Privacy statement on processing personal data within the procedure of the EUIPO Academy Learning Portal
Protecting your privacy is of the utmost importance to the European Union Intellectual Property Office (‘EUIPO’ or ‘us’ or ‘the controller’). The Office is committed to respecting and protecting your personal data and ensuring your rights as a data subject. All data of a personal nature that identifies you directly or indirectly will be handled fairly, lawfully and with due care.
This processing operation is subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
The information in this communication is given pursuant to Articles 15 and 16 of Regulation (EU) 2018/1725.
This statement refers to the EUIPO Academy Learning Portal (EUIPO ALP) system, which is the learning management system for online training at the EUIPO. As EUIPO ALP contains individuals’ personal data, its processing falls within the provisions of the abovementioned Regulation.
This privacy statement explains the way in which EUIPO ALP uses its users’ personal data (i.e. users with an EUIPO corporate account: staff, seconded national experts, trainees and external service providers; general users and Pan European Seal users) (EUIPO ALP users) as well as the way in which the privacy of such data is protected.
1. What is the nature and the purpose of the processing operation?
Personal data is processed for the following purposes:
- to plan and organise and promote training activities for EUIPO ALP users;
- to create a training history log for EUIPO staff, which will be available in the HR Portal;
- to issue certificates of participation for the different training courses;
- to collect feedback from participants so that the controller can promote and deliver better and more effective training, according to participants’ needs and knowledge as well as the skills necessary for their job;
- to keep logs that include user activity (access time, actions, etc.), which could be used to resolve user incidents.
EUIPO ALP covers all needs on the treatment of information for the EUIPO’s online management of training. The necessary profile information is generated during the registration process and EUIPO ALP account creation. The account allows the user to enrol in different courses and his or her profile data is used to track individual progress. The user can edit his or her profile data and request that the controller delete it.
2. What personal data do we process?
The types of personal data processed are as follows:
Mandatory personal data is collected to create the user account:
Profile information: Username, Password, First name, Surname, Email address, City/Town, Country, Nationality, Date of birth.
In addition, the following non-mandatory personal data could be collected if the user so wishes; however, this is not required for creating an account or for participating in a training course:
Other profile information: Time zone, Description box, User picture (file to upload), First name ─ phonetic, Surname ─ phonetic, Middle name, Alternate name, Date of birth, Web page, ICQ number, Skype ID, AIM MD, Yahoo ID, MSN ID, ID number, Institution, Department, Phone, Mobile phone, Address, Department code, Area code, Area description, Service code, Service description, Sector code, Sector description, Active, Employee position, Gender, Nationality, LinkedIn, Facebook, Twitter, University/Centre.
Finally, the following data is produced by the system based on a user’s activity:
- EUIPO ALP courses enrolled in, first access to EUIPO ALP (date and time), last access to EUIPO ALP (date and time);
- User comments in forums and messages;
- Logs, user connection data (such as IP, date, time);
- Completion results and date of completion;
- Certificates of completion;
- Survey results.
3. Who is responsible for processing the data?
Personal data processing is the responsibility of the Director of the Academy Department, acting as the delegated EUIPO data controller.
Personal data is processed by the EUIPO staff involved in the management of the EUIPO ALP, both from the Academy Department and from the Digital Transformation Department.
External contractors involved in maintaining the EUIPO ALP, and also course trainers, may also have access to relevant personal data.
All processing operations of a personal data are duly notified to the EUIPO’s Data Protection Officer (DPO) and, if necessary, to the European Data Protection Supervisor.
4. Who has access to your personal data and to whom is it disclosed?
Not all users have the same access rights to personal data. Each user’s profile (function and responsibility) determines their need and entitlement to access specific sets of data based on a specific system role.
Personal data is disclosed to the following recipients below.
- EUIPO Academy staff involved in the management of EUIPO ALP has access to the data.
- EUIPO Human Resources Department staff involved in the migration of completed courses to the HR Portal has access to the data, to be processed as described in the Privacy Statement of the HR Portal. This information is also made available to the EUIPO staff’s line managers.
- The EUIPO Digital Transformation Department, as an internal processor in the role of application manager, has access to the data.
- Deloitte, as an external processor providing services to Human Resources Department (consultancy services related to the EUIPO ALP), may have an access to the data.
- IECISA-ALTIA and INTRASOFT, as external processors providing services to Digital Transformation Department (EUIPO ALP administration and queries) have access to personal data on a strictly need-to-know basis.
- Linguarama Iberica S.A., as an external processor providing services to Academy Department exclusively for language courses, has access to personal data on a strictly need-to-know basis.
- Skillsoft and Videoarts, as external processors providing services to Academy Department exclusively for e-learning content, have access to the following personal data: first name, surname and user name.
- EUIPO Infrastructure and Buildings Department as internal processor and Pomilio Blumm as external processor, providing services to IBD as described in DPR-2019-007.
- In certain ALP courses, participants' usernames, names and surnames are disclosed to the other participants in the same course.
- Data will only be shared with authorised persons responsible for the corresponding processing operations. Data is not used for any other purposes or disclosed to any other recipients.
5. How do we protect and safeguard your information?
We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.
All personal data related to EUIPO ALP is stored in secure IT applications according to the Office’s security standards. These include:
- role-based access control to the systems and network;
- logical security hardening of systems, equipment and network;
- physical protection via a secure Data Protection Centre.
Security measures are reviewed periodically by external auditors (ISO 27001 and SOC 2).
Data is stored in the content management system (EUIPO ALP) on a database server (MySql) in accordance with the security standards of the Office.
- Information is stored in security hardened servers with access control measures and protected by a username and password. Anonymous access will not be allowed.
- Authentification and authorisation to view and access information is based on roles.
- Access to EUIPO ALP for roles with permission to view personal data is restricted by username and password and subject to prior validation by Academy Department.
- Servers are physically protected at the Data Protection Centre.
- Networking security is configured to prevent external threats from accessing the servers.
6. How can you access your personal information and, if necessary, correct it? How can you receive your data? How can you request that your personal data be erased, or restrict or object to its processing?
You have the right to access, rectify, erase and receive your personal data, as well as restrict its processing and object to the same, as provided in Articles 17 to 24 of Regulation (EU) 2018/1725.
If you would like to exercise any of these rights, please send a written query explicitly specifying your request to the delegated data controller, the Director of the EUIPO Academy Department at: Academy@euipo.europa.eu.
Your request will be answered without undue delay, and in any event within 1 month of receipt of the request. However, according to Article 14(3) of Regulation (EU) 2018/1725, that period may be extended by up to 2 months where necessary, taking into account the complexity and number of requests. The Office will inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.
7. What is the legal basis for processing your data?
Personal data is processed in accordance with Article 5(1)(a) of Regulation (EU) 2018/1725.
Personal data is collected and processed in accordance with the following legal instruments: Article 24a of the Staff Regulations of Officials of the European Union, Article 151(1) of Regulation (EU) 2017/1001 on the European Union trade mark and Article 9 of Decision No ADM‑17‑66 on the Internal Structure of the Office.
8. How long can data be kept?
Personal data will be kept only for the time needed to achieve the purposes for which it is processed.
For general users and Pan European Seal users (users who do not have an EUIPO corporate account), data is kept for as long as the user has an active account. The EUIPO will delete the account following a 10-year period of inactivity, or upon request of the user to cancel the account.
For EUIPO users (users with an EUIPO corporate account), the account will remain active as long as there is a contractual relationship with the EUIPO. All data will be deleted 2 months after the contract is finished.
In the event of a formal appeal, all data held at the time of the appeal will be retained until the completion of the appeal process.
9. Which cookies are used on our website?
Cookies are small text files sent by a website server and stored on your device (such as a computer, table or phone).
This information is used to gather aggregated and anonymous statistics with a view to improving our services and your user experience. None of the cookies require your consent. The collection, aggregation and anonymisation of this data are performed in the data centre of the EUIPO under adequate security measures.
Our website also complies with the ‘Do Not Track’ option. If you enable the DNT option in your web browser, we will respect your choice and your browsing experience on our website will not be tracked for our anonymised statistics. Instructions on how to activate this option can be found below:
10. Contact information
Should you have any queries on the processing of your personal data:
- If you are EUIPO staff please address them to the data controller, the Director of the Academy at: Academy@euipo.europa.eu.
- If you are an external user, please address your questions to: DPOexternalusers@euipo.europa.eu.
You may also consult the EUIPO DPO at: DataProtectionOfficer@euipo.europa.eu.
Forms of recourse
If your request has not been responded to adequately by the data controller and/or DPO, you can lodge a complaint with the European Data Protection Supervisor at: firstname.lastname@example.org.