EUROPEAN PATENT OFFICE
Information from the EPO
Decision of the President of the European Patent Office of 17 November 2022 concerning countries and entities considered to ensure adequate protection of personal data
The President of the European Patent Office (EPO),
Having regard to
- Article 10(2)(a) of the European Patent Convention,
- Decision CA/D 5/21 of the Administrative Council of the European Patent Organisation of 30 June 2021 introducing a new data protection framework at the EPO, by which amendments to the Service Regulations for permanent and other employees of the EPO and Implementing Rules for Articles 1b and 32a of those Service Regulations on the protection of personal data ("Data Protection Rules") were adopted with effect from 1 January 2022,
- and in particular of Articles 1(2)(a), (3)(1)(t) and 9(2) and (3) of the Data Protection Rules,
Considering transfers under Article 9 are to national patent offices outside the territory of the European Patent Convention contracting states, public authorities outside the territory of the European Patent Convention contracting states, international organisations, private entities within or outside the European Economic Area (EEA) not qualifying as processors, and private entities qualifying as processors and located outside the EEA,
Taking into consideration in cases of conflict the European Patent Convention, including its Implementing Regulations and any other provisions applicable under it (e.g. Protocol on Privileges and Immunities), and the provisions of the Patent Cooperation Treaty, including its Regulations and any other provisions and established practices applicable under it prevail over the Data Protection Rules,
has decided as follows:
For the purposes of Article 9(2) of the Data Protection Rules, the countries of the recipients (or territories or sectors within a country) and entities listed in the annex to this decision are considered to ensure an adequate level of protection for personal data transferred from the EPO.
Monitoring of continued adequacy
The EPO will continuously monitor whether the countries and entities listed in the annex continue to ensure an adequate level of protection within the meaning of Article 1 and this decision may be repealed or amended at any time as a result.
The EPO will continuously assess whether any other countries and entities ensure an adequate level of protection within the meaning of Article 1 and, if so, this decision may be amended at any time to include them in the annex.
Entry into force
This decision enters into force on 17 November 2022. It applies to any processing of personal data ongoing on or initiated after that date.
Done at Munich, 17 November 2022.
List of countries considered to ensure adequate protection
1. Countries in the EEA
4. Canada (private-sector organisations)
5. Faroe Islands
8. Isle of Man
11. New Zealand
12. Republic of Korea
14. United Kingdom, based on its General Data Protection Regulation and the EU Law Enforcement Directive
List of entities considered to ensure adequate protection
European Union institutions, bodies, offices and agencies, based on Regulation (EU) 2018/1725.