
Data protection and privacy notice


The European Patent Office ("EPO") is committed to ensuring that it observes the fundamental rights of natural persons ("data subjects") to privacy and to the protection of their personal data processed by it when performing its tasks and providing its services.

Legal framework for the protection of personal data at the EPO

The EPO is an international organisation established by the European Patent Convention (EPC) and, as such, is not subject to EU Regulation 2016/679 - General Data Protection Regulation (GDPR). On 29 June 2021, it adopted a new data protection framework which is in line with best practices at European and international level. The Data Protection Rules (DPR) are the core of this new framework.

All personal data collected or managed by the EPO is processed in accordance with the Data Protection Rules, which aim to ensure that the EPO's handling of data subjects' information meets the highest standards. Processing operations carried out by the Administrative Council of the European Patent Organisation do not fall under these Rules. Additionally, Articles 49 to 52 DPR do not apply to the processing of personal data by the EPO Boards of Appeal in their judicial capacity.

Article 32 DPR requires the EPO to keep a register with its records of processing activities. Entries to this register will be progressively introduced within six months of the entry into force of the DPR. Records involving personal data of external data subjects are publicly accessible on the EPO website. External data subjects can consult these records to learn more about how the EPO processes their personal data.

The EPO's Data Protection Officer independently monitors the internal application of and compliance with the Data Protection Rules with respect to all processing operations carried out by the EPO. The EPO President has also appointed a Data Protection Board, which is mandated with an oversight and advisory function and has a role in the legal redress mechanism (Article 47 DPR).

Data protection and privacy policy

This data protection and privacy policy ("policy") explains how personal data collected by the EPO is processed.

a. What information do we process?

Personal data means any information relating to any identified or identifiable natural person (also referred to as "data subject" or "individual"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity; personal data which have undergone pseudonymisation but could still be attributed to a natural person by the use of additional information are to be considered to be information relating to an identifiable natural person.

We classify personal data in two categories:

  • Mandatory personal data: this means the personal data necessary for (1) the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the EPO, which includes the processing necessary for the EPO's management and functioning, (2) compliance with a legal obligation to which the EPO is subject and (3) the performance of a contract to which the data subject is party.
    • Examples include the personal data the EPO collects to fulfil its obligation to maintain a public patent register (see Rule 143 EPC and the related decision of the President) and the personal data it collects for login authentication and security purposes.
  • Non-mandatory personal data: this means personal data collected and processed on the basis of the data subject's consent. The specific rules on collecting consent are in Article 7 DPR.
    • Examples include the personal data about your dietary or mobility requirements that you give when registering for an event and the contact data of professional representatives accessible via a searchable database on the EPO website.

For more information on the categories of personal data processed during patent-grant and related proceedings, see the Memorandum on the use of personal data in the patent granting procedure (PGP), published in the December 2021 issue of the Official Journal of the EPO.

We also collect personal data when providing our services. Personal data collected are adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed.

b. What do we use your personal data for?

"Processing" of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, storage, use, disclosure or erasure.

When you interact with the EPO, your personal data are collected for specific, explicit and legitimate purpose(s) and not further processed in a manner that is incompatible with the purpose(s) for which they were collected.

Our processing of personal data must follow a number of principles. These include that the processing must be lawful, fair and transparent to the data subject and ensure appropriate security of the personal data.

The purposes for which personal data are processed are set out in the relevant data protection statements and records made available to data subjects.

You can find additional information about the processing of personal data for specific purposes below:

c. What is the legal basis for processing your personal data?

The EPO's processing operations are based on Article 5 DPR, which provides that we can collect personal data:

  • for the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the controller, which includes the processing necessary for the EPO's management and functioning
  • for compliance with a legal obligation to which the controller is subject
  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • when the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes
  • to protect the vital interests of the data subject or of another natural person

d. Who has access to your personal data and to whom is it disclosed?

Except where published in the European Patent Register (under Article 127 and Rule 143 EPC and the related decision of the President), your personal data are not made available to the public unless you have given your express consent.

Personal data may be accessed, disseminated and processed only on a strict need-to-know basis, by the authorised EPO staff and third-party service providers. Personal data are not disclosed to any other recipients. For more information on how we protect and safeguard your personal data, see point e. below.

e. How do we protect and safeguard your personal data?

We take appropriate technical and organisational measures to safeguard and protect personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

All personal data processed on systems hosted on the EPO premises are stored in secure IT applications in accordance with the security standards of EPO, which include the following measures:

  • User authentication: all workstations and servers require log-in, mobile devices require log-in to the EPO enclave, privileged accounts require additional and stronger authentication
  • Access control (e.g. role-based access control to the systems and network, principles of need-to-know and least privilege): separation into administrative and user roles, users have minimum privileges, overall administrative roles are kept to a minimum
  • Logical security hardening of systems, equipment and network: 802.1x for network access, encryption of endpoint devices, antivirus on all devices
  • Physical protection: EPO access controls, additional access controls to datacentre, policies on locking offices
  • Transmission and input controls (e.g. audit logging, systems and network monitoring): security monitoring with Splunk
  • Security incident response: 24/7 monitoring for incidents, on-call security expert

For personal data processed on systems not hosted on the EPO premises, the providers processing the personal data have committed in a binding agreement to comply with their data protection obligations stemming from the applicable data protection legal frameworks. The EPO has also carried out a privacy and security risk assessment. These systems are required to have implemented appropriate technical and organisational measures such as: physical security measures; access and storage control measures; securing data at rest (e.g. by encryption); user, transmission and input control measures (e.g. network firewalls, network intrusion detection system (IDS), network intrusion prevention system (IPS), audit logging); and conveyance control measures (e.g. securing data in transit by encryption).

f. How long do we keep your personal data?

Personal data kept in a form which permits identification of data subjects will be stored only for the time needed to achieve the purposes for which it is processed.

In the case of personal data processed pursuant to Rule 143 EPC and the related decision of the President, the EPO is legally obliged to keep them indefinitely. Otherwise, specific retention periods are established for each specific processing of personal data.

For more information, data subjects may refer to the specific data protection statement or data protection record.

g. Social network features

The EPO uses social media to communicate its work and better engage with the public. We are on Facebook, Twitter, LinkedIn, Xing and YouTube and we encourage all individuals to share our content and take part in our discussions!

Our website uses social plug-ins of Facebook, Twitter, LinkedIn, Xing and YouTube ("social media providers"). If you are logged into your social network account with one of those social media providers when you visit the website, the social media provider might assign your visit to their network account. If you use the functions of the social plug-ins, this information will also be transmitted directly from your browser to the social media provider and may be stored there.

Each social media provider has its own policy on how it processes your personal data when you access its website. We therefore encourage you to refer to the various providers' privacy policies for more information on the purposes and scope of their processing of the personal data:

h. Changes to this policy

The EPO has always aimed to keep its data protection framework in line with the latest developments and best practices, and it will update this policy accordingly. We therefore encourage you to consult it regularly.

Cookies policy

A "cookie" is a small piece of data that a website stores on the data subject's computer or mobile device.

a. First-party cookies

Strictly necessary cookies. We use cookies that are necessary for site usability and security. These cookies do not gather information about data subjects and they will not be used for marketing purposes or to collect information about your browsing experience or preferences. They are set by default and cannot be disabled.

Analytical cookies. We use cookies to understand your preferences and track usage trends. We may collect data about your browsing experience, such as IP address, location, IP provider (if available), browser type, operating system, language and screen size, the visited pages and the time and date of the visits.

We use this information to gather aggregated and anonymous statistics with a view to improving our services and your experience. The data are collected, aggregated and anonymised in our datacentre under adequate security measures.

b. Third-party cookies

The audio-visual content displayed on our website is hosted on and processed by YouTube. By watching it, you accept YouTube's specific terms and conditions, including its cookies policy, which we have no control over.

c. Technical information

Managing cookies?

You can manage/delete cookies as you see fit. You can find out more about how to do this at aboutcookies.org.

Removing cookies from your device

You can delete all cookies currently on your device by clearing your browsing history. This will remove all cookies from the websites you have visited.

Managing site-specific cookies

You can learn more about how to manage site-specific cookies by looking at the privacy and cookie settings of your browser.

Blocking cookies

You can select the Do Not Track (DNT) option in your web browser to prevent, as much as possible, cookies being placed on your device. However, some preferences may need to be adjusted every time you visit a site or page as some services and functionalities may not work properly.

If the DNT option is enabled in your browser, we will respect your choice and will not track your browsing experience on our website for our anonymised statistics. You can find instructions on how to activate the DNT option in some popular browsers below:
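As an added illustration of how a site can honour the commitment above (this is example code, not the EPO's own implementation, and the analytics loader callback it takes is a hypothetical placeholder), the following reads the browser's Do Not Track signal and uses it to decide which first-party cookie categories may be set: strictly necessary cookies are always allowed, while the analytical category and the analytics script are skipped whenever DNT is asserted. The decision logic is kept in pure functions so it can be checked without a browser.

```javascript
// Added example, not EPO code: gate analytics on the browser's Do Not Track
// signal while still permitting the strictly necessary cookies the policy describes.

// Read the raw DNT value. navigator.doNotTrack is "1" when DNT is enabled,
// "0" when explicitly disabled, and null/undefined when no preference was set.
// Older browsers exposed the same signal as window.doNotTrack or
// navigator.msDoNotTrack, so those are consulted as fallbacks.
function readDoNotTrack(nav = globalThis.navigator, win = globalThis.window) {
  const candidates = [
    nav && nav.doNotTrack,
    win && win.doNotTrack,
    nav && nav.msDoNotTrack,
  ];
  for (const value of candidates) {
    if (value !== undefined && value !== null) return String(value);
  }
  return null; // no preference expressed
}

// Pure decision: DNT "1" (or the legacy "yes") means the visitor declined
// tracking. Anything else, including an absent preference, leaves analytics on.
function isTrackingDeclined(raw) {
  return raw === "1" || raw === "yes";
}

// Cookie categories that may be set for this visit. Strictly necessary
// cookies (session, CSRF token) are always permitted; the analytical
// category is dropped when DNT is asserted.
function allowedCookieCategories(raw) {
  const categories = ["strictly-necessary"];
  if (!isTrackingDeclined(raw)) categories.push("analytical");
  return categories;
}

// Page entry point: call the site's analytics loader only when permitted.
// `loadAnalytics` is a hypothetical callback supplied by the site; the
// return value reports whether analytics were started.
function initAnalytics(loadAnalytics, raw = readDoNotTrack()) {
  if (isTrackingDeclined(raw)) return false;
  loadAnalytics();
  return true;
}

// Typical use in the page:
// initAnalytics(() => { /* inject the analytics script tag here */ });
```

DNT is a request carried by the browser, not a technical block, which is why the policy can only promise to respect it on the EPO's own statistics; whatever the analytics script would collect is never loaded in the first place when the signal is present, rather than being loaded and then filtered.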

What are your rights and how can you exercise them?
Can your rights be restricted?
What redress mechanisms are available?

a. Overview

The infographic below is designed to give a clear and simple overview of your rights under the EPO Data Protection Rules, how to exercise them and what redress mechanisms are available. For more detailed information, we recommend that you also refer to the full explanations in the next sections.

Overview of your rights under the EPO Data Protection Rules

b. Your data protection rights

As a data subject, you have the following rights under the EPO Data Protection Rules:

Data subjects' rights and their description

Right to information (Articles 16 and 17 DPR)

Where personal data has not been obtained from the data subjects, the controller shall, at the time when personal data is obtained, provide data subjects with information on the categories of personal data concerned and the source of the personal data and, if applicable, whether it came from publicly accessible sources.

Right of access (Article 18 DPR)

Data subjects have the right to request confirmation as to whether or not their personal data is being processed, and, if so, to access the personal data easily and at reasonable intervals, to understand which data about them is processed, to verify the quality of their personal data, to verify the lawfulness of the processing and to exercise their other rights.

Right to rectification (Article 19 DPR)

Data subjects have the right to request the correction of inaccurate personal data concerning them.

Right to erasure (Article 20 DPR)

Data subjects have the right to request the erasure of their personal data under certain circumstances, e.g. if their personal data is no longer necessary for the purposes for which it was collected or if their personal data has been unlawfully processed.

Right to restriction of processing (Article 21 DPR)

Data subjects have the right to obtain from the EPO the restriction of processing of their personal data if the data is inaccurate, the EPO no longer needs it for the purposes of processing or the processing is unlawful, or, where they have already objected to processing, pending verification of their objection.

Right to data portability (Article 22 DPR)

When personal data is processed on the basis of Articles 5(c), 5(d) and 11(2)(a) DPR, data subjects have the right to receive, in a structured, commonly used and machine-readable format, the personal data concerning them which they have provided to the controller and the right to transmit those data to another controller without hindrance from the controller to which the personal data were initially provided.

Right to object (Article 23 DPR)

Data subjects have the right to object, at any time, to the processing of their personal data under certain circumstances. The controller shall cease to process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subjects.

Right to not be subject to a decision based solely on automated processing (Article 24 DPR)

Decisions based solely on automated processing are decisions made by machines, including profiling, which produce legal effects concerning or similarly significantly affecting data subjects. Data subjects have the right not to be subject to this kind of decision, except where the decision is necessary for entering into, or performance of a contract between them and the EPO, is authorised by a legal act or is based on their explicit consent.

c. Can your rights be restricted?

Data protection is not an absolute right. It always has to be balanced against other fundamental rights and so there may be circumstances where one or more of your rights may be restricted. If they are restricted, you will be informed of the main reasons for this and of your right to ask the Data Protection Officer to investigate and/or file a request for review with the delegated controller (see the procedure described below in d.).

These rights might be restricted on the legitimate grounds established by Article 25 of the EPO Data Protection Rules and the Circular No. 420 implementing Article 25 DPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

  • the European Patent Organisation's security, public security or defence of the contracting states
  • the prevention, investigation, detection and prosecution of criminal offences or the enforcement of criminal penalties, including the safeguarding against and the prevention of threats to public security and including cases in which Article 20 of the Protocol of Privileges and Immunities is applied
  • other substantial interests of the European Patent Organisation pertaining to its core mission, or by reason of obligations arising from the duty of co-operation with the contracting states, including monetary, budgetary and taxation matters, public health and social security
  • the internal security of the EPO, including of its electronic communications networks
  • the protection of judicial and quasi-judicial independence and judicial and quasi-judicial proceedings
  • the prevention, investigation, detection and sanction of breaches of ethics for regulated professions
  • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority
  • the protection of the data subject or the rights and freedoms of others
  • the enforcement of civil law claims

For more information about restrictions, you can always consult the related Circular No. 420 and the EPO's Data Protection Officer at DPOexternalusers@epo.org.

d. How to exercise your rights

You can contact the Data Protection Officer at any time on any matter concerning the interpretation or application of the Data Protection Rules. No-one is to suffer prejudice on account of bringing an alleged infringement of these Rules to the attention of the Data Protection Officer.

When contacting the EPO to exercise your right(s), in order to enable us to respond more promptly and precisely to your request, you always need to provide certain preliminary information with the request. Therefore, we encourage you to fill in this form and submit it with your request.

e. What redress mechanisms are available?

Please note that in order to have access to the redress mechanisms described below, you first need to have filed a request for review with the delegated controller as per the procedure described in point d. above (How to exercise your rights).

First step

If you consider that the EPO's processing of your personal data infringes your rights, you can ask the delegated controller to review the matter and take a decision (Article 49 DPR).

  • Timeframe: you must submit your request for review no later than three months from the day on which you were informed or otherwise became aware of the processing of personal data allegedly infringing your rights.
  • Who to contact: data subjects should send their request, with the form mentioned above attached, to DPOexternalusers@epo.org.
  • Procedure:
    • The delegated controller should respond without undue delay and in any event within one month of receipt of your request.
    • This period may be extended by two further months where necessary, in view of the complexity and number of the requests. If so, the controller must duly notify the data subject of the extension and the reasons for the delay within one month of the EPO's receipt of the request.
    • If the controller or the delegated controller fails to take any action by the end of a period of three months, this will be deemed to be an implicit rejection of your request.

Second step

If you are not satisfied with the delegated controller's decision or if the delegated controller fails to take action within three months of submission of your request, you can file a complaint with the Data Protection Board under Article 50 DPR. It will review your complaint in accordance with its Rules of Procedure.

  • Timeframe: You must file your complaint with the Data Protection Board within three months of receipt of the delegated controller's decision or, in the case of an implicit rejection, of the date of expiry of the time limit for replying to your request for review.
  • How to lodge a complaint with the Data Protection Board: by filling in the request form and sending it to dpbcomplaints@epo.org.
  • Procedure:
    • The Data Protection Board invites the parties to set out in writing their position on the claims and facts at issue and to provide evidence or comments and arguments on evidence already at hand.
    • Further, the Data Protection Board issues a reasoned opinion to the controller. If it is deemed necessary, it may recommend compensation for material and/or non-material damage.
    • Once the opinion is communicated, the controller takes a final decision. If the controller does not follow the Data Protection Board's opinion, it must set out the reasons in writing.
    • The controller notifies the parties, as well as the Data Protection Officer and the Data Protection Board, of the final decision and the conclusions of the Data Protection Board.

Third and last step

If you disagree with the controller's final decision on your complaint, you can ask the President of the Office for ad-hoc arbitration proceedings to resolve the dispute (Article 52 DPR).

  • Timeframe: You must make your request for arbitration within three months of receiving the controller's final decision.
  • Contact: Fill in the request form and send it, together with all the necessary documentation it asks you to provide, to the President of the EPO at president@epo.org.
  • Procedure:
    • Arbitration takes place in The Hague (the Netherlands), with a qualified arbitrator appointed by the Secretary General of the Permanent Court of Arbitration.
    • The law governing the arbitration is the EPC, the EPO Data Protection Rules, including any implementing legislation, the law of international organisations and the principles of public international law.
    • The arbitration is confidential, and the result will be consolidated in the form of a written settlement (also called "arbitration award") which also fixes the costs of arbitration.
    • The European Patent Organisation pays the arbitration fees, but each party pays his or her own costs of legal representation and expenses unless the arbitrator decides otherwise.

How to contact us?

You can contact the controller, the delegated controllers and the Data Protection Officer at DPOexternalusers@epo.org.

If you wish to lodge a complaint with the Data Protection Board, write to dpbcomplaints@epo.org. Please bear in mind, however, that you first need to file a request for review with the delegated controller before you can lodge a complaint with the Board.