Data protection statement on processing personal data in EPO’s procurement portal

Protecting your privacy is of the utmost importance to the European Patent Office (‘EPO'). The Office is committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature that identifies you directly or indirectly will be handled fairly, lawfully and with due care.

This processing operation is subject to the Guidelines for the Protection of Personal Data in the European Patent Office.

The information in this communication is given pursuant to Articles 13 and 14 of the Guidelines.

1. What is the nature and purpose of the processing operation?

The processing operation which includes the use of personal data allows (potential) suppliers to collaborate with the EPO on the Ivalua source-to-pay platform for procurement procedures including, but not restricted to, bid or offer submission as well as contracting, purchase order confirmations, shipping notifications and invoice submission.

2. What personal data do we process?

The categories of personal data processed are as follows:

  • User logon IDs
  • Contact details (suppliers and EPO)
    • First name and last name
    • Business email address
    • Business phone number
    • Business address details
    • IP address
    • User ID
    • Signatures (qualified electronic signatures)

Processing of categories of personal data not included in this section are strictly prohibited and therefore must not be uploaded into the iValua Solution. Such data include but are not limited to: (i) special categories of personal data, (ii) criminal activity records, (iii) background/verification checks performed and/or collected by the EPO on their employees, third party contractors, interim agents, trainees and sole proprietorship companies

3. Who is responsible for processing the data?

Personal data processing is carried out under the responsibility of Central Procurement acting as EPO delegated data controller.

4. Who has access to your personal data and to whom is it disclosed?

The personal data is disclosed, on a need to know basis, to the following recipients:

  • EPO's Central Procurement and Legal departments;
  • EPO's IT department and iValua technical staff for service maintenance and support purposes.

5. How do we protect and safeguard your information?

We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

EPO has legally binding agreement with iValua, which regulates the particularities of the data processing as well as the relationship between the EPO and iValua.

iValua stores all EPO data in the EU  on secure servers where technical and organisational measures are implemented which include but are not limited to the following controls: : patching, malware detection, vulnerability scanning, encryption, system hardening, network security, security logs, separation of environments, access control, physical and environmental security, security incident response, contingency planning/disaster recovery, secure disposal, security reports, networks and systems monitoring, change and configuration management etc. In addition, iValua is certified in the SOC 2 Type 2 security standard in accordance with Service Organization and Statement on Standards for Attestation Engagements No. 18 Reporting on Controls at a Service Organization ("SSAE 18") as well as in accordance with International Standard on Assurance Engagements No. 3402 Reporting on Controls at a Service Organization ("ISAE 3402"). 

The EPO has pre-configured the access rights and tool's settings in order to make sure that the personal data is protected and that all possible measures have been taken to safeguard the confidentiality, integrity and availability of the information within the tool.

6. How can you access your personal information and, if necessary, correct it? How can you receive your data? How can you request that your personal data be erased, or restrict or object to its processing?

You have the right to access, rectify, receive, erase and/or have your personal data archived by the EPO, as well as restrict its processing or object to the same, as provided in Article 14 of the Guidelines and stipulated in the contract between EPO and iValua.

If you would like to exercise any of these rights, please send a written query explicitly stating your request to the data controller, at the following email address:

Your request will be answered within 3 months of receipt of the request. However, according to Article 14(7) of the Guidelines, this period may be extended, taking into account the complexity and number of requests. The Office will inform you of any such extension.

7. What is the legal basis for processing your data?

Personal data is processed in accordance with Article 5(a) of the Guidelines, which states that ‘processing is necessary for the performance of a task carried out in the legitimate interest of the official authority vested in the European Patent Office'.

8. How long can data be kept?

Personal data processed by the data controller or the service providers under its supervision are generally stored for the period of time necessary to achieve the purpose for which they have been processed.

9. Contact information

Should you have any queries on the processing of your personal data, please address them to the data controller at the following email address:

You may consult the EPO Data Protection Officer at:

Quick Navigation