Data privacy policy for the processing of personal data in Microsoft 365

The protection of your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature (i.e. data that can identify you directly or indirectly) will be processed fairly, lawfully and with due care.

This processing operation is subject to the Guidelines for the protection of personal data in the European Patent Office. We strive to keep our data protection framework in line with current best practices. A recent audit report has confirmed that it is in close alignment with the EU’s General Data Protection Regulation (GDPR).

1. How and why do we process your personal data?

We have expanded our use of Microsoft 365, which includes cloud-based services such as OneDrive, MS Teams and MS Forms. The set of applications included in Microsoft 365 is provided to users with the aim of increasing flexibility and improving communication and collaboration, both within the EPO and between the EPO and external stakeholders.

Personal data is processed, i.e. collected and stored in Microsoft’s cloud servers, for the purpose of providing the above-mentioned services.

This processing will not be used for any automated decision-making, including profiling.

2. What personal data do we process?

We process the following categories/types of personal data:

  • Personal identifying information: username, first name, surname, email, work telephone number, occupation and preferred language
  • Electronic identifying information: IP address, cookies, connection data and access times
  • Films, pictures and video and sound recordings
  • Metadata used for maintenance of the service provided
  • Any data as (potentially) processed in the context of file sharing for professional activities (e.g. messages, images, files, voicemail, calendar meetings, contacts and the like)

3. Who is responsible for processing the data?

The processing of personal data is carried out under the responsibility of our Chief Information Officer, who is a member of our Business Information Technology (BIT) department and who acts as delegated EPO data controller.

Personal data is processed by the EPO’s external service provider, Microsoft, for the following activities:

  • Providing end-user support and troubleshooting for Office 365 applications and features related to conducting virtual meetings and teleconferences
  • Tracking changes to users and groups
  • Managing content uploaded to Microsoft 365, including data retention policies
  • Managing Microsoft 365 settings
  • Supporting, operating and maintaining the EPO’s online services

For more information on the processing of personal data by Microsoft, see the Microsoft Privacy Statement.

4. Who has access to your personal data and to whom is it disclosed?

Personal data is disclosed on a need-to-know basis to the following recipients:

  • EPO staff and external users included in Microsoft 365 services used for the exchange of information.
  • BIT and Microsoft staff involved in the data processing necessary to provide the service.

Personal data is stored in the European Union (EU) in accordance with the application configuration implemented by the EPO.

It is not used for any other purposes, nor is it disclosed to any other recipient.

5. How do we protect and safeguard your personal data?

We implement appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

Microsoft 365 has been configured to preserve the confidentiality of the information you exchange by implementing encryption during all communications and in storage. Anonymous access is not authorised. Any information you add to Microsoft 365, be it via chat, videoconference or file sharing, will be available only to the specific users and groups indicated in section 4 above.

Microsoft data centres are certified in several security standards, including ISO27001, SOC1 and SOC2, NIST Cybersecurity Framework (CSF), ISO27017 and ISO27018 Code of Practice for Protecting Personal Data in the Cloud.

Microsoft has implemented a number of safeguards to ensure the availability of the information. As a minimum, data is replicated between two data centres within the same region, has redundancy controls and implements backups that are encrypted before being transmitted and stored.

Data centres have physical and logical security monitoring measures, including:

  • video surveillance of perimeters
  • seismic and environmental monitoring of buildings
  • monitoring of security threats, such as worms, denial of service attacks, unauthorised access and any other type of unlawful activity

Microsoft has implemented a list of over 700 safeguards in its systems, servers and data centres. They include safeguards against accidental or unlawful destruction, loss, unauthorised access, use, modification or disclosure. These internal controls are audited on an annual basis. If required, audit information can be provided under a non-disclosure agreement. Information is encrypted while at rest and in transit.

As mentioned above, personal data is stored in the EU according to the application configuration implemented by the EPO. It may, however, be made available to sub-contractors in other countries, depending on the requirements for maintenance, support or operation of cloud-hosted services, and the availability of this expertise. If access is granted, it is always temporary and only to the data required for the specific maintenance, support or operation procedure being carried out. The following safeguards are implemented:

  • In all transfers to third countries, Microsoft uses EU standard contract clauses for data transfer with its sub-processors.
  • Microsoft requires sub-processors to join the Microsoft Supplier Security and Privacy Assurance Program. This programme is designed to standardise and strengthen data handling practices, and to ensure that supplier business processes and systems are consistent with those of Microsoft.

6. What rights do I have to my data?

You have the right to access, rectify and receive your personal data, as well as to restrict and object to the processing of your data, in accordance with Article 14 of the Guidelines for the protection of personal data in the European Patent Office.

If you would like to exercise any of these rights, please write with details of your request to our Chief Information Officer at

We will reply to your request without undue delay, and in any event within three months of receipt of the request. However, according to Article 14(7) of the Guidelines for the protection of personal data in the European Patent Office, that period may be extended if necessary, taking into account the complexity and number of requests received. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay.

7. What is the legal basis for processing your data?

Processing is based on Article 5(a) of the Guidelines for the protection of personal data in the European Patent Office.

Personal data is collected and processed in accordance with the EPO’s information security policies.

8. How long do we store your data?

According to Microsoft’s standard policy for Microsoft 365, data is recoverable for up to 93 days after deletion by the user.

9. Contact information

If you have any questions concerning the processing of your personal data, please write to our Chief Information Officer at

You can also contact our Data Protection Officer at
