Data Protection Statement
Protecting your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to protecting your personal data and ensuring respect for data subjects' rights when performing our tasks and providing our services. All data of a personal nature that identify you directly or indirectly will be processed lawfully, fairly and with due care.
The processing operations described below are subject to the EPO Data Protection Rules (DPR).
The information in this statement is provided in accordance with Articles 16 and 17 DPR.
The present privacy statement describes how the EPO’s Principal Directorate Communication collects and processes your personal data when you vote for the Popular Prize of the EPO European Inventor Award.
1. What is the nature and purpose of the processing operation?
This data protection statement explains the way in which your personal data are collected, processed and anonymised or deleted when you vote for the Popular Prize of the European Inventor Award, which takes place once per year.
To give you a clear idea of each year’s nominations and to facilitate the vote, the EPO works with an external provider to develop a microsite through which you can obtain information about the finalists and their inventions, and vote.
In order to vote, you have to enter your email address, so that the system can send you a link through which you can cast your vote. Such personal data will only be used for authentication and statistical purposes.
You can vote from the date of the publication of the microsite until the time announced by the EPO each year. Read the terms and conditions of the vote.
Personal data are processed for the following purposes.
- To allow you to vote for one finalist per day.
- To allow you to share through your social media accounts that you have voted for the Popular Prize. To this end, the microsite uses plug-ins of social media platforms such as Google, YouTube, Facebook, Twitter, Instagram, and LinkedIn.
Please note: if you use the social plug-in functions or watch one of our videos posted on YouTube, this information might also be transmitted directly from your browser to the respective social media providers and may be stored by them. Additionally, if you are logged into your social network accounts when visiting the Popular Prize microsite, the respective social media providers might assign your visit to your social network account and combine this information with other data already stored.
The processing of your data is not intended to be used for any automated decision-making, including profiling.
All collected personal data are immediately deleted or anonymised once the purposes for which they have been processed have been achieved, except for the name of the inventor you voted for.
2. What personal data do we process?
The following categories of personal data are processed.
- Email address, for authentication.
- Name and surname, if they are part of your email address.
- Name of the inventor you voted for each day.
- Cookie consent.
- Other cookies, according to your settings.
Personal data are collected and anonymised for statistical purposes.
3. Who is responsible for processing the data?
Personal data are processed under the responsibility of Principal Directorate Communication, acting as the EPO's delegated data controller.
The external contractor, which is involved in the creation of the microsite and its maintenance, may also access and process personal data.
4. Who has access to your personal data and to whom are they disclosed?
Personal data are disclosed on a need-to-know basis to the EPO staff working in Principal Directorate Communication, and in particular the European Inventor Award team and online team.
Personal data may be disclosed to third-party service providers.
- For maintenance and support purposes.
- Social media platforms, if you use the “share with your network” feature.
Personal data will only be shared with authorised persons responsible for the necessary processing operations. They will not be used for any other purposes or disclosed to any other recipients.
5. How do we protect and safeguard your personal data?
We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss or alteration and unauthorised disclosure or access.
All personal data are stored in secure IT applications in accordance with the EPO's security standards. Appropriate levels of access are granted individually only to the above-mentioned recipients.
For systems hosted on EPO premises, the following basic security measures generally apply.
- User authentication and access control (e.g. role-based access control to the systems and network, principles of need-to-know and least privilege).
- Logical security hardening of systems, equipment and the network.
- Physical protection: EPO access controls, additional access controls to the data centre, policies on locking offices.
- Transmission and input controls (e.g. audit logging, systems and network monitoring).
- Security incident response: 24/7 monitoring for incidents, on-call security expert.
The EPO has adopted a paperless policy management system. However, if paper files containing personal data need to be stored on EPO premises, they are locked in a secure location with restricted access.
For personal data processed on systems not hosted on EPO premises, the external provider has committed in a data protection agreement to comply with their data protection obligations under the applicable legal frameworks for data protection. The EPO has also carried out a privacy and security risk assessment. These external providers are required to have implemented appropriate technical and organisational measures, such as physical security measures, access and storage control measures, data security measures (e.g. encryption), user, transmission and input control measures (e.g. network firewalls, network intrusion detection system (IDS), network intrusion protection system (IPS), audit logging) and conveyance control measures (e.g. securing data in transit by encryption).
6. How can you access, rectify and receive your data, request that your data be erased or restrict/object to processing? Can your rights be restricted?
You have the right to access, rectify and receive your personal data, not to be subject to a decision based solely on automated processing, to have your data erased and to restrict and/or object to the processing of your data (Articles 18 to 24 DPR).
If you would like to exercise any of these rights, please write to the delegated data controller at email@example.com. To enable us to respond more promptly and precisely, you always need to provide certain preliminary information with your request. We therefore encourage you to fill in this form and submit it with your request.
We will reply to your request without undue delay and in any event within one month of receipt of the request. However, Article 15(2) DPR provides that this period may be extended by two further months where necessary in view of the complexity and number of requests received. We will inform you of any such delay.
7. What is the legal basis for processing your data?
Personal data are processed on the basis of Article 5 DPR:
a. Processing is necessary for the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the controller, which includes the processing necessary for the Office's management and functioning.
d. The data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes.
8. How long do we keep your data?
Personal data will be kept only for the time needed to achieve the purposes for which they are processed.
When you vote, all your personal data are directly anonymised, except for the name of the inventor you voted for. The anonymised data are only used for statistical purposes.
The external provider will delete the collected data from their database two weeks after the closing of the voting procedure, which is on the day of the event.
9. Contact information
If you have any questions about the processing of your personal data, please write to the delegated data controller at firstname.lastname@example.org.
You can also contact our Data Protection Officer at email@example.com.
Review and legal redress
If you consider that the processing infringes your rights as a data subject, you have the right to request review by the controller under Article 49 DPR and, if you disagree with the outcome of the review, the right to seek legal redress under Article 50 DPR.