Data protection statement on the processing of personal data in Okta's Customer Identity and Access Management (CIAM) system

Protecting your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature that identifies you directly or indirectly will be processed fairly, lawfully and with due care.

This processing operation is subject to the Guidelines for the Protection of Personal Data in the European Patent Office.

The information in this communication is provided pursuant to Articles 13 and 14 of these Guidelines.

1. What is the nature and purpose of the processing operation?

The processing operation involves customers authenticating via CIAM to access EPO online services. CIAM uses Okta's cloud-based Software as a Service (SaaS) platform.

The authentication is required as soon as an attempt is made to log in to a secure area of EPO online services that is accessible only with an existing smart card obtained and registered for using those services. CIAM uses a copy of our smart card user database to grant access.

2. What personal data do we process?

We may process your personal data whenever you use EPO online services. Personal data processed includes your first and last name, smart card number and preferred language.

3. Who is responsible for processing the data?

The processing of personal data is carried out under the responsibility of our Chief Information Officer acting as the EPO's delegated data controller. Personal data is processed by our Information Security Dept. 4.6.2.3.

4. Who has access to your personal data and to whom is it disclosed?

The personal data is disclosed on a need-to-know basis to the EPO staff (system administrators) in its Information Security Dept. 4.6.2.3.

This department may disclose personal data to third-party service providers for maintenance and support purposes.

5. How do we protect and safeguard your personal data?

We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

Okta does not transfer the personal data to countries that do not guarantee adequate levels of data protection. The following technical and organisational security measures have been implemented:

Okta has administrative, physical and technical safeguards in place to protect the security, confidentiality and integrity of both customer and personal data. These safeguards are described in Okta's trust and compliance documentation.

Okta processes personal data in accordance with those EU General Data Protection Regulation (GDPR) requirements directly applicable to its provision of the service.

Okta has obtained certification under the Asia-Pacific Economic Cooperation (APEC) scheme of Privacy Recognition for Processors (PRP) and processes personal data accordingly.

6. How can you access, rectify and receive your data, request that your data be erased, or restrict/object to processing?

You have the right to access, rectify and receive your personal data, to have your data erased and to restrict and object to the processing of your data, in accordance with Articles 14 and 15 of the Guidelines.

If you would like to exercise any of these rights, please write with details of your request to the data controller at infosecurity@epo.org.

Your request will be answered within three months of receipt. However, according to Article 14(7) of the Guidelines, this period may be extended, taking into account the complexity and number of requests. We will inform you of any such extension.

7. What is the legal basis for processing your data?

Personal data is processed in accordance with Article 5(a) of the Guidelines, which provides for processing which "is necessary for the performance of a task carried out ... in the legitimate interest of the official authority vested in the European Patent Office".

8. How long can data be kept?

Personal data processed by the data controller or the service providers under its supervision are generally stored for no longer than necessary for the purposes for which they have been processed.

Personal data will be stored for the duration of the contract with Okta.

9. Contact information

If you have any questions about the processing of your personal data, please write to our data controller at infosecurity@epo.org.

You can also contact our Data Protection Officer at dpo@epo.org.