Data protection statement on processing personal data in the context of the PATLIB network and its centres

Protecting your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature that identifies you directly or indirectly will be processed lawfully, fairly and with due care.

This processing operation is subject to the EPO Data Protection Rules (DPR).

The information in this communication is provided pursuant to Articles 16 and 17 of the DPR.

This statement refers to the processing of personal data in the context of the PATLIB network and its centres.

1. What is the nature and the purpose of the processing operation?

Personal data are processed only for the purpose of carrying out the administration, collaboration and communication with the PATLIB centres with regard to all PATLIB related matters.

This privacy statement refers only to the data processed for the purposes stated in this section. The EPO data privacy policy for the processing of personal data in MS 365 can be found at: https://www.epo.org/about-us/office/data-protection-and-privacy/microsoft-365.html.

Personal data processed through the use of MS Forms is subject to the EPO data privacy policy for the processing of personal data in MS Forms available at: https://www.epo.org/about-us/office/data-protection-and-privacy/microsoft-forms.html

Personal data are processed for the following purposes:  

• Administration of PATLIB network
• Communicating within the PATLIB network
• Identifying participants and contributors to PATLIB activities
• Providing data subjects with information about the PATLIB activities by means of a regular email
• Providing data subjects with invitations to PATLIB and other IP-related EPO meetings, events and trainings
• Inviting data subjects with certain recorded skills to collaborate within the PATLIB network as experts, speakers, consultants, etc.
• Inviting data subjects to participate and/or contribute to other EPO lead activities where input of PATLIB centres seems beneficial.
• Inviting data subjects to participate in 3rd party activities commissioned and authorized by the EPO, e.g. for performing (statistical) analysis.
• Keeping an online directory of PATLIB centres and experts; the directory is available to the public to find IP specific support and contains contact details of the PATLIB centres and their experts. Through to self-administration, the centres decide on type and amount of disclosed details
• Keeping a record of data subjects' participation in activities organised in the PATLIB network, the business cases submitted and any feedback received.
• Document exchange within the PATLIB network
• Information exchange on events within the PATLIB network events calendar

2. What personal do we process?

The following categories of personal data are processed (not all categories are processed for every data subject):

• name
• email address
• phone number
• name and address of the PATLIB centre where the data subject works
• area of responsibility
• gender
• other information provided by data subjects, e.g. specialisation / field of expertise, calendar events, contribution to forum
• author link for uploaded, distributed and/or shared data (files)
• information provided by data subjects
• feedback received on data subjects, for example by participants where the data subject is a trainer.

3. Who is responsible for processing the data?

The processing of personal data is carried out under the responsibility of the Principal Director of the PD Patent Knowledge acting as delegated EPO data controller. Personal data are processed by the EPO staff working in the Directorate  Patent Knowledge Promotion (PATLIB) and Stakeholders and EPO staff members in charge of maintaining the underlying technical platform.

Personal data might be processed by external service providers supporting the EPO for certain activities, for instance for sending questionnaires to the PATLIB centres and for collecting the responses on behalf of the EPO.

The EPO takes all the appropriate safeguards in order to guarantee that the service provider will follow the EPO instructions on how to process your personal data in compliance with data protection requirement.

Personal data will only be used for the purpose of the contracted work, and then destroyed.

4. Who has access to your personal data and to whom is it disclosed?

The personal data are disclosed on a need-to-know basis to the following recipients:

• Participants in the PATLIB network
• the EPO's staff members of the European Co-operation Directorate
• the EPO’s staff members of the Principal Directorate Communication
• the respective national patent office in order to guarantee the accuracy of the personal data.

The personal data are not disclosed to any other recipient and is not intended to be transferred to third countries.

Furthermore, the part of personal data disclosed in the online directory is available to the public without restriction.
The PATLIB Centre is responsible for the accuracy of its own data within the PATLIB directory.

The PATLIB Centre is responsible for the accuracy of its own data within the PATLIB directory and a mechanism is in place to facilitate correction of inaccurate data.

Any third-party is directly responsible for misusing the publicly accessible data within the PATLIB directory.

Personal data might be disclosed to third-party service providers for maintenance and support purposes.

Personal data will only be shared with authorised persons responsible for the corresponding processing operations and are not used for any other purposes or disclosed to any other recipients.

5. How do we protect and safeguard your information?

We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

All personal data are stored in secure IT applications according to the EPO's security standards. Appropriate levels of access are granted individually only to the abovementioned recipients.

For systems hosted at EPO premises, the following base security measures generally apply:

• User authentication and access control (e.g., role-based access control to the systems and network, principles of need-to-know and least privilege)
• Logical security hardening of systems, equipment and network
• Physical protection: EPO access controls, additional access controls to datacentre, policies to lock offices
• Transmission and input controls (e.g., audit logging, systems and network monitoring)
• Security incidence response: 24/7 monitoring for incidents, on-call security expert.

For personal data processed on systems not hosted at EPO premises, the provider(s) processing the personal data has committed in a binding agreement to comply with its data protection obligations stemming from the applicable data protection legal framework(s). Furthermore, a privacy and security risk assessment has been carried out by the EPO. These systems are required to have implemented appropriate technical and organisational measures such as: physical security measures, access and storage control measures, securing data at rest (e.g. by encryption); user, transmission and input control measures (e.g. network firewalls, network intrusion detection system (IDS), network intrusion protection system (IPS), audit logging); conveyance control measures (e.g. securing data in transit by encryption).

6. How can you access, rectify and receive your data, request that your data be erased, or restrict/object to processing? Can your rights be restricted?

You have the right to access, rectify, and receive your personal data, to have your data erased and to restrict and object to the processing of your data, as outlined in Articles 18 to 24 of the EPO Data Protection Rules.

If you would like to exercise any of these rights, please write with details of your request to the delegated data controller at PATLIB_team@epo.org.

Data published in the online directory can be directly accessed via self-administration. 

We will reply to your request without undue delay, and in any event within one month of receipt of the request. However, according to Article 15(2) of the DPR, that period may be extended by two further months if necessary, taking into account the complexity and number of requests received. We will inform you of any such delay.

7. What is the legal basis for processing your data?

Personal data is processed in accordance with:

• Article 5(a) of the DPR, which states that ‘processing is necessary for the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the controller, which includes the processing necessary for the Office's management and functioning';
• Article 5(d) of the DPR, which states that ‘the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes ‘.

8. How long can data be kept?

Personal data will be kept for as long as the person is a member of the network and three years thereafter.

In the event of a formal appeal/litigation, all data held at the time of the formal appeal/litigation shall be retained until the completion of its process.

9. Contact information

If you have any questions about the processing of your personal data, please write to the delegated data controller at PATLIB_team@epo.org.

You can also contact our Data Protection Officer at dpo@epo.org.

Review and legal redress

If you consider that the processing infringes your rights as data subject, you have the right to request review by the controller under Article 49 DPR and the right to seek legal redress under Article 50 DPR.