DATA PROTECTION & PRIVACY
Protecting your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to protecting your personal data and ensuring respect for data subjects' rights when performing our tasks and providing our services. All data of a personal nature that identify you directly or indirectly will be processed lawfully, fairly and with due care.
The processing operations described below are subject to the EPO Data Protection Rules (DPR).
The information in this statement is provided in accordance with Articles 16 and 17 DPR.
The EPO E-learning Centre is a platform that houses training courses. It allows external users (hereinafter also referred to as “data subjects”) to find courses the users are interested in. When a user registers with the e-learning centre, the user will be asked to provide certain personal data, which the EPO will use to identify the user.
1. What is the nature and purpose of the processing operation?
This data protection statement relates to the processing of personal data by the EPO’s Academy E-learning centre.
The EPO E-learning Centre (also known as the Learning Management System (LMS)) is a platform that offers training courses to external users. When a user registers with the e-learning centre, the user will be asked to provide certain personal data, which the EPO uses to identify the user. This includes a valid email address, which will be the user's user ID. The user will be able to modify the data (s)he enters, which will become the user's profile, at any time.
When registering for courses on the main EPO website (by using the online registration tool, which is a service provided by an external provider), the following personal data that the data subject (user) enters will be synchronised with the Learning Management System (LMS): first name, last name, city and country. The data subject's email address will be used as the user's unique identifier, i.e. it will be the data subject's user ID.
The majority of the courses are free and no registration is required. In that case, no personal data are collected.
If a user needs to register (and/or to pay) for a specific course, personal data is collected and the data subject is informed hereof, and the EPO will not proceed without the acceptance of the terms. Personal data is processed for the purposes of providing training and showing the data subjects’ progress through the activities on offer in our e-learning centre (e.g. tests and modules taken). Information may be aggregated in anonymised form to produce reports on user preferences and users' geographical distribution, with a view to optimising technical improvements.
The processing is not intended to be used for any automated decision-making, including profiling.
Your personal data will not be transferred to recipients outside the EPO that are not covered by Article 8(1), (2) and (5) DPR unless an adequate level of protection is ensured. In the absence of an adequate level of protection, a transfer can only take place if appropriate safeguards have been put in place and enforceable data subject rights and effective legal remedies for data subjects are available, or if derogations for specific situations as per Article 10 DPR apply.
2. What personal data do we process?
The following categories of personal data are processed: the personal data inserted by the data subjects themselves, which contain contact details such as first name, last name, personal and/or work email address, city and country.
3. Who is responsible for processing the data?
Personal data are processed under the responsibility of PD 51 Cooperation and Patent Academy acting as the EPO's delegated data controller.
Personal data are processed by the EPO staff involved in managing the initiative, project or activity of the EPO’s Academy referred to in this statement.
External contractors involved in providing the platform may also process personal data, which can include accessing it.
4. Who has access to your personal data and to whom are they disclosed?
Personal data are disclosed on a need-to-know basis to the EPO staff working in the EPO’s Academy, within PD 51 Cooperation and Patent Academy.
Personal data will also be shared with the following persons only:
- For the purposes of administering and maintaining the platform and user support, it will be shared with the EPO staff and the third party service providers / contractors specifically selected for these purposes, who are subject to the EPO's DPR.
- Tutors external to the EPO – hired on a contractual basis for a particular course – receive a list of that course's participants containing their first names, last names, city and country.
- For internal planning and reporting within EPO, anonymised aggregated data may be shared with the unit in charge of European and International Cooperation and with the EPO's supervisory bodies.
- In the case of training specifically for staff of national patent offices in the European Patent Organisation's member states, a list of participants in each training course is shared with those national offices' EPO coordination officers as part of the EPO’s cooperation with those offices.
Personal data will only be shared with authorised persons responsible for the necessary processing operations. They will not be used for any other purposes or disclosed to any other recipients.
5. How do we protect and safeguard your personal data?
We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss or alteration and unauthorised disclosure or access.
All personal data are stored in secure IT applications in accordance with the EPO's security standards. Appropriate levels of access are granted individually only to the above-mentioned recipients.
For systems hosted on EPO premises, the following basic security measures generally apply:
- User authentication and access control (e.g. role-based access control to the systems and network, principles of need-to-know and least privilege);
- Logical security hardening of systems, equipment and network;
- Physical protection: EPO access controls, additional access controls to datacentre, policies on locking offices;
- Transmission and input controls (e.g. audit logging, systems and network monitoring);
- Security incident response: 24/7 monitoring for incidents, on-call security expert.
For personal data processed on systems not hosted on EPO premises, the providers processing the personal data have committed in a binding agreement to comply with their data protection obligations under the applicable data protection legal frameworks. The EPO has also carried out a privacy and security risk assessment. These systems are required to have implemented appropriate technical and organisational measures such as: physical security measures, access and storage control measures, securing data at rest (e.g. by encryption); user, transmission and input control measures (e.g. network firewalls, network intrusion detection system (IDS), network intrusion protection system (IPS), audit logging); conveyance control measures (e.g. securing data in transit by encryption).
6. How can you access, rectify and receive your data, request that your data be erased, or restrict/object to processing? Can your rights be restricted?
You have the right to access, rectify and receive your personal data, not to be subject to a decision based solely on automated processing, to have your data erased and to restrict and/or object to the processing of your data (Articles 18 to 24 DPR).
If you would like to exercise any of these rights, external users should write to DPOexternalusers@epo.org, otherwise please write to the delegated data controller at firstname.lastname@example.org. In order to enable us to respond more promptly and precisely, you always need to provide certain preliminary information with your request. We therefore encourage you to fill out this form (for externals) or this form (for internals) and submit it with your request.
We will reply to your request without undue delay and in any event within one month of receipt of the request. However, Article 15(2) DPR provides that this period may be extended by a further two months where necessary in view of the complexity and number of requests received. We will inform you of any such delay.
7. What is the legal basis for processing your data?
Personal data are processed on the basis of Article 5 DPR, specifically Art 5(a) DPR, namely “processing is necessary for the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the controller, which includes the processing necessary for the Office's management and functioning”.
8. How long do we keep your data?
Personal data will be kept only for the time needed to achieve the purposes for which it is processed. Personal data is kept for as long as the user has an active account. The EPO will delete the account following a 1 year period of inactivity, or upon request of the user to cancel the account. Thus, all personal data is erased upon a user's deactivation/deletion of their account.
In the event of a formal appeal/litigation, all data held at the time the formal appeal/litigation was initiated will be retained until the proceedings have been closed.
9. Contact information
If you have any questions about the processing of your personal data, externals should contact the DPO and/or the delegated controller at DPOexternalusers@epo.org. EPO employees should contact the delegated data controller at email@example.com.
You can also contact our Data Protection Officer at firstname.lastname@example.org.
Review and legal redress
If you consider that the processing infringes your rights as a data subject, you have the right to request review by the controller under Article 49 DPR and, if you disagree with the outcome of the review, the right to seek legal redress under Article 50 DPR.