Data protection statement on the processing of personal data in the context of external clients' consultations with the Ombuds Office

Protecting your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to protecting your personal data and ensuring respect for data subjects' rights when performing our tasks and providing our services. All data of a personal nature that identify you directly or indirectly will be processed lawfully, fairly and with due care.

The processing operations described below are subject to the EPO Data Protection Rules (DPR).

The information in this statement is provided in accordance with Articles 16 and 17 DPR.

This statement relates to the processing of personal data in the context of communications between you and the Ombuds Office. It explains the way in which your personal data will be processed, kept and stored when you share it with the Ombuds Office.

1. What is the nature and purpose of the processing operation?

The Ombuds Office processes personal data of persons who raise a matter with it. The personal data are processed for the purpose of assisting them in getting their matter back on track when they have been unable to resolve it to their satisfaction via the regular formal channels.

What happens when you contact the Ombuds Office?

When you contact the Ombuds Office, your matter will be treated in the strictest of confidence. Your data will be shared confidentially with the appropriate EPO managers, who will receive the minimum information essential to deal with your matter. Should the Ombuds Office consider it necessary to share your personal data with any other EPO staff involved in your matter, it will do so only with your express agreement.

Once your matter is closed, all personal data, including any reference to your organisation or affiliation or to the applicant you are representing, will be deleted. You can close your matter at any time. You may also withdraw your agreement to the processing of your personal data at any time, in which case all personal data, including any reference to your organisation or affiliation or to the applicant you are representing, will be deleted.

The Ombuds Office will keep an anonymous record of reported matters to enable it to identify trends or systemic issues. Its reports will not contain any details relating to personal data or to organisations or affiliations.

In exceptional cases, where the Ombuds Office considers information shared with it to indicate an imminent risk of serious harm to an individual or an illegal activity, it will share this information with relevant EPO managers to enable them to take appropriate action. If your matter relates to an integrity issue, such as fraud, corruption or other irregular activities, you should report it to the EPO department responsible for ensuring compliance at investigations@epo.org or at + 49 89 2399 1577.

You may inform the Ombuds Office at any time that you do not wish to continue the procedure with the Ombuds Office. In this case, your personal data, including any reference to your organisation or affiliation or to the applicant you are representing, will be deleted and any other data you have provided will be anonymised.

Please be reassured that your personal data will be processed solely for the above-mentioned purposes. In addition, the processing is not intended to be used for any automated decision making, including profiling. Your personal data will not be transferred to recipients outside the EPO.

2. What personal data do we process?

The data processed in each case will depend on the data you provide to the Ombuds Office for handling your matter. It will be used for the purpose of assisting you in getting your matter back on track when you have been unable to resolve it via the regular formal channels.

As an informal service, the Ombuds Office only processes the personal data you provide. This data may include:

  • Your first and last name
  • Your organisation/employer
  • Your work contact details, including email and postal addresses
  • Any affiliation with an association
  • The applicant you are representing
  • The application details
  • The names of EPO staff members involved in your matter

3. Who is responsible for processing the data?

Personal data are processed under the responsibility of the Ombuds Office, acting as the EPO's delegated data controller for informal communications with persons raising a matter with it.

Personal data are processed by the Ombuds Office staff handling your informal communications with them. They will treat your personal data as strictly confidential, sharing only the minimum with the relevant EPO line managers and, if necessary, other staff members involved in your matter as indicated above.

4. Who has access to your personal data and to whom are they disclosed?

The Ombuds Office will share your personal data with the relevant EPO line managers as appropriate. Should the nature of your matter require sharing your personal data with any other EPO staff, this will be done only with your express agreement.

The Ombuds Office will provide the relevant EPO line managers and, if necessary, other staff members involved in your matter only with the minimum information necessary to resolve it.

In exceptional cases, where the Ombuds Office considers information shared with it to indicate an imminent risk of serious harm to an individual or an illegal activity, it will share this information with relevant EPO managers to enable them to take appropriate action. If your matter relates to an integrity issue, such as fraud, corruption or other irregular activities, you should report it to the EPO department responsible for ensuring compliance at investigations@epo.org or at + 49 89 2399 1577.

5. How do we protect and safeguard your personal data?

We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss or alteration and unauthorised disclosure or access.

All personal data are stored in secure IT applications in accordance with the EPO's security standards. Appropriate levels of access are granted individually only to the above-mentioned recipients.

For systems hosted on EPO premises, the following basic security measures generally apply:

  • User authentication and access control (e.g. role-based access control to the systems and network, principles of need-to-know and least privilege)
  • Logical security hardening of systems, equipment and network
  • Physical protection: EPO access controls, additional access controls to datacentre, policies on locking offices
  • Transmission and input controls (e.g. audit logging, systems and network monitoring)
  • Security incident response: 24/7 monitoring for incidents, on-call security expert.

6. How can you access, rectify and receive your data, request that your data be erased, or restrict/object to processing? Can your rights be restricted?


You have the right to access, rectify and receive your personal data, not to be subject to a decision based solely on automated processing, to have your data erased and to restrict and/or object to the processing of your data (Articles 18 to 24 DPR).

As mentioned under point 1 above, once your case is closed, all personal data, including any reference to your organisation or affiliation or to the applicant you are representing, are deleted and records of your case are anonymised.

Please bear in mind that data protection is not an absolute right. It must always be balanced against other fundamental rights and freedoms and there may be circumstances where the grant of one or more of a data subject's rights may be refused. If you would like to exercise any of the rights mentioned above, please detail your request to the delegated controller via e-mail at DPOexternalusers@epo.org.

We will reply to your request without undue delay and in any event within one month of receipt of the request. However, Article 15(2) DPR provides that this period may be extended by two further months where necessary in view of the complexity and number of requests received. We will inform you of any such delay.

7. What is the legal basis for processing your data?

Our mandate authorises us to process your personal data as outlined in point 1 under Article 5(a) DPR in order to carry out tasks in the exercise of our official activities.

The Ombuds Office reserves the right to share any information indicating illegal activity or a risk of serious harm with the appropriate EPO managers as per Article 5(b) DPR. This includes reporting integrity issues, such as fraud, corruption or other irregular activities, to the EPO department responsible for ensuring compliance at investigations@epo.org or at + 49 89 2399 1577.

8. How long do we keep your data?

Personal data will be kept only for the time needed to achieve the purposes for which it is processed.

Any personal data, including references to an organisation or affiliation or to the applicant represented, collected during a consultation with a client will be deleted upon confirmation from the client that the matter is closed.

Non-case-related data will be retained in anonymised form and used to generate systemic and trend data for reporting purposes and for identifying any general measures needed to improve quality.

9. Contact information

If you have any questions about the processing of your personal data, you can write any time to the delegated data controller, which is the Ombuds Office, at OO-DPL@epo.org, or to the Data Protection Officer at DPOexternalusers@epo.org.

Review and legal redress

If you consider that the processing infringes your rights as a data subject, you have the right to request review by the controller under Article 49 DPR and, if you disagree with the outcome of the review, the right to seek legal redress under Article 50 DPR.

Quick Navigation