration proceedings to resolve the dispute (Article 52 DPR).

  • Timeframe: You must submit your request for arbitration within three months of receiving the controller's final decision.
  • Contact: You must fill in the request form and send it, together with all the necessary documentation it asks you to provide, to the President of the EPO at president@epo.org.
  • Procedure:
    • Arbitration takes place in The Hague (the Netherlands), with a qualified arbitrator appointed by the Secretary General of the Permanent Court of Arbitration.
    • The law governing the arbitration is the EPC, the EPO Data Protection Rules, including any implementing legislation, the law of international organisations and the principles of public international law.
    • The arbitration is confidential, and the result will be consolidated in the form of a written settlement (also called "arbitration award") which also fixes the costs of arbitration.
    • The European Patent Organisation pays the arbitration fees, but each party pays his or her own costs of legal representation and expenses unless the arbitrator decides otherwise.

How to contact us?

You can report a personal data breach or contact the relevant controller, the delegated controllers and the Data Protection Officer at DPOexternalusers@epo.org.