Data protection notice

 

The protection of your privacy is of great importance to the European Union Intellectual Property Office (the ‘Office’). We feel responsible for the personal data that we collect and process. Therefore, we are committed to respecting and protecting your personal data and ensuring the efficient exercise of your data subject rights.

This section describes how the Office handles your personal data to perform its tasks (as laid down in EU law) while providing you with its products and services.

 

1. What is the legal framework for data protection applicable to the EUIPO?

The Office collects and processes all personal data in accordance with the provisions of Regulation (EU) No 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (the ‘EU Data Protection Regulation’).

The EU Data Protection Regulation, together with the European Union trade mark regulation (EU) No 2017/1001 (‘EUTMR’), the Community Design regulation (EC) No 6/2002 (‘CDR’) and their implementing acts, set out the data protection requirements applicable to the Office as an EU agency.

Please consult the EU trade mark legal texts and the Community design legal texts for further information.

 

2. What types of personal data do we collect?

The personal data the Office collects and processes relates to you as a natural person.

The Office classifies personal data into two categories:

Mandatory personal data: this refers to the personal data necessary for the performance of the tasks carried out in the public interest that were conferred on the Office or for compliance with a legal obligation to which the Office is subject. To give you some examples: your name and address as an applicant for the purposes of filing a trade mark or design application; your login details to the online services offered by the Office for authentication and security purposes; and/or your name and address as an opponent are processed and made available to the public due to the Office’s legal obligation to maintain a public register.

Non-mandatory personal data: this refers to personal data processed on the basis of consent only. Examples: your dietary and mobility requirements when attending an event at the Office, or your phone number, fax number or email address when you choose to make them publicly available. Access to these data will be restricted to the Office and we will request your consent to make them available to the general public.

The data is collected by electronic means via the Office’s ‘back office’ and ‘front office’ applications

For more information on the categories of personal data processed within the framework of the Office’s IP tasks, please see the EUIPO’s explanatory note.

 

3. What do we use your personal data for?

The Office collects and processes your personal data for several purposes.

  • Administration of the EU trade mark (EUTM) and registered Community design (RCD) systems, concretely:

    • administering the applications and/or registrations including any translation of the required documents;

    • maintaining a public register;

    • accessing the information necessary for conducting the relevant proceedings more easily and efficiently.

     

  • Promotion of the EUTM and RCD systems. This refers to the administration and promotion of the systems, promoting the convergence of practices and tools in the field of trade marks and designs, or the tasks of the European Observatory on Infringements of Intellectual Property Rights. Your personal data will be used for contacting you and for informing you of trade mark or design news, invitations to seminars, workshops and any other communications related to EUIPO products and services.

  • Management of user interactions. When contacting our Information Centre via any of our available communication channels, the Office will collect and process your personal data to be used for providing you with information services, managing your queries and complaints and improving the efficiency and quality of the information services provided. This includes the management of personal data by the Office when handling, digitalising and sorting all incoming correspondence (mail, faxes and some e-communications). When contacting the Office via fax, the Office has implemented a cloud-based fax system to ensure the availability and resiliency of this service.

  • Cooperation with other institutions. The Office will also cooperate with other entities in relation to the tasks conferred on it. As a result of this cooperation, your personal data will be used for:

    • the maintenance and feeding of common or connected databases and portals for worldwide consultation, search and classification purposes;

    • the continuous provision and exchange of data and information.

     

  • Improve our products and services. The Office will use your personal data for producing surveys, reports and statistics enabling us to optimise its operations and improve the functioning of the system. This includes collecting and analysing your feedback to improve your experience and level of satisfaction with the Office.

  • Organisation of events, training and meetings. The Office regularly organises events, such as training and meetings that are open to the public. This requires the management of participant’s personal data for the organisation of the events. If you are participating in a public event organised by the Office, your personal data is managed as described in the specific Privacy Statements under question 12.

  • Recruitment processes. If you have applied for a vacancy published by the Office, your personal data is managed as described in the specific Privacy Statement under question 12. Please note that unsolicited applications and/or CVs are not considered and are always disposed of.

  • Management of Security. For the safety and security of its buildings and assets, the Office has implemented a security management process based on ISO 27001. This includes the management of personal data related to the visitors to the Office, the video surveillance policy and keeping activity logs in the EUIPO systems, according to the best practices in information security.

  • Public procurement. All our procurement procedures are governed by Regulation (EU, Euratom) No 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012.

For more information on how your personal data is managed in each of the above circumstances, please consult question 12.

 

4. What are the legal bases for which we process your personal data?

The Office collects and processes your personal data, primarily, in compliance with Article 5.1(a) and (b) of the EU Data Protection Regulation:

  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

  • for compliance with a legal obligation to which the Office is subject.

In very specific circumstances, the processing is based on consent (Article 5.1(d) of the EU Data Protection Regulation) or another legal basis, as established by the EU Data Protection Regulation.

Each time personal data is processed, it is regulated by specific legal instruments, such as implementing rules, internal rules, etc.

 

5. Who has access to your personal data?

The general public have access to data in relation to information that is considered to be of public interest. Indeed, the Office has a legal obligation to make it accessible to any third party (Register data).

The Office will not make personal data available to the public, other than Register data, unless the party concerned has given his or her express consent. The consequence being that certain personal data provided by you as an applicant, proprietor or representative, for which publication is not a legal obligation (e.g. phone, fax number or email address), may only be accessible to the public if consent is given and provided that the Office’s IT systems can support it.

Please see ED Decision No EX-14-3 and the EUIPO’s explanatory note for further information on what particulars of EUTM and RCD applications and registrations will be publicly available.

Your personal data may also be accessible in the following publications.

  • The European Union Trade Mark and Community Designs Bulletins containing publications of applications and entries in the register, as well as other particulars for which publication is required under the EUTM and RCD regulations.

  • The decisions of the Office, which are made available online for the information and consultation of the general public, in the interests of transparency and predictability.

The public will be able to access your personal data via the EUIPO’s online tools and platforms, or by downloading the information, though only for the purpose of providing third parties and public authorities with the information they need to enable them to exercise the rights conferred on them by the EUTMR and CDR, and to determine the existence of prior rights belonging to third parties.

 

6. For how long is your personal data stored?

The Office will keep your personal data, for which entry in the Register is mandatory, for an indefinite period of time.

Other personal data stored in the database will also be kept indefinitely, though you will have the possibility to request the removal of this personal data from the database 18 months after the expiry of the EU trade mark or the closure of the relevant inter partes procedure. This does not apply to personal data stored in the Register.

Other specific retention periods may be established for specific activities for which your personal data may be processed. You can find more information in each individual privacy statement in question 12.

 

7. How do we protect and safeguard your information?

The Office takes the protection of your personal data very seriously, and therefore applies adequate organisational, technical and security measures to protect it.

Here are examples of these measures:

  • the EUIPO is certified ISO 27001;

  • a EUIPO username and password are required in order to access the EUIPO systems and databases;

  • authentication and authorisation are based on roles;

  • authentication and authorisation are carried out at server level, no anonymous access is allowed;

  • server is physically protected at the Data Processing Centre;

  • logical security hardening of the servers;

  • network security configured to prevent external threats from accessing the mail servers;

  • confidentiality and data protection clauses are signed by service providers;

  • a limited number of duly authorised people with a specific IT profile have editing rights to the back office tools in which your personal data is processed.

 

8. How can you manage or delete your personal data?

You have the right to access, rectify and, where processed on the basis of your consent, port your data at any time. You may also request the erasure of your data that is not included in the Register from the database 18 months after the expiry of the EU trade mark or closure of the relevant inter partes procedure. You also have the right to object to and restrict certain processing of your data. We will review your requests and grant your rights provided that certain conditions are met.

You can edit your personal data and login details, change your settings and manage your subprofiles via your User Area in the Options section. Learn more about how you can exercise your rights in the User Area or in each individual privacy statement in question 12.

 

9. Which cookies are used on our website?

Cookies are small text files sent by a website server and stored on your device (such as a computer, table or phone).

When you visit our website, we use cookies for web session management and authentication and also for web browser security. The cookies are also implemented to ensure a proper technical functioning of the website, and they help us store user preferences and track usage trends on an aggregated basis. For this reason, we may collect some data on your browsing experience, such as your IP address, browser type, language and screen size, the page you visited, the time and date of the visit and the website page you were redirected from.

This information is used to gather aggregated and anonymous statistics with a view to improving our services and your user experience. None of the cookies require your consent. The collection, aggregation and anonymisation of this data are performed in the data centre of the EUIPO under adequate security measures.

Our website also complies with the ‘Do Not Track’ option. If you enable the DNT option in your web browser, we will respect your choice and your browsing experience on our website will not be tracked for our anonymised statistics. Instructions on how to activate this option can be found below:
Firefox
Internet Explorer
Chrome
Safari
Opera

 

10. What use is made of social media on our website?

We use social media to present our work through widely-used and contemporary channels. Our use of social media is highlighted on our website, for instance, you can watch EUIPO videos, which we upload to our YouTube page, and follow links from our website to Twitter, Facebook or LinkedIn.

We do not set any cookies in our display of social media buttons that connect to those services when our website pages are loaded on your computer (or other devices), or from components from those media services embedded in our web pages. Please note, however, that based on your preferences for these external services, some cookies may be loaded, for example, with your preferences for YouTube videos.

Each social media channel has their own policy on the way they process your personal data when you access their sites. More information can be found here:

 

11. How to contact us should you have any questions?

You can contact us for any purpose related to your personal data, by sending a written request to the EUIPO as the data controller responsible for your information, or to the EUIPO Data Protection Officer.

You can use the online communication channels or put your query/concern in writing to:

Post/Courier:
Ms. Mariya Koleva
Data Protection Officer
EUIPO
Avenida de Europa, 4, E-03008 Alicante, Spain

If your request has not been responded to adequately by the data controller and/or DPO, you can lodge a complaint with the European Data Protection Supervisor: https://edps.europa.eu/about-edps/contact_en.

 

12. Need any additional information?

If you want to know more about how we handle your personal data, please also check the EUIPO central register of records of processing activities (a living document, continuously subject to changes) and the following relevant and specific data protection notices (currently only available in English).

 

You can also find additional information in the following links: