Data privacy policy for the processing of personal data in MS Teams

The protection of your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature (i.e. data that can identify you directly or indirectly) will be processed fairly, lawfully and with due care.

This processing operation is subject to the Guidelines for the protection of personal data in the European Patent Office. We strive to keep our data protection framework in line with current best practices. A recent audit report has confirmed that it is in close alignment with the EU’s General Data Protection Regulation (GDPR).

1. How and why do we process your personal data?

We have expanded our use of Microsoft 365, and in particular Microsoft Teams (MS Teams), to organise virtual meetings and teleconferences both within the EPO and between the EPO and our stakeholders. MS Teams is a cloud-based application included as part of Microsoft 365. It is provided to users with the aim of offering more flexibility and improving communication and collaboration both within the EPO and between the EPO and our stakeholders. The core capabilities in Teams include business messaging, calling, video meetings and file sharing.

In addition to these core capabilities, MS Teams also allows the recording of virtual meetings and the use of live captions. The use of such features is granted to specific stakeholders in accordance with internal policies on the use of MS Teams. This data privacy policy provides detailed information on all the types of data that can be processed using MS Teams, whereby the exact nature of the processing of this personal data may vary on a case-by-case basis.

For instance, the possibility of recording a virtual meeting depends on the nature of the meeting and must be authorised by the delegated data controller. Participants will be notified both in the invitation and before recording is activated that the meeting will be recorded and will be informed about the possibility to object to the recording. Personal data is processed, i.e. collected and stored in Microsoft’s cloud servers, for the purpose of providing the above-mentioned services. It will not be used for any automated decision-making, including profiling.

2. What personal data do we process?

We process the following categories/types of personal data:

  • Personal identifying information: username, first name, surname, email, work telephone number, occupation and preferred language
  • Electronic identifying information: IP address, cookies, connection data and access times
  • Films, pictures and video and sound recordings
  • Audio and video inputs from participants’ microphones and cameras (where the meeting is recorded)
  • Metadata used for maintenance of the service provided
  • Any data as (potentially) processed in the context of file sharing for professional activities (e.g. messages, images, files, voicemail, calendar meetings, contacts and the like)
  • Data processed by connected experience features such as live captions and inline message translation

3. Who is responsible for processing the data?

The processing of personal data is carried out under the responsibility of our Chief Information Officer (CIO), who is a member of our Business Information Technology (BIT) department and who acts as delegated EPO data controller.

However, whenever the use of the MS Teams application is requested by another business unit of the EPO, BIT will act as the data processor. In this situation, the requesting business unit will act as the delegated data controller.  

Personal data is processed by the EPO’s external service provider, Microsoft, for the following activities:

  • Providing end-user support and troubleshooting for Microsoft 365 applications and features related to the conduct of virtual meetings and teleconferences
  • Tracking changes to users and groups
  • Managing content uploaded to MS Teams, including data retention policies
  • Managing MS Teams settings
  • Supporting, operating and maintaining the EPO’s online services

Further details of how we process personal data for all Microsoft 365 services are available in the Data privacy statement for the processing of personal data in Microsoft 365.

For more information on the processing of personal data by Microsoft, see the Microsoft Privacy Statement.

4. Who has access to your personal data and to whom is it disclosed?

Personal data is disclosed on a need-to-know basis to the following recipients:

  • EPO staff and external users included in the MS Teams team that is used for the exchange of information.
  • EPO BIT and Microsoft staff involved in the data processing necessary to provide the service.

Where a virtual meeting is recorded, the recording may potentially be disclosed to the EPO as a whole, or outside the EPO, depending on the meeting. In either circumstance, the data subject will be duly informed by the meeting organiser of the details of the processing operation. Personal data is stored in the European Union (EU) in accordance with the application configuration implemented by the EPO.

It is not used for any other purposes, nor is it disclosed to any other recipient.

5. How do we protect and safeguard your personal data?

We implement appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

MS Teams has been configured to preserve the confidentiality of the information you exchange by implementing encryption during all communications and in storage. Anonymous access is not authorised. Any information you add to a group in MS Teams, be it via chat, videoconference or file sharing, will be available only to the specific users and groups indicated in section 4 above.

Personal data is collected and processed in accordance with the EPO’s information security policies.  

Microsoft data centres are certified in several security standards, including ISO27001, SOC1 and SOC2, NIST Cybersecurity Framework (CSF), ISO27017 and ISO27018 Code of Practice for Protecting Personal Data in the Cloud.

Microsoft has implemented a number of safeguards to ensure the availability of the information. As a minimum, data is replicated between two data centres within the same region, has redundancy controls and implements backups that are encrypted before being transmitted and stored.

Data centres have physical and logical security monitoring measures, including:

  • video surveillance of perimeters
  • seismic and environmental monitoring of buildings
  • monitoring of security threats, such as worms, denial of service attacks, unauthorised access and any other type of unlawful activity

Microsoft has implemented a list of over 700 safeguards in its systems, servers and data centres. They include safeguards against accidental or unlawful destruction, loss, unauthorised access, use, modification or disclosure. These internal controls are audited on an annual basis. If required, audit information can be provided under a non-disclosure agreement. Information is encrypted while at rest and in transit.

As mentioned above, personal data is stored in the EU according to the application configuration implemented by the EPO. It may, however, be made available to sub-contractors in other countries, depending on the requirements for maintenance, support or operation of cloud-hosted services, and the availability of this expertise. If access is granted, it is always temporary and only to the data required for the specific maintenance, support or operation procedure being carried out. The following safeguards are implemented:

  • In all transfers to third countries, Microsoft uses EU standard contract clauses for data transfer with its sub-processors.
  • Microsoft requires sub-processors to join the Microsoft Supplier Security and Privacy Assurance Program. This programme is designed to standardise and strengthen data handling practices, and to ensure that supplier business processes and systems are consistent with those of Microsoft.

5.1 Specific measures relating to the recording of MS Teams meetings

Where a virtual meeting is recorded, participants can limit the processing of their personal data by activating/de-activating their microphone and camera. In addition, where there are legitimate grounds, participants can also ask via the chat feature for the recording to be temporarily suspended so that they can contribute without being recorded.

6. What rights do I have to my data?

You have the following rights with respect to your data.

6.1. Right of access

You have the right to request confirmation as to whether or not your personal data is being processed, and, where that is the case, to request access to it as well as to information on the purpose of the processing or the categories of personal data concerned.

6.2. Right to rectification

You have the right to request the correction of inaccurate personal data.

6.3. Right to block processing

You have the right to ask the EPO to restrict the processing of your personal data under certain circumstances, e.g. if you think that the processing is incorrect or unlawful.

6.4. Right to erasure

You have the right to request erasure of your personal data without undue delay under certain circumstances, e.g. if your personal data is no longer necessary for the purposes for which it was collected or if it has been unlawfully processed.

6.5. Right to object

You have the right to object to the processing of your personal data under certain circumstances.

You can assert your above-mentioned rights by writing to our Chief Information Officer at

7. What is the legal basis for processing your data?

Processing is based on Article 5(a) of the Guidelines for the protection of personal data in the European Patent Office.

For some recordings of virtual meetings where the data subject (e.g. an external speaker at an online meeting organised by the EPO that is going to be recorded) has given their consent, the processing may be based on Article 5(e) of these Guidelines.

8. How long do we store your data?

Data will be stored in MS Teams for one year after the exchange activity is completed.

Data resulting from the recording of an MS Teams meeting may be kept for longer than one year depending on the nature of the meeting. The period of retention is defined in accordance with the purpose of the recording. If a recording becomes outdated or obsolete before the end of the retention period it will be deleted. Further information on the retention period will be provided in a specific data protection statement and/or disclaimer which will be sent with the invitation to the meeting.  

9. Contact information

If you have any questions concerning the processing of your personal data, please write to our Chief Information Officer at

You can also contact our Data Protection Officer at

Data subjects who wish to exercise their rights relating to recorded virtual meetings using MS Teams may do so by contacting the organiser of the event concerned.  
