EPO data protection guidance when using Zoom for oral proceedings by VICO

Oral proceedings in opposition organised through Zoom Video Communications: information for users regarding data protection

Zoom Video Communications ("Zoom") is a cloud-based videoconferencing (VICO) platform enabling the successful organisation of events in a virtual environment such that effective interaction between participants is as close as possible to a face-to-face experience.

With a view to the needs of patent proprietors and users to continue enjoying access to all patent procedures the EPO has decided to launch a pilot project on opposition by videoconference. Within this framework, Zoom is tested to hold proceedings which require simultaneous interpretation and/or multiple opponents.

This pilot project forms part of our Business Continuity scenario (launched in response to the operational disruption caused by the coronavirus pandemic). As such, the data processing operation is based on Article 5(a) of the EPO Data Protection Guidelines ("processing is necessary for the performance of a task carried out on the basis of the EPC or in the exercise of official authority vested in the EPO").

Personal data is processed by the EPO for the purpose of organising these oral proceedings. Personal data is processed in the Zoom platform only for the purpose of carrying out the virtual event and ensuring the effective collaboration and communication between the Office and its stakeholders thus guaranteeing EPO business continuity and compliance with applicable legal obligations.

All the possible measures have been taken by the EPO to ensure the protection of personal data and to safeguard the confidentiality, integrity and availability of the information and moreover Zoom has committed in a binding agreement to comply with its data protection obligations stemming from the GDPR and the EPO Data Protection Guidelines.

Zoom has publicly announced that it stores all data on third-party secured servers where the following security measures are implemented:

  • management of access logs;
  • 24/7 global support by managing and monitoring data center access activities, equipping local teams and other support teams to respond to security incidents;
  • backup power supply;
  • data encryption.

Zoom has SOC 2 type II certification for compliance with security, availability, processing, integrity and confidentiality standards and its cloud services provider is ISO 27001 certified.

For more information on the processing of personal data by Zoom or its subcontractors, please consult their privacy policy. Zoom signs agreements with all its service providers that prevent them from processing of data for their own purposes or for the purposes of another third party.

When the EPO organises an oral proceeding on the Zoom platform and invites the parties to dial-in, we will do so according to the most secure options available; the EPO nevertheless strongly recommends its users to not share any confidential data when exchanging information using Zoom. 

For more information, please refer to the User Technical Guidelines.

The data processed by Zoom for the purpose of oral proceedings in opposition by VICO is as follows:

  • name of the user;
  • general information about service preferences;
  • information about each user´s device, network and internet connection, such as IP address(es), MAC address, other device ID (UDID), device type, operating system type and version, and client version;
  • information about usage of or other interaction with Zoom Products (‘Usage Information');
  • other information the user uploads, provides or creates while using the service;
  • metadata used for the maintenance of the service provided;
  • optional data: telephone number of a person making a call using Zoom services (e.g. Zoom Phone) and data collected through the use of cookies and tracking pixels (only in case the user visits one of Zoom marketing website).

Additional data could be collected depending on whether the user joins the virtual event through an Android or an iOS device. As part of the nature of a collaborative tool, additional personal data may be included in the information that is exchanged between the Office and stakeholders, such as instant messages, images, files, whiteboards, recordings (if previously agreed), contacts, metadata used for the maintenance of the service provided.

Personal data processed by the data controller or the service providers under its supervision are generally stored for the period of time necessary to achieve the purpose for which they have been processed.  Zoom shall retain the personal data of the attendees strictly necessary for the organisation and management of a particular event/meeting for the maximum of one month.

This guidance will be further developed during the course of the pilot project.

Latest update: 9 October 2020

If you have any question on data protection matters, please submit it using our contact form and it will be routed to the EPO Data Controller.

Quick Navigation