The protection of your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature (i.e. data that can identify you directly or indirectly) will be processed fairly, lawfully and with due care.
This processing operation is subject to the Guidelines for the protection of personal data in the European Patent Office. We strive to keep our data protection framework in line with current best practices. A recent audit report has confirmed that it is in close alignment with the EU’s General Data Protection Regulation (GDPR).
We have expanded our use of Microsoft 365, and in particular Microsoft Teams (MS Teams), to organise virtual meetings and teleconferences both within the EPO and between the EPO and our stakeholders. MS Teams is a cloud-based application included as part of Microsoft 365. It is provided to users with the aim of offering more flexibility and improving communication and collaboration both within the EPO and between the EPO and our stakeholders. The core capabilities in Teams include business messaging, calling, video meetings and file sharing.
For instance, the possibility of recording a virtual meeting depends on the nature of the meeting and must be authorised by the delegated data controller. Participants will be notified both in the invitation and before recording is activated that the meeting will be recorded, and will be informed of the possibility of objecting to the recording. Personal data is processed, i.e. collected and stored on Microsoft's cloud servers, for the purpose of providing the above-mentioned services. It will not be used for any automated decision-making, including profiling.
We process the following categories/types of personal data:
The processing of personal data is carried out under the responsibility of our Chief Information Officer (CIO), who is a member of our Business Information Technology (BIT) department and who acts as delegated EPO data controller.
However, whenever the use of the MS Teams application is requested by another business unit of the EPO, BIT will act as the data processor. In this situation, the requesting business unit will act as the delegated data controller.
Personal data is processed by the EPO’s external service provider, Microsoft, for the following activities:
Further details of how we process personal data for all Microsoft 365 services are available in the Data privacy statement for the processing of personal data in Microsoft 365.
For more information on the processing of personal data by Microsoft, see the Microsoft Privacy Statement.
Personal data is disclosed on a need-to-know basis to the following recipients:
Where a virtual meeting is recorded, the recording may be disclosed to the EPO as a whole or outside the EPO, depending on the meeting. In either case, the data subject will be duly informed by the meeting organiser of the details of the processing operation. Personal data is stored in the European Union (EU) in accordance with the application configuration implemented by the EPO.
It is not used for any other purposes, nor is it disclosed to any other recipient.
We implement appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.
MS Teams has been configured to preserve the confidentiality of the information you exchange by encrypting it both in transit (during all communications) and at rest (in storage). Anonymous access is not authorised. Any information you add to a group in MS Teams, be it via chat, videoconference or file sharing, will be available only to the specific users and groups indicated in section 4 above.
Personal data is collected and processed in accordance with the EPO’s information security policies.
Microsoft data centres are certified against, or independently assessed against, several security standards, including ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018 (the Code of Practice for Protecting Personal Data in the Cloud), SOC 1 and SOC 2 attestation reports, and the NIST Cybersecurity Framework (CSF).
Microsoft has implemented a number of safeguards to ensure the availability of the information. As a minimum, data is replicated between two data centres within the same region, is protected by redundancy controls, and is backed up, with backups encrypted before being transmitted and stored.
Data centres have physical and logical security monitoring measures, including:
Microsoft has implemented a list of over 700 safeguards in its systems, servers and data centres. They include safeguards against accidental or unlawful destruction, loss, unauthorised access, use, modification or disclosure. These internal controls are audited on an annual basis. If required, audit information can be provided under a non-disclosure agreement. Information is encrypted while at rest and in transit.
As mentioned above, personal data is stored in the EU according to the application configuration implemented by the EPO. It may, however, be made available to sub-contractors in other countries, depending on the requirements for maintenance, support or operation of cloud-hosted services and on where this expertise is available. Where such access is granted, it is always temporary and limited to the data required for the specific maintenance, support or operation procedure being carried out. The following safeguards are implemented:
You have the following rights with respect to your data.
You have the right to request confirmation as to whether or not your personal data is being processed, and, where that is the case, to request access to it as well as to information on the purpose of the processing or the categories of personal data concerned.
You have the right to request the correction of inaccurate personal data.
You have the right to ask the EPO to restrict the processing of your personal data under certain circumstances, e.g. if you think that the processing is incorrect or unlawful.
You have the right to request erasure of your personal data without undue delay under certain circumstances, e.g. if your personal data is no longer necessary for the purposes for which it was collected or if it has been unlawfully processed.
You have the right to object to the processing of your personal data under certain circumstances.
You can assert your above-mentioned rights by writing to our Chief Information Officer at CIO_CTO_Office@epo.org.
Processing is based on Article 5(a) of the Guidelines for the protection of personal data in the European Patent Office.
For some recordings of virtual meetings where the data subject (e.g. an external speaker at an online meeting organised by the EPO that is going to be recorded) has given their consent, the processing may be based on Article 5(e) of these Guidelines.
Data will be stored in MS Teams for one year after the exchange activity is completed.
Data resulting from the recording of an MS Teams meeting may be kept for longer than one year depending on the nature of the meeting. The period of retention is defined in accordance with the purpose of the recording. If a recording becomes outdated or obsolete before the end of the retention period it will be deleted. Further information on the retention period will be provided in a specific data protection statement and/or disclaimer which will be sent with the invitation to the meeting.
If you have any questions concerning the processing of your personal data, please write to our Chief Information Officer at CIO_CTO_Office@epo.org.
You can also contact our Data Protection Officer at firstname.lastname@example.org.
Data subjects who wish to exercise their rights relating to recorded virtual meetings using MS Teams may do so by contacting the organiser of the event concerned.