Data protection statement on the processing of personal data in the context of the EPO podcast
Protecting your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to protecting your personal data and ensuring respect for data subjects' rights when performing our tasks and providing our services. All data of a personal nature that identify you directly or indirectly will be processed lawfully, fairly and with due care.
The processing operations described below are subject to the EPO Data Protection Rules (DPR).
The information in this statement is provided in accordance with Articles 16 and 17 DPR.
This data protection statement explains the way in which Principal Directorate Communication collects and processes your data for the creation and promotion of the EPO podcast and the collection of statistical data.
The EPO podcast aims to provide perspectives on innovation through interviews with experts, patent examiners, inventors or specialists in the commercialisation of innovation. The EPO collects and processes personal data from interviewers and interviewees to record and create the podcast. The recordings and other personal data, such as their names and personal pictures, are disclosed to the general public through different podcast platforms and the EPO internal and external channels. Personal data are deleted according to the retention periods indicated below. Their retention period depends on the type of data.
Please be aware that when you listen to the podcast on the EPO website or any third-party site, your data may be collected and processed not only in accordance with this data protection statement, but also in accordance with the third parties' privacy policies. This applies especially if you listen to our podcast while logged into one of the external podcast platforms mentioned here.
1. What is the nature and purpose of the processing operation?
Personal data are processed for the following purposes:
- The organisation and creation of the script and recording of each podcast episode between the interviewer and the interviewees, such as inventors, patent attorneys and patent examiners.
- The payment of invoices, if applicable.
- The broadcasting of the podcast through the EPO website and the podcast platforms listed under item 2.
- The promotion of each podcast episode, and the EPO podcast in general, through the EPO's internal and external channels, such as the intranet, the EPO website and all the EPO social media accounts. In addition, an episode of the EPO podcast might be promoted by other multipliers when, for instance, the interviewee works for a company that also wants to promote this employee's interview through its channels.
- The creation of anonymous statistics, which help the podcast team to improve the quality and the reach of the podcast.
The processing of your data is not intended to be used for any automated decision-making, including profiling. Your personal data will not be transferred to recipients outside the EPO that are not covered by Article 8(1), (2) and (5) DPR unless an adequate level of protection is ensured.
2. What personal data do we process?
For the purpose of recording and promoting the podcast, we collect and process the following personal data.
- Form of address (to avoid confusion in the case of names that can be both male and female)
- Podcast participants' names and surnames
- Email address (personal or professional)
- Phone number (personal or professional)
- Bank account for the payment of the speaker's invoice (if applicable)
- Current job title
- Voice recordings
- Transcribed words, comments and opinions
- Photos in order to create and distribute the episode of the podcast and the promotional material related to it through the different EPO channels, such as our website and social networks
Personal data are also processed when users listen to or download the podcast from the EPO website through Anchor.fm.
In addition, if you listen to our podcasts while logged into one of the following external podcast platforms, the providers might assign your visit to their network account and collect information about you according to their privacy policies. The online platforms might extract and provide us with statistics at a level of aggregation that does not allow us to identify any user.
For more information on the purposes, the scope and the use of the data by those platforms, you are encouraged to review the relevant privacy policies of the respective providers (Spotify, Stitcher, Google Podcasts, Apple Podcasts, Castbox, Deezer, PodBean, RadioPublic or TuneIn) and/or manage the privacy set-up of your device.
3. Who is responsible for processing the data?
Personal data are processed under the responsibility of Principal Directorate Communication acting as the EPO's delegated data controller.
Personal data are processed by the EPO staff working in Principal Directorate Communication referred to in this statement who are involved in managing the activity of the EPO podcast team. In addition, personal data may also be processed by staff working in the EPO Directorate Patent Academy when they create podcasts, whether original or created based on a previous recording or interview carried out by this department.
External contractors involved in supporting the recording and creation of the podcast or providing a platform and maintaining the services may also process personal data, which may include accessing those data. For instance, data such as your email address and the recordings are shared with an external agency involved in the podcast production for the purpose of recording and post-production, so it can keep in touch with you and record you.
4. Who has access to your personal data and to whom are they disclosed?
Personal data are disclosed on a need-to-know basis to the EPO staff working in Principal Directorate Communication.
Personal data may be disclosed to third-party service providers for maintenance and support purposes.
Personal data will only be shared with authorised persons responsible for the necessary processing operations. They will not be used for any other purposes or disclosed to any other recipients.
Names, voice recordings, comments, opinions, statements and photos are published on the internal and external platforms of the EPO and are therefore disclosed to the general public, who can also download the episodes.
5. How do we protect and safeguard your personal data?
We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss or alteration and unauthorised disclosure or access.
All personal data are stored in secure IT applications in accordance with the EPO's security standards. Appropriate levels of access are granted individually only to the above-mentioned recipients.
For systems hosted on EPO premises, the following basic security measures generally apply.
- User authentication and access control (e.g. role-based access control to the systems and network, principles of need-to-know and least privilege).
- Logical security hardening of systems, equipment and the network.
- Physical protection: EPO access controls, additional access controls to the data centre, policies on locking offices.
- Transmission and input controls (e.g. audit logging, systems and network monitoring).
- Security incident response: 24/7 monitoring for incidents, on-call security expert.
In principle, the EPO has adopted a paperless policy management system. However, if paper files containing personal data need to be stored on EPO premises, they are locked in a secure location with restricted access.
For personal data processed on systems not hosted on EPO premises, the EPO has carried out a privacy and security risk assessment. External providers are required to have implemented appropriate technical and organisational measures, such as physical security measures, access and storage control measures, data security measures (e.g. encryption), user, transmission and input control measures (e.g. network firewalls, network intrusion detection system (IDS), network intrusion protection system (IPS), audit logging) and conveyance control measures (e.g. securing data in transit by encryption).
6. How can you access, rectify and receive your data, request that your data be erased or restrict/object to processing? Can your rights be restricted?
You have the right to access, rectify and receive your personal data, not to be subject to a decision based solely on automated processing, to have your data erased and to restrict and/or object to the processing of your data (Articles 18 to 24 DPR).
If you would like to exercise any of these rights, please write to the delegated data controller at firstname.lastname@example.org. To enable us to respond more promptly and precisely, you always need to provide certain preliminary information with your request. We therefore encourage you to fill in this form and submit it with your request.
Please bear in mind that data protection is not an absolute right. It must always be balanced against other fundamental rights and freedoms and there may be circumstances where one or more of a data subject's rights may be refused. Regarding the content published on the EPO's social media platforms, for instance, you can request the deletion of the posted material one year after the publication, should you have specific reasons to do so.
We will reply to your request without undue delay and in any event within one month of receipt of the request. However, Article 15(2) DPR provides that this period may be extended by two further months where necessary in view of the complexity and number of requests received. We will inform you of any such delay.
7. What is the legal basis for processing your data?
Personal data are processed on the basis of Article 5 a. DPR: "processing is necessary for the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the controller, which includes the processing necessary for the Office's management and functioning".
8. How long do we keep your data?
Personal data will be kept only for the time needed to achieve the purposes for which they are processed.
Regarding the data used for the organisation and recording of each podcast episode, personal data not needed for the subsequent steps, such as mobile number or bank account (if applicable), will be deleted from the Principal Directorate Communication database once the invoice has been paid. Please bear in mind that some personal data are likely to remain in the EPO financial system for audit reasons.
Recordings and visual material used for the promotion of the EPO podcast are accessible to the public for a minimum period of three years. Nevertheless, Principal Directorate Communication may decide on a case-by-case basis to keep a podcast episode accessible for a longer period of up to seven years in order to provide the user with a satisfactory performance of the service.
If you use one of the platforms mentioned above, each platform keeps your data for as long as you are a user of their service.
In the event of a formal appeal/litigation, all data held at the time when the formal appeal/litigation was initiated will be kept until the proceedings have been concluded.
9. Contact information
If you have any questions about the processing of your personal data, please write to the delegated data controller at email@example.com.
You can also contact our Data Protection Officer at firstname.lastname@example.org.
Review and legal redress
If you consider that the processing infringes your rights as a data subject, you have the right to request review by the controller under Article 49 DPR and, if you disagree with the outcome of the review, the right to seek legal redress under Article 50 DPR.