Data protection notice
The protection of your privacy is of great importance to the European Union Intellectual Property Office (the ‘Office’). We feel responsible for the personal data that we collect and process. Therefore, we are committed to respecting and protecting your personal data and ensuring the efficient exercise of your data subject rights.
This section describes how the Office handles your personal data to perform its tasks (as laid down in EU law) while providing you with its products and services.
Central Register: EUIPO has the legal obligation to keep a central register of records of activities processing personal data (Article 31 of Regulation 2018/1725). You can know more about EUIPO records of activities processing your personal data at the EUIPO Central Register. For more information about EUIPO Central Register please see question 12 below.
The Office collects and processes all personal data in accordance with the provisions of Regulation (EU) No 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (the ‘EU Data Protection Regulation’). In complement to this text, the [Decision No ADM-18-65 implementing Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 in the European Union Intellectual Property Office] also governs the processing of personal data by EUIPO.
The EU Data Protection Regulation, together with the European Union trade mark regulation (EU) No 2017/1001 (‘EUTMR’), the Community Design regulation (EC) No 6/2002 (‘CDR’) and their implementing acts, set out the data protection requirements applicable to the Office as an EU agency.
The personal data the Office collects and processes relates to you as a natural person.
The Office classifies personal data into two categories:
Mandatory personal data: this refers to the personal data necessary for the performance of the tasks carried out in the public interest that were conferred on the Office or for compliance with a legal obligation to which the Office is subject. To give you some examples: your name and address as an applicant for the purposes of filing a trade mark or design application; your login details to the online services offered by the Office for authentication and security purposes; and/or your name and address as an opponent are processed and made available to the public due to the Office’s legal obligation to maintain a public register.
Non-mandatory personal data: this refers to personal data processed on the basis of consent only. Examples: your dietary and mobility requirements when attending an event at the Office, or your phone number, fax number or email address when you choose to make them publicly available. Access to these data will be restricted to the Office and we will request your consent to make them available to the general public.
The data is collected by electronic means via the Office’s ‘back office’ and ‘front office’ applications
For more information on the categories of personal data processed within the framework of the Office’s IP tasks, please see the EUIPO’s explanatory note.
The Office collects and processes your personal data for several purposes.
- Administration of the EU trade mark (EUTM) and registered Community design (RCD) systems, concretely:
- administering the applications and/or registrations including any translation of the required documents;
- maintaining a public register;
- accessing the information necessary for conducting the relevant proceedings more easily and efficiently.
- Promotion of the EUTM and RCD systems. This refers to the administration and promotion of the systems, promoting the convergence of practices and tools in the field of trade marks and designs, or the tasks of the European Observatory on Infringements of Intellectual Property Rights. Your personal data will be used for contacting you and for informing you of trade mark or design news, invitations to seminars, workshops and any other communications related to EUIPO products and services.
- Management of user interactions. When contacting our Information Centre via any of our available communication channels, the Office will collect and process your personal data to be used for providing you with information services, managing your queries and complaints and improving the efficiency and quality of the information services provided. This includes the management of personal data by the Office when handling, digitalising and sorting all incoming correspondence (mail, faxes and some e-communications). When contacting the Office via fax, the Office has implemented a cloud-based fax system to ensure the availability and resiliency of this service.
- Cooperation with other institutions. The Office will also cooperate with other entities in relation to the tasks conferred on it. As a result of this cooperation, your personal data will be used for:
- the maintenance and feeding of common or connected databases and portals for worldwide consultation, search and classification purposes;
- the continuous provision and exchange of data and information.
- Improve our products and services. The Office will use your personal data for producing surveys, reports and statistics enabling us to optimise its operations and improve the functioning of the system. This includes collecting and analysing your feedback to improve your experience and level of satisfaction with the Office.
- Organisation of events, training and meetings. The Office regularly organises events, such as training and meetings that are open to the public. This requires the management of participant’s personal data for the organisation of the events. If you are participating in a public event organised by the Office, your personal data is managed as described in the specific Privacy Statements under question 12.
- Recruitment processes. If you have applied for a vacancy published by the Office, your personal data is managed as described in the specific Privacy Statement under question 12. Please note that unsolicited applications and/or CVs are not considered and are always disposed of.
- Management of Security. For the safety and security of its buildings and assets, the Office has implemented a security management process based on ISO 27001. This includes the management of personal data related to the visitors to the Office, the video surveillance policy and keeping activity logs in the EUIPO systems, according to the best practices in information security.
- Public procurement. All our procurement procedures are governed by Regulation (EU, Euratom) No 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012.
For more information on how your personal data is managed in each of the above circumstances, please consult question 12.
The Office collects and processes your personal data, primarily, in compliance with Article 5.1(a) and (b) of the EU Data Protection Regulation:
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;
- for compliance with a legal obligation to which the Office is subject.
In very specific circumstances, the processing is based on consent (Article 5.1(d) of the EU Data Protection Regulation) or another legal basis, as established by the EU Data Protection Regulation.
Each time personal data is processed, it is regulated by specific legal instruments, such as implementing rules, internal rules, etc.
The general public have access to data in relation to information that is considered to be of public interest. Indeed, the Office has a legal obligation to make it accessible to any third party (Register data).
The Office will not make personal data available to the public, other than Register data, unless the party concerned has given his or her express consent. The consequence being that certain personal data provided by you as an applicant, proprietor or representative, for which publication is not a legal obligation (e.g. phone, fax number or email address), may only be accessible to the public if consent is given and provided that the Office’s IT systems can support it.
Your personal data may also be accessible in the following publications.
- The European Union Trade Mark and Community Designs Bulletins containing publications of applications and entries in the register, as well as other particulars for which publication is required under the EUTM and RCD regulations.
- The decisions of the Office, which are made available online for the information and consultation of the general public, in the interests of transparency and predictability.
The public will be able to access your personal data via the EUIPO’s online tools and platforms, or by downloading the information, though only for the purpose of providing third parties and public authorities with the information they need to enable them to exercise the rights conferred on them by the EUTMR and CDR, and to determine the existence of prior rights belonging to third parties.
The Office will keep your personal data, for which entry in the Register is mandatory, for an indefinite period of time.
Other personal data stored in the database will also be kept indefinitely, though you will have the possibility to request the removal of this personal data from the database 18 months after the expiry of the EU trade mark or the closure of the relevant inter partes procedure. This does not apply to personal data stored in the Register.
Other specific retention periods may be established for specific activities for which your personal data may be processed. You can find more information in each individual privacy statement in question 12.
The Office takes the protection of your personal data very seriously, and therefore applies adequate organisational, technical and security measures to protect it.
Here are examples of these measures, implemented at the EUIPO premises:
- the EUIPO is certified ISO 27001;
- a EUIPO username and password are required in order to access the EUIPO systems and databases;
- authentication and authorisation are based on roles;
- authentication and authorisation are carried out at server level, no anonymous access is allowed;
- server is physically protected at the Data Processing Centre;
- logical security hardening of the servers;
- network security configured to prevent external threats from accessing the mail servers;
- confidentiality and data protection clauses are signed by service providers;
- a limited number of duly authorised people with a specific IT profile have editing rights to the back office tools in which your personal data is processed.
In addition, the EUIPO also implements certain services of Amazon Web Services (AWS) such as ‘Desktop as a Service’ in order to support the EUIPO infrastructure. The security measures implemented by the EUIPO to protect your personal data in AWS are described in detail here. Further information is available in the AWS Cloud Security Center.
You have the right to access, rectify and, where processed on the basis of your consent, port your data at any time. You may also request the erasure of your data that is not included in the Register from the database 18 months after the expiry of the EU trade mark or closure of the relevant inter partes procedure. You also have the right to object to and restrict certain processing of your data. We will review your requests and grant your rights provided that certain conditions are met.
In principle, we cannot accept verbal requests (telephone or face-to-face) as we may not be able to deal with your request immediately without first analysing it and reliably identifying you.
You can edit your personal data and login details, change your settings and manage your subprofiles via your User Area in the Options section. For any other matters, you can send your request through the Contact Form in your User Area or send us an email to DPOexternalusers@euipo.europa.eu
Your request should contain a detailed, accurate description of the data you want access to or would like to exercise your other rights towards.
In certain cases, and if your request is not made through your User Area, we will ask you to provide additional information which is necessary for us to confirm your identity. This additional information will only be used to verify your identity and will not be stored for longer than needed for this purpose.
Cookies are small text files sent by a website server and stored on your device (such as a computer, table or phone).
This information is used to gather aggregated and anonymous statistics with a view to improving our services and your user experience. None of the cookies require your consent. The collection, aggregation and anonymisation of this data are performed in the data centre of the EUIPO under adequate security measures.
Our website also complies with the ‘Do Not Track’ option. If you enable the DNT option in your web browser, we will respect your choice and your browsing experience on our website will not be tracked for our anonymised statistics. Instructions on how to activate this option can be found below:
We use social media to present our work through widely-used and contemporary channels. Our use of social media is highlighted on our website, for instance, you can watch EUIPO videos, which we upload to our YouTube page, and follow links from our website to Twitter, Facebook or LinkedIn.
We do not set any cookies in our display of social media buttons that connect to those services when our website pages are loaded on your computer (or other devices), or from components from those media services embedded in our web pages. Please note, however, that based on your preferences for these external services, some cookies may be loaded, for example, with your preferences for YouTube videos.
Each social media channel has their own policy on the way they process your personal data when you access their sites. More information can be found here:
You can contact us for any purpose related to your personal data, by sending a written request to the EUIPO as the data controller responsible for your information, or to the EUIPO Data Protection Officer.
You can use the online communication channels or put your query/concern in writing to:
Ms. Gloria Folguera Ventura
Data Protection Officer
Avenida de Europa, 4, E-03008 Alicante, Spain
If your request has not been responded to adequately by the data controller and/or DPO, you can lodge a complaint with the European Data Protection Supervisor: https://edps.europa.eu/about-edps/contact_en.
If you want to know more about how we handle your personal data please check the EUIPO Central Register (a living document, continuously subject to changes) and the relevant and specific data protection notices (currently only available in English) which are listed below.
The Central Register shall contain at least the following information (Article 31(1) of the Regulation (EU) 2018/1725):
- name and contact details of the controller, the data protection officer and, where applicable, the processor and the joint controller;
- the purposes of the processing;
- description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- where applicable, transfers of personal data to a third country or an international organisation and the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures to protect those personal data”
The privacy statements shall contain the information provided in Articles 15 and Article 16 of the Regulation (EU) 2018/1725. The list of relevant and specific data protection notices (currently only available in English), with hyperlinks to the relevant privacy statements, follows:
- Promotion of the EUTM and RCD systems:
- Management of User Interactions:
- Improve our products and services:
- EUIPO´s Newsletters
- GetResponse Tool
- Organisation of events, training and meetings; MS Teams Data Protection Privacy Statement; Zoom Data Protection Privacy Statement; Academy learning portal
- School and University Visits
- Recruitment processes
- Management of Security. This includes the management of personal data related to the visitors to the Office, the video surveillance policy and keeping activity logs in the EUIPO systems.
- Procurement and Grants procedure
You can also find additional information in the following links: