Protecting your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature that identifies you directly or indirectly will be processed lawfully, fairly and with due care.
This processing operation is subject to the EPO Data Protection Rules (DPR).
The information in this communication is provided pursuant to Articles 16 and 17 DPR.
This data protection statement explains the way in which your personal data is handled within the framework of Customer Service Management.
At the EPO, when an enquiry is received, the sender's data are compared against the contact details in our database to identify the sender and to allow their enquiry to be routed using these contact details. This makes it possible to automatically acknowledge receipt of the enquiry, update and reply to the user and monitor any pending requests, in order to provide the best possible user experience. The contact details are only needed, processed and stored in so far as they are required to handle user enquiries about EPO tools, pending applications for a European patent, international PCT applications, opposition and limitation/revocation files, patent information issues and EPO products and to handle user questions, payment-related queries and other issues which are linked to the mission and services provided by the EPO.
Your anonymised data may also be used for statistical purposes and trend monitoring, as well as to gather information about categories of user or the types of issue users address.
All enquiries received are stored in the external processor's data centres located in Düsseldorf and Frankfurt, Germany.
Your personal data are processed in order to:
The processing is not intended to be used for any automated decision-making.
The personal data processed within the framework of Customer Service Management are stored in Germany, which is considered a country where an adequate level of protection of personal data is ensured. Stored personal data are not accessed from a country that does not ensure an adequate level of data protection. Specific safeguards, including a data processing agreement with the provider, have been put in place to mitigate the risks.
The categories of personal data processed are as follows:
The ticket itself consists of the following elements:
The following types/categories of personal data may be processed regarding EPO internal employees and external EPO contractors who are involved in customer service case resolution and related activities:
The processing of personal data is carried out under the responsibility of the Vice-President DG 1 acting as the EPO's delegated data controller.
Personal data are processed by the EPO staff involved in the management of the respective initiative, project or activity of Principal Directorate Quality, Business and User Services.
External contractors involved in providing and maintaining Customer Service Management software may also access the personal data, for maintenance and support purposes only.
The personal data are disclosed on a need-to-know basis to the EPO staff working in:
Personal data may be disclosed to third-party service providers for maintenance and support purposes.
Personal data will only be shared with authorised persons responsible for the corresponding processing operations and are not used for any other purposes or disclosed to any other persons.
We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.
All personal data are stored in secure IT applications in accordance with the EPO's security standards. Appropriate levels of access are granted individually only to the above-mentioned recipients.
All personal data processed in the systems hosted on the EPO premises are stored in secure IT applications in accordance with the security standards of the EPO. These include:
For personal data processed and stored in Customer Service Management software, the EPO has carried out a privacy and security risk assessment. The provider processing the personal data has committed in a binding agreement to comply with its data protection obligations stemming from the applicable data protection legal framework.
The provider's security framework is based on ISO/IEC 27002:2013. It has been an ISO 27001-certified organisation since 2012 and is also ISO/IEC 27017:2015- and 27018:2019-certified. The provider also applies industry-recognised information security frameworks. These include ISO/IEC 27001:2013 and ISO/IEC 27017:2015 and 27018:2014, as well as accreditation with regional standards and regulations.
The software is required to have implemented appropriate technical and organisational measures such as:
You have the right to access, rectify and receive your personal data, to have your data erased and to restrict and object to the processing of your data, as outlined in Articles 18 to 24 DPR. The right to rectification can only apply to inaccurate or incomplete objective and factual data processed within the framework of Customer Service Management and does not apply to subjective statements.
If you would like to exercise any of these rights, please write with details of your request to the delegated data controller at firstname.lastname@example.org. In order to enable us to respond more promptly and precisely, you always need to provide certain preliminary information with your request. We therefore encourage you to fill in this form and submit it with your request.
Your data can also be erased upon request.
We will reply to your request without undue delay, and in any event within one month of receipt of the request. However, according to Article 15 (2) DPR, that period may be extended by two further months if necessary, taking into account the complexity and number of requests received. We will inform you of any such delay.
Personal data is processed in accordance with Article 5 a. DPR: processing is necessary for the performance of a task carried out on the basis of legal provisions of the European Patent Organisation or in the legitimate exercise of the official authority vested in the EPO.
The processing is necessary for the management and functioning of the EPO.
Personal data will be kept only for the time needed to achieve the purposes for which it is processed. Personal data will be stored as long as the processing is operational.
Contact details will be stored for five years after they were last used or updated, i.e. after the last interaction with the data subject within the framework of Customer Service Management.
Personal data received with an enquiry will be anonymised five years after the closure of a particular ticket, allowing the anonymised data to be used for statistical purposes.
In the event of a formal appeal/litigation, all data held at the time the formal appeal/litigation was initiated will be retained until the proceedings have been closed.
If you have any questions about the processing of your personal data, please write to the delegated data controller at email@example.com.
You can also contact the Data Protection Officer at firstname.lastname@example.org.
If you consider that the processing infringes your rights as a data subject, you have the right to request review by the controller under Article 49 DPR and, if you disagree with the outcome of the review, the right to seek legal redress under Article 50 DPR.