Data protection statement / Privacy Statement on processing personal data in the context of organising and managing meetings and events related to EU-funded projects for external participants
Protecting your privacy is of the utmost importance to the European Union Intellectual Property Office (EUIPO). The Office is committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature that identifies you directly or indirectly will be handled fairly, lawfully and with due care.
This processing operation is subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
The information in this communication is given pursuant to Articles 15 and 16 of Regulation (EU) 2018/1725.
1. What is the nature and purpose of the processing operation?
Personal data is processed when organising and managing events, including meetings, and coordinating follow-up activities, as well as for the purposes of accountability, communication and transparency. This may include registration and accommodation for event participants; logistical support before and during the event, minute-taking and distribution of minutes; recording interviews; web-publication, publication in the in-house magazine or through other media channels such as streaming; and providing participants with further information on future meetings and events.
2. What personal data do we process?
Prior to and during an event, the Office processes participants’ identification data to organise and manage the event. This includes the title, name, surname, nationality, place of residence, contact details, ID number (such as a passport number), email address, position held, organisation/institution, country, city of departure, bank details (for reimbursements, where provided), credit card details (for paid events), and mobile phone number in case of emergencies. Depending on the nature of the event, health-related data, such as mobility and dietary requirements, allergies and intolerances, might be requested. Upon request and consent of the participants, data of family members accompanying the participant may also be processed, if it becomes necessary in the framework of the logistical organisation of events (booking of flights and/or accommodation).
Sound, video, or audio-visual recordings may also be made during events, including during interviews and workshops. When this is the case, images/photos, statements, opinions, etc. may be processed depending on the type and purpose(s) of the recording.
If you do not want to be photographed or recorded, you can choose not to be present when the photographs are being taken or the recording occurs, or contact the event organiser, the International Cooperation and Legal Affairs Department, or the Communication Service who will accommodate your needs, if possible.
3. Who is responsible for processing the data?
Personal data processing is the responsibility of the International Cooperation and Legal Affairs Department (ICLAD) director, acting as the delegated EUIPO data controller, and, where relevant, jointly with the Infrastructure and Buildings Department (IBD) director and the head of the Communication Service.
Personal data may be processed by authorised ICLAD personnel, IBD’s internal hospitality, security and logistics teams, external service providers (such as event management provider ‘Pomilio Blumm’), their subcontractors, and/or the travel agency contracted by the Office. For some events, data may also be processed by the Communication Service’s internal teams and their external providers.
4. Who has access to your personal data and to whom is it disclosed?
Personal data related to external participants and visitors is made accessible only on a need-to-know basis to a public mainly comprising EUIPO staff members, external providers and their subcontractors, but in certain specific cases some data may also be made available to the general public. Due to reporting requirements, personal data related to participants in certain events may be made accessible to the EU delegations and authorised staff members of the European Commission.
Insofar as the event requires the assistance, cooperation, participation or involvement in any way of international organisations (e.g. WIPO), other EU bodies (e.g. CPVO) and/or other entities such as professional associations, national governmental entities or other stakeholders, personal data of the participants such as name, position and contact details may be made available to the authorised staff members, including delegated teams, of these entities. Due to the location of such entities, personal data may need to be transferred to international organisations or third countries outside the European Economic Area.
Personal data may further be made accessible through internal communication tools such as the Office’s internal website ‘Insite’, the in-house magazine ‘Backstage’, videos shown at events, or the EUIPO News programme. Pictures, presentations, live web-streaming and/or audio and video recording of speakers, participants and organisers might be made available on the internet in the context of the Office’s activities etc.
Recipients of personal data might vary depending on the type of recording and event. Purposes can vary from minute-taking to publication on relevant EU-funded websites and the EUIPO website for communication or transparency purposes, publication in the in-house magazine or recording for internal purposes.
Specific information on the exact recipients will be available from the International Cooperation and Legal Affairs Department, the Communication Service and/or the event organisers upon request.
5. How do we protect and safeguard your information?
We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.
All personal data related to the organisation and management of events is stored in secure IT applications according to the Office’s security standards, as well as in specific electronic folders accessible only to authorised recipients. The Office’s systems and servers are password protected and require an authorised username and password to access. The information is stored securely so as to safeguard the confidentiality and privacy of the data therein. Paper documents are kept locked in secure cupboards.
All individuals dealing with personal data in the context of the organisation and management of events must sign a confidentiality declaration.
If any processing of personal data is carried out by a service provider, the relevant department of the Office, acting as data controller, will monitor and verify the implementation of the organisational and technical security measures required to ensure compliance with Regulation (EU) 2018/1725.
6. How can you access your personal information and, if necessary, correct it? How can you receive your data? How can you request that your personal data be erased, or restrict or object to its processing?
You have the right to access, rectify, erase, and receive your personal data, as well as restrict its processing or object to the same, as provided in Articles 17 to 24 of Regulation (EU) 2018/1725.
If you would like to exercise any of these rights, please send a written query explicitly stating your request to the delegated data controller as indicated in section 9 below.
Your request will be answered without undue delay, and in any event within 1 month of receipt of the request. However, according to Article 14(3) of Regulation (EU) 2018/1725, this period may be extended by up to 2 months where necessary, taking into account the complexity and number of requests. The Office will inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.
Please note that withdrawing your consent for the processing of your health-related data will not affect the lawfulness of any processing based on your consent before this consent was withdrawn.
7. What is the legal basis for processing your data?
Personal data is processed in accordance with the following articles of Regulation (EU) 2018/1725:
- Article 5(1)(a), which states that ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body’.
- Article 5(1)(c), which states that ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
- Article 5(1)(d), which states that ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’ (applicable only to health-related data collected during event registration). This data will only be processed when the data controller receives the data subject’s freely given, specific, informed and unambiguous consent.
- Article 5(1)(e), which states that ‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’ (applicable only for mobile telephone numbers when they are collected during registration for an event).
Personal data is collected and processed in accordance with the data protection guidelines for processing personal data for the purpose of organisation and management of EUIPO meetings and events.
8. How long can your data be kept?
Personal data processed by data controllers or the service providers under their supervision will be kept only for the time needed to achieve the purpose for which it is processed.
Personal data (name, number, position, organisation, city of departure, country, signature, data necessary for reimbursements and the related bank details) can be stored, in the case of events organised in the framework of actions co-funded by the European Commission, for a period of 5 years after the end date of the action, including any prolongation of the end date of the related grant agreement. It can further be kept until any ongoing audit, verification, appeal, litigation, pursuit of claim or investigation by OLAF has concluded.
The remaining data (except for participants’ email addresses) will be deleted 6 months after the event at the latest. Health-related data will be stored for 6 months if the participant has not withdrawn their consent, in which case the data will be immediately deleted.
Email addresses can be stored for up to 2 years after the event to ensure the organiser of the event can contact the participant if needed (for the purpose of reimbursement of costs or other issues related to the participant’s attendance).
Notwithstanding the above, some personal data (photographs and/or sound, video and audio-visual recordings of events) might be kept for educational, institutional, recording, informational and/or promotional (internal and external) reasons for a longer period of time if they have been published on a relevant EU-funded website, the Office’s intranet or website, or made available via the Office’s other social media channels or the Academy learning portal. If this is the case, personal data use will be limited as much as possible, for example, by keeping only the name, surname, and photographs.
9. Contact information
Should you have any queries on the processing of your personal data, please address them to the data controller at the following email address: DPOexternalusers@euipo.europa.eu.
You may consult the EUIPO Data Protection Officer at: DataProtectionOfficer@euipo.europa.eu.
Forms of recourse
If your request has not been responded to adequately by the data controller and/or DPO, you can lodge a complaint with the European Data Protection Supervisor at: firstname.lastname@example.org.