Data privacy policy for the processing of personal data in MS Teams

The protection of your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature (i.e. data that can identify you directly or indirectly) will be processed fairly, lawfully and with due care.

This processing operation is subject to the Guidelines for the protection of personal data in the European Patent Office. We strive to keep our data protection framework in line with current best practices. A recent audit report has confirmed that it is in close alignment with the EU’s General Data Protection Regulation (GDPR).

1. How and why do we process your personal data?

We have expanded our use of Microsoft 365, and in particular Microsoft Teams (MS Teams), to organise virtual meetings and teleconferences both within the EPO and between the EPO and our stakeholders. MS Teams is a cloud-based application included as part of Microsoft 365. It is provided to users with the aim of offering more flexibility and improving communication and collaboration both within the EPO and between the EPO and our stakeholders. The core capabilities in Teams include business messaging, calling, video meetings and file sharing.

Personal data is processed, i.e. collected and stored in Microsoft’s cloud servers, for the purpose of providing the above-mentioned services.

It will not be used for any automated decision-making, including profiling.

2. What personal data do we process?

We process the following categories/types of personal data:

  • Personal identifying information: username, first name, surname, email, work telephone number, occupation and preferred language
  • Electronic identifying information: IP address, cookies, connection data and access times
  • Films, pictures and video and sound recordings
  • Metadata used for maintenance of the service provided
  • Any data as (potentially) processed in the context of file sharing for professional activities (e.g. messages, images, files, voicemail, calendar meetings, contacts and the like)

3. Who is responsible for processing the data?

The processing of personal data is carried out under the responsibility of our Chief Information Officer (CIO), who is a member of our Business Information Technology (BIT) department and who acts as delegated EPO data controller.

Personal data is processed by the EPO’s external service provider, Microsoft, for the following activities:

  • Providing end-user support and troubleshooting for Office 365 applications and features related to conducting virtual meetings and teleconferences
  • Tracking changes to users and groups
  • Managing content uploaded to MS Teams, including data retention policies
  • Managing MS Teams settings
  • Supporting, operating and maintaining the EPO’s online services

Further details of how we process personal data for all Microsoft 365 services are available in the Data privacy statement for the processing of personal data in Microsoft 365. For more information on the processing of personal data by Microsoft, see the Microsoft Privacy Statement.

4. Who has access to your personal data and to whom is it disclosed?

Personal data is disclosed on a need-to-know basis to the following recipients:

  • EPO staff and external users included in the MS Teams team that is used for the exchange of information.
  • BIT and Microsoft staff involved in the data processing necessary to provide the service.

Personal data is stored in the European Union (EU) in accordance with the application configuration implemented by the EPO.

It is not used for any other purposes, nor is it disclosed to any other recipient.

5. How do we protect and safeguard your personal data?

We implement appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

MS Teams has been configured to preserve the confidentiality of the information you exchange by encrypting it both in transit (during all communications) and at rest (in storage). Anonymous access is not authorised. Any information you add to a group in MS Teams, be it via chat, videoconference or file sharing, will be available only to the specific users and groups indicated in section 4 above.

Microsoft data centres are certified against several security standards, including ISO 27001, SOC 1 and SOC 2, the NIST Cybersecurity Framework (CSF), ISO 27017 and ISO 27018 (Code of Practice for Protecting Personal Data in the Cloud).

Microsoft has implemented a number of safeguards to ensure the availability of the information. As a minimum, data is replicated between two data centres within the same region, is protected by redundancy controls and is backed up, with backups encrypted before they are transmitted and stored.

Data centres have physical and logical security monitoring measures, including:

  • video surveillance of perimeters
  • seismic and environmental monitoring of buildings
  • monitoring of security threats, such as worms, denial of service attacks, unauthorised access and any other type of unlawful activity

Microsoft has implemented a list of over 700 safeguards in its systems, servers and data centres. They include safeguards against accidental or unlawful destruction, loss, unauthorised access, use, modification or disclosure. These internal controls are audited on an annual basis. If required, audit information can be provided under a non-disclosure agreement. Information is encrypted while at rest and in transit.

As mentioned above, personal data is stored in the EU according to the application configuration implemented by the EPO. It may, however, be made available to sub-contractors in other countries, depending on the requirements for maintenance, support or operation of cloud-hosted services, and on the availability of the necessary expertise. Where such access is granted, it is always temporary and limited to the data required for the specific maintenance, support or operation procedure being carried out. The following safeguards are implemented:

  • In all transfers to third countries, Microsoft uses the EU standard contractual clauses for data transfer with its sub-processors.
  • Microsoft requires sub-processors to join the Microsoft Supplier Security and Privacy Assurance Program. This programme is designed to standardise and strengthen data handling practices, and to ensure that supplier business processes and systems are consistent with those of Microsoft.

6. What rights do you have to your data?

You have the following rights with respect to your data.

6.1. Right of access

You have the right to request confirmation as to whether or not your personal data is being processed, and, where that is the case, to request access to it as well as to information on the purpose of the processing or the categories of personal data concerned.

6.2. Right to rectification

You have the right to request the correction of inaccurate personal data.

6.3. Right to blocking of the data

You have the right to ask the EPO to restrict the processing of your personal data under certain circumstances, e.g. if you think that the processing is incorrect or unlawful.

6.4. Right to erasure

You have the right to request erasure of your personal data without undue delay under certain circumstances, e.g. if your personal data is no longer necessary for the purposes for which it was collected or if it has been unlawfully processed.

6.5. Right to object

You have the right to object to the processing of your personal data under certain circumstances.

You can assert your above-mentioned rights by writing to our Chief Information Officer at CIO_CTO_Office@epo.org.

7. What is the legal basis for processing your data?

Processing is based on Article 5(a) of the Guidelines for the protection of personal data in the European Patent Office.

Personal data is collected and processed in accordance with the EPO’s information security policies.

8. How long do we store your data?

Data will be stored in MS Teams for one year after the exchange activity is completed.

9. Contact information

If you have any questions concerning the processing of your personal data, please write to our Chief Information Officer at CIO_CTO_Office@epo.org.

You can also contact our Data Protection Officer at dataprotection@epo.org.