The protection of your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature (i.e. data that can identify you directly or indirectly) will be processed fairly, lawfully and with due care.
This processing operation is subject to the Guidelines for the protection of personal data in the European Patent Office. We strive to keep our data protection framework in line with current best practices. A recent audit report has confirmed that it is in close alignment with the EU’s General Data Protection Regulation (GDPR).
We have expanded our use of Microsoft 365, which includes cloud-based services such as OneDrive, MS Teams and MS Forms. The set of applications included in Microsoft 365 is provided to users with the aim of increasing flexibility and improving communication and collaboration, both within the EPO and between the EPO and external stakeholders.
Personal data is processed, i.e. collected and stored in Microsoft’s cloud servers, for the purpose of providing the above-mentioned services.
This processing will not be used for any automated decision-making, including profiling.
We process the following categories/types of personal data:
The processing of personal data is carried out under the responsibility of our Chief Information Officer, who is a member of our Business Information Technology (BIT) department and who acts as delegated EPO data controller.
Personal data is processed by the EPO’s external service provider, Microsoft, for the following activities:
For more information on the processing of personal data by Microsoft, see the Microsoft Privacy Statement.
Personal data is disclosed on a need-to-know basis to the following recipients:
Personal data is stored in the European Union (EU) in accordance with the application configuration implemented by the EPO.
It is not used for any other purposes, nor is it disclosed to any other recipient.
We implement appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.
Microsoft 365 has been configured to preserve the confidentiality of the information you exchange by implementing encryption during all communications and in storage. Anonymous access is not authorised. Any information you add to Microsoft 365, be it via chat, videoconference or file sharing, will be available only to the specific users and groups indicated in section 4 above.
Microsoft data centres are certified in several security standards, including ISO27001, SOC1 and SOC2, NIST Cybersecurity Framework (CSF), ISO27017 and ISO27018 Code of Practice for Protecting Personal Data in the Cloud.
Microsoft has implemented a number of safeguards to ensure the availability of the information. As a minimum, data is replicated between two data centres within the same region, has redundancy controls and implements backups that are encrypted before being transmitted and stored.
Data centres have physical and logical security monitoring measures, including:
Microsoft has implemented a list of over 700 safeguards in its systems, servers and data centres. They include safeguards against accidental or unlawful destruction, loss, unauthorised access, use, modification or disclosure. These internal controls are audited on an annual basis. If required, audit information can be provided under a non-disclosure agreement. Information is encrypted while at rest and in transit.
As mentioned above, personal data is stored in the EU according to the application configuration implemented by the EPO. It may, however, be made available to sub-contractors in other countries, depending on the requirements for maintenance, support or operation of cloud-hosted services, and the availability of this expertise. If access is granted, it is always temporary and limited to the data required for the specific maintenance, support or operation procedure being carried out. The following safeguards are implemented:
You have the right to access, rectify and receive your personal data, as well as to restrict and object to the processing of your data, in accordance with Article 14 of the Guidelines for the protection of personal data in the European Patent Office.
If you would like to exercise any of these rights, please write with details of your request to our Chief Information Officer at CIO_CTO_Office@epo.org.
We will reply to your request without undue delay, and in any event within three months of receipt of the request. However, according to Article 14(7) of the Guidelines for the protection of personal data in the European Patent Office, that period may be extended if necessary, taking into account the complexity and number of requests received. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay.
Processing is based on Article 5(a) of the Guidelines for the protection of personal data in the European Patent Office.
Personal data is collected and processed in accordance with the EPO’s information security policies.
According to Microsoft’s standard policy for Microsoft 365, data is recoverable for up to 93 days after deletion by the user.
If you have any questions concerning the processing of your personal data, please write to our Chief Information Officer at CIO_CTO_Office@epo.org.
You can also contact our Data Protection Officer at firstname.lastname@example.org.