Data protection notice
The protection of your privacy is of great importance to the European Union Intellectual Property Office (the ‘Office’). We feel responsible for the personal data that we collect and process. Therefore, we are committed to respecting and protecting your personal data and ensuring the efficient exercise of your data subject rights.
This section describes how the Office handles your personal data to perform its tasks (as laid down in EU law) while providing you with its products and services.
Central Register: EUIPO has the legal obligation to keep a central register of records of activities processing personal data (Article 31 of Regulation 2018/1725). You can know more about EUIPO records of activities processing your personal data at the EUIPO Central Register. For more information about EUIPO Central Register please see question 11 below.
1. What is the legal framework for data protection applicable to the EUIPO?
The Office collects and processes all personal data in accordance with the provisions of Regulation (EU) No 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (the ‘EU Data Protection Regulation’). In complement to this text, the [Decision No ADM-18-65 implementing Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 in the European Union Intellectual Property Office] also governs the processing of personal data by EUIPO.
The EU Data Protection Regulation, together with the European Union trade mark regulation (EU) No 2017/1001 (‘EUTMR’), the Community Design regulation (EC) No 6/2002 (‘CDR’) and their implementing acts, set out the data protection requirements applicable to the Office as an EU agency.
Please consult the EU trade mark legal texts and the Community design legal texts for further information.
2. What types of personal data do we collect?
The personal data the Office collects and processes relates to you as a natural person.
The Office classifies personal data into two categories:
Mandatory personal data: this refers to the personal data necessary for the performance of the tasks carried out in the public interest that were conferred on the Office or for compliance with a legal obligation to which the Office is subject. To give you some examples: your name and address as an applicant for the purposes of filing a trade mark or design application; your login details to the online services offered by the Office for authentication and security purposes; and/or your name and address as an opponent are processed and made available to the public due to the Office’s legal obligation to maintain a public register.
Non-mandatory personal data: this refers to personal data processed on the basis of consent only. Examples: your dietary and mobility requirements when attending an event at the Office, or your phone number, fax number or email address when you choose to make them publicly available. Access to these data will be restricted to the Office and we will request your consent to make them available to the general public.
The data is collected by electronic means via the Office’s ‘back office’ and ‘front office’ applications
For more information on the categories of personal data processed within the framework of the Office’s IP tasks, please see the EUIPO’s explanatory note.
3. What do we use your personal data for?
The Office collects and processes your personal data for several purposes.
- Administration of the EU trade mark (EUTM) and registered Community design (RCD) systems, concretely:
- administering the applications and/or registrations including any translation of the required documents;
- maintaining a public register;
- accessing the information necessary for conducting the relevant proceedings more easily and efficiently.
- Promotion of the EUTM and RCD systems. This refers to the administration and promotion of the systems, promoting the convergence of practices and tools in the field of trade marks and designs, or the tasks of the European Observatory on Infringements of Intellectual Property Rights. Your personal data will be used for contacting you and for informing you of trade mark or design news, invitations to seminars, workshops and any other communications related to EUIPO products and services.
- Management of user interactions. When contacting our Information Centre via any of our available communication channels, the Office will collect and process your personal data to be used for providing you with information services, managing your queries and complaints and improving the efficiency and quality of the information services provided. This includes the management of personal data by the Office when handling, digitalising and sorting all incoming correspondence (mail, faxes and some e-communications). When contacting the Office via fax, the Office has implemented a cloud-based fax system to ensure the availability and resiliency of this service.
- Cooperation with other institutions. The Office will also cooperate with other entities in relation to the tasks conferred on it. As a result of this cooperation, your personal data will be used for:
- the maintenance and feeding of common or connected databases and portals for worldwide consultation, search and classification purposes;
- the continuous provision and exchange of data and information.
- Improve our products and services. The Office will use your personal data for producing surveys, reports and statistics enabling us to optimise its operations and improve the functioning of the system. This includes collecting and analysing your feedback to improve your experience and level of satisfaction with the Office.
- Organisation of events, training and meetings. The Office regularly organises events, such as training and meetings that are open to the public. This requires the management of participant’s personal data for the organisation of the events. If you are participating in a public event organised by the Office, your personal data is managed as described in the specific Privacy Statements under question 11.
- Recruitment processes. If you have applied for a vacancy published by the Office, your personal data is managed as described in the specific Privacy Statement under question 11. Please note that unsolicited applications and/or CVs are not considered and are always disposed of.
- Management of Security. For the safety and security of its buildings and assets, the Office has implemented a security management process based on ISO 27001. This includes the management of personal data related to the visitors to the Office, the video surveillance policy and keeping activity logs in the EUIPO systems, according to the best practices in information security.
- Public procurement. All our procurement procedures are governed by Regulation (EU, Euratom) No 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012.
For more information on how your personal data is managed in each of the above circumstances, please consult question 11.
4. What are the legal bases for which we process your personal data?
The Office collects and processes your personal data, primarily, in compliance with Article 5.1(a) and (b) of the EU Data Protection Regulation:
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
- for compliance with a legal obligation to which the Office is subject.
In very specific circumstances, the processing is based on consent (Article 5.1(d) of the EU Data Protection Regulation) or another legal basis, as established by the EU Data Protection Regulation.
Each time personal data is processed, it is regulated by specific legal instruments, such as implementing rules, internal rules, etc.
5. Who has access to your personal data?
The general public have access to data in relation to information that is considered to be of public interest. Indeed, the Office has a legal obligation to make it accessible to any third party (Register data).
The Office will not make personal data available to the public, other than Register data, unless the party concerned has given his or her express consent. The consequence being that certain personal data provided by you as an applicant, proprietor or representative, for which publication is not a legal obligation (e.g. phone, fax number or email address), may only be accessible to the public if consent is given and provided that the Office’s IT systems can support it.
Please see ED Decision No EX-21-4 and the EUIPO’s explanatory note for further information on what particulars of EUTM and RCD applications and registrations will be publicly available.
Your personal data may also be accessible in the following publications.
- The European Union Trade Mark and Community Designs Bulletins containing publications of applications and entries in the register, as well as other particulars for which publication is required under the EUTM and RCD regulations.
- The decisions of the Office, which are made available online for the information and consultation of the general public, in the interests of transparency and predictability.
The public will be able to access your personal data via the EUIPO’s online tools and platforms, or by downloading the information, though only for the purpose of providing third parties and public authorities with the information they need to enable them to exercise the rights conferred on them by the EUTMR and CDR, and to determine the existence of prior rights belonging to third parties.
6. For how long is your personal data stored?
The Office will keep your personal data, for which entry in the Register is mandatory, for an indefinite period of time.
Other personal data stored in the database will also be kept indefinitely, though you will have the possibility to request the removal of this personal data from the database 18 months after the expiry of the EU trade mark or the closure of the relevant inter partes procedure. This does not apply to personal data stored in the Register.
Other specific retention periods may be established for specific activities for which your personal data may be processed. You can find more information in each individual privacy statement in question 11.
7. How do we protect and safeguard your information?
The Office takes the protection of your personal data very seriously, and therefore applies adequate organisational, technical and security measures to protect it.
Here are examples of these measures, implemented at the EUIPO premises:
- the EUIPO is certified ISO 27001;
- a EUIPO username and password are required in order to access the EUIPO systems and databases;
- authentication and authorisation are based on roles;
- authentication and authorisation are carried out at server level, no anonymous access is allowed;
- server is physically protected at the Data Processing Centre;
- logical security hardening of the servers;
- network security configured to prevent external threats from accessing the mail servers;
- Our website is protected by anti-bot technology, as described in the Configuring Bot Defense and Detecting and Preventing Web Scrapping knowledge articles. Please note that as described in these links, this may involve accessing device sensors locally in your device, but under no circumstances this information is shared with EUIPO. This will only tell us how likely it is that a visitor is a bot.
- confidentiality and data protection clauses are signed by service providers;
- a limited number of duly authorised people with a specific IT profile have editing rights to the back office tools in which your personal data is processed.
In addition, the EUIPO also implements certain services of Amazon Web Services (AWS) such as ‘Desktop as a Service’ in order to support the EUIPO infrastructure. The security measures implemented by the EUIPO to protect your personal data in AWS are described in detail here. Further information is available in the AWS Cloud Security Center.
8. What are your rights related to the processing of personal data? How to exercise your rights? Can your rights be restricted?
Rights related to your personal data
What does it mean
To be informed
You have the right to know how the Office handles your personal data (including information about the controller, the purpose, the legal bases, the types of personal data used, who receives your data and the time limits for keeping it, as well as possible transfers of personal data to third countries). Please consult this Data Protection Notice and in particular question 11 for further information on specific privacy statements.
To access the data
You have the right to know whether the Office processes your personal data, including for which purpose, the types of data, data recipients, time limits, as well as possible transfers of personal data to third countries.
To rectify the data
You can obtain the rectification of your personal data if they are incomplete or inaccurate.
To erase the data (‘right to be forgotten’)
Under certain circumstances, you can request that your personal data be erased (e.g. when the data is no longer necessary for the purpose for which they were collected). Please remember that you can request that your personal data be erased from the Database 18 months after the expiry of the EU trade mark, or the closure of the relevant inter partes procedure. This right does not apply to personal data entered in the Register.
To restrict processing of the data
You can request that the Office restrict the processing of your personal data under certain circumstances (e.g. when the accuracy of the data is contested).
To data portability
You have the right to request that the Office send you your personal data in a structured, commonly used, and machine-readable format under certain circumstances (e.g.: we have your explicit consent for processing your personal data).
To object to the processing of your data
You can object to the processing of your personal data by the Office under certain circumstances.
How to exercise your data protection rights
- You can manage your privacy settings and edit your personal data in your User Area account at any time. Please log into your User Area and go to the ‘Options’ section. In ‘Options’ you can edit your personal data and login details, change your settings, and manage your sub profiles via your User Area;
- You can always send us an email at DPOexternalusers@euipo.europa.eu. Please remember we cannot accept verbal requests (telephone or face-to-face) as we may not be able to properly identify you or deal with your request immediately:
- Your email request should be as detailed as possible. We need an accurate description of the data, the purpose for which it was collected and how they were collected;
- Don’t forget to mention which of the rights above you wish to exercise.
- We will deal with your request without delay and help you exercise your rights, provided that the conditions for exercising them are met:
- Occasionally, in order to identify you and find your data, we may need additional information. This will only be used to verify your identity and to help you exercise your rights. It will not be stored for longer than needed for this purpose;
- Very occasionally, we may not be able to help you exercise your rights if the conditions are not met. In such situations, we will inform you as to why you cannot exercise this right.
Can your rights be restricted?
Data protection is not an absolute right. It must always be balanced against other fundamental rights and there may be circumstances where one or several of the above-mentioned rights may be refused to be granted.
These rights may also be restricted for a temporary period of time on the legitimate grounds established by Article 25 of Regulation (EU) 2018/1725, by legal acts adopted on the basis of the Treaties, or under the Internal Rules laid down in the Decision of the Management Board of the European Union Intellectual Property Office (EUIPO) of 26 March 2020. The Internal Rules provide that any such restriction will be limited in time, that it will be proportionate and that it will respect the essence of the above-mentioned rights.
As a general rule, you will be informed of the main reasons for a restriction. You will also be informed of your right to make a complaint to the EDPS, or to seek judicial remedy. Nevertheless, there are some circumstances in which we will not inform you of these reasons. The restriction will be lifted as soon as the circumstances justifying the restriction are no longer applicable. You will receive a specific data protection notice when this period has passed.
If you wish to learn more about how you can exercise your rights, you can check the User Area or each individual privacy statement in question 11. Please see the EUIPO’s Explanatory note for more information on exercising your rights in the context of the trade mark and design procedures before the Office.
9. Which cookies are used on our website?
If you want to read more about the cookies that we use, how and why we use them and how you can change your settings, please check our cookies page
10. How to contact us should you have any questions?
You can contact us for any purpose related to your personal data, by sending a written request to the EUIPO as the data controller responsible for your information, or to the EUIPO Data Protection Officer.
You can use the online communication channels or put your query/concern in writing to:
Ms. Gloria Folguera Ventura
Data Protection Officer
Avenida de Europa, 4, E-03008 Alicante, Spain
If your request has not been responded to adequately by the data controller and/or DPO, you can lodge a complaint with the European Data Protection Supervisor: https://edps.europa.eu/about-edps/contact_en.
11. Need any additional information?
If you want to know more about how we handle your personal data please check the EUIPO Central Register (a living document, continuously subject to changes) and the relevant and specific data protection notices (currently only available in English) which are listed below.
The Central Register shall contain at least the following information (Article 31(1) of the Regulation (EU) 2018/1725):
- name and contact details of the controller, the data protection officer and, where applicable, the processor and the joint controller;
- the purposes of the processing;
- description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- where applicable, transfers of personal data to a third country or an international organisation and the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures to protect those personal data”
The privacy statements shall contain the information provided in Articles 15 and Article 16 of the Regulation (EU) 2018/1725. The list of relevant and specific data protection notices (currently only available in English), with hyperlinks to the relevant privacy statements, follows:
- Promotion of the EUTM and RCD systems and data on GIs:
- eSearch Case Law
- eSearch Plus
- RCD Download
- EUTM Download
- Collection of misleading invoices addressed to IP systems users
- EUIPO eRegister
- EUIPO eRegister
- Persons Module (PER)
- GI View
- Mediation and other alternative dispute resolution (ADR) services
- Users interactions and services:
- Online Chat
- Management of User Interactions
- Pro Bono and EDR services
- User Area
- Stakeholder Quality Assurance Panels (SQAP) audit
- Ideas powered for business
- Observatory activities:
- Events, meetings and visits:
- Training & Learning activities:
- Internal management of the Office:
- Mail Management Services
- Management of access to the Office
- Video surveillance policy
- Keeping activity logs in the EUIPO systems
- Recruitment processes
- Selection and recruitment procedures of Trainees at EUIPO
- Selection and appointment procedures for the posts of Executive Director, Deputy Executive Director, and President, Chairpersons and Members of the Boards of Appeal
You can also find additional information in the following links: