Data Protection Statement on processing personal data when using Zoom in virtual events, including oral proceedings by VICO

Protecting your privacy is of the utmost importance to the European Patent Office (‘EPO'). The Office is committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature that identifies you directly or indirectly will be handled fairly, lawfully and with due care.

This processing operation is subject to the Guidelines for the Protection of Personal Data in the European Patent Office.

The information in this communication is given pursuant to Articles 13 and 14 of the Guidelines.

1. What is the nature and purpose of the processing operation?

Zoom Video Communications ("Zoom") is a cloud-based videoconferencing (VICO) platform enabling the successful organisation of events in a virtual environment such that effective interaction between participants is as close as possible to a face-to-face experience.

With a view to the needs of the Office and its stakeholders to continue enjoying access to all services the EPO has extended the use of videoconference in order to organise virtual events. Within this framework, Zoom will be used for conducting such virtual events.

Personal data is processed in the Zoom platform for the purpose of carrying out the virtual event and ensuring the effective collaboration and communication between the Office and its stakeholders thus guaranteeing EPO business operations and compliance with applicable legal obligations. The collected data may also be used to prepare anonymised statistics on the participants.

All the possible measures have been taken by the EPO to ensure the protection of personal data and to safeguard the confidentiality, integrity and availability of the information and moreover Zoom has committed in a binding agreement to comply with its data protection obligations stemming from the GDPR and the EPO Data Protection Guidelines.

2. What personal data do we process?

The data processed in the Zoom platform for the purpose of virtual events by VICO is as follows:

• Contact details of the participant or user;
• name of company;
• town and country;
• audio-visual files;
• professional category/profile;
• how participant found out about the event;
• general information about service preferences;
• information about each user´s device, network and internet connection, such as IP address(es), MAC address, other device ID (UDID), device type, operating system type and version, and client version;
• information about usage of or other interaction with Zoom Products (‘Usage Information');
• other information the user uploads, provides or creates while using the service;
• metadata used for the maintenance of the service provided;
• optional data: telephone number of a person making a call using Zoom services (e.g. Zoom Phone) and data collected through the use of cookies and tracking pixels (only in case the participant or user visits one of Zoom marketing websites).

Additional data could be collected depending on whether the user joins the virtual event through an Android or an iOS device. As part of the nature of a collaborative tool, additional personal data may be included in the information that is exchanged between the Office and stakeholders, such as instant messages, images, files, whiteboards, recordings (if previously agreed), contacts, metadata used for the maintenance of the service provided.

3. Who is responsible for processing the data?

The processing of personal data is carried out under the responsibility of the CIO (PD46) on behalf of the EPO, acting as delegated data controller.

Personal data is processed by the staff of the department 4615 New Productivity Apps, Collaboration & Events managing the technical means to conduct virtual events.

4. Who has access to your personal data and to whom is it disclosed?

The personal data is disclosed, on a need to know basis, to the following recipients:

• the EPO's staff members and external users participating in or organising virtual events;
• Members of the department 4615 New Productivity Apps, Collaboration & Events and its third-party providers for service maintenance and support purposes.
• Zoom and its third-party providers for service maintenance and support purposes.

5. How do we protect and safeguard your information?

Zoom has publicly announced that it stores all data on third-party secured servers where the following security measures are implemented:

• management of access logs;
• 24/7 global support by managing and monitoring data centre access activities, equipping local teams and other support teams to respond to security incidents;
• backup power supply;
• data encryption.

Zoom has SOC 2 type II certification for compliance with security, availability, processing, integrity and confidentiality standards and its cloud services provider is ISO 27001 certified.

For more information on the processing of personal data by Zoom or its subcontractors, please consult their privacy policy. Zoom signs agreements with all its service providers that prevent them from processing of data for their own purposes or for the purposes of another third party.

When the EPO organizes a virtual event on the Zoom platform and invites the parties to dial-in, we will do so according to the most secure options available; the EPO nevertheless strongly recommends its users to only share any highly confidential data when exchanging information using Zoom's end to end encryption functionality. 

For more information, please refer to the User Technical Guidelines.

6. How can you access your personal information and, if necessary, correct it? How can you receive your data? How can you request that your personal data be erased, or restrict or object to its processing?

You have the right to access, rectify, erase and receive your personal data, as well as restrict its processing or object to the same, as provided in Articles 14 of the Guidelines.

If you would like to exercise any of these rights, please send a written query explicitly stating your request to the data controller.

The right to rectification only applies to inaccurate or incomplete factual data processed within the Zoom platform.

Your request will be answered within 3 months of receipt of the request. However, according to Article 14(7) of the Guidelines, this period may be extended, taking into account the complexity and number of requests. The Office will inform you of any such extension.

7. What is the legal basis for processing your data?

Personal data is processed in accordance with Article 5(a) of the Guidelines, which states that ‘processing is necessary for the performance of a task carried out in the legitimate interest of the official authority vested in the European Patent Office'.

Personal data is collected and processed in accordance with the following legal instrument:

Guidelines for the Protection of Personal Data in the European Patent Office.

8. How long can data be kept?

Personal data processed by the data controller or the service providers under its supervision are generally stored for the period of time necessary to achieve the purpose for which they have been processed. Zoom shall retain the personal data of the attendees strictly necessary for the organisation and management of a particular event/meeting for the maximum of one month.

This guidance may be further developed on the basis of the experience gained during virtual events and attendee feedback.

9. Contact information

Should you have any queries on the processing of your personal data, please address it using our contact form and it will be routed to the EPO Data Controller.

You may consult the EPO Data Protection Officer at: dpo@epo.org