(1)

Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the Union to third countries and international organisations to the extent that such transfers fall within its scope of application. The rules on international data transfers are laid down in Chapter V (Articles 44 to 50) of that Regulation. While the flow of personal data to and from countries and international organisations outside the Union is essential for the expansion of cross-border trade and international cooperation, the level of protection afforded to personal data in the Union must not be undermined by transfers to third countries and international organisations (2).

(2)

Pursuant to Article 45(3) of Regulation (EU) 2016/679, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensure(s) an adequate level of protection. Under that condition, transfers of personal data to an international organisation may take place without the need to obtain any further authorisation, as provided for in Article 45(1) and set out recital 103 of Regulation (EU) 2016/679.

(3)

As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision is to be based on a comprehensive analysis of the international organisation’s legal regime, covering both the rules applicable to data importers and the limitations and safeguards as regards access to personal data by public authorities. In its assessment, the Commission must determine whether the international organisation in question guarantees a level of protection ‘essentially equivalent’ to that ensured within the Union (3). The standard against which the ‘essential equivalence’ is assessed is that set by Union legislation, notably Regulation (EU) 2016/679, as well as the case law of the Court of Justice of the European Union (4). The European Data Protection Board’s (EDPB) ‘adequacy referential’ is also of significance in this regard to further clarify that standard and provide guidance (5).

(4)

As clarified by the Court of Justice, a third country, or international organisation, cannot be required to ensure a level of protection identical to that guaranteed in the Union legal order (6). In particular, the means to which the third country or international organisation in question has recourse for protecting personal data may differ from the ones employed in the Union, as long as they prove, in practice, effective for ensuring an adequate level of protection (7). The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test lies in whether, through the substance of privacy rights and data protection safeguards (including their effective implementation, supervision and enforcement), as well as through the circumstances surrounding a transfer of personal data, the foreign system as a whole delivers the required level of protection (8).

(5)

The Commission has analysed the legal framework and practice of the European Patent Organisation. Based on the findings set out in recitals 7 to 100, the Commission concludes that the European Patent Organisation (EPO) ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the Union to the EPO.

(6)

Pursuant to this Decision, transfers from controllers and processors in the Union to the European Patent Organisation may take place without the need to obtain any further authorisation. This Decision should not affect the direct application of Regulation (EU) 2016/679 to such entities where the conditions regarding the territorial scope laid down in Article 3 of that Regulation are fulfilled.

(7)

The European Patent Organisation is an intergovernmental organisation that was set up on 7 October 1977 on the basis of the European Patent Convention (EPC). The Organisation has its seat in Munich and has 39 contracting States, comprising all Member States of the Union, Iceland, Norway, and Liechtenstein, as well as Albania, North Macedonia, Monaco, San Marino, Serbia, Switzerland, Montenegro, the United Kingdom, and Türkiye (9).

(8)

The Organisation has legal personality (10) and consists of two organs (11): the European Patent Office (Office) and the Administrative Council. The EPO’s main task is the granting of European patents (12) in accordance with the EPC, which is done by the Office under the supervision of the Administrative Council. The Administrative Council consists of representatives of the contracting States and it exercises legislative powers on behalf of the EPO. It is also responsible for policy issues and supervises the Office’s activities (13). The Office, which acts as the executive arm of the EPO, is headed by a President (14) who manages the Office (President) and is accountable to the Administrative Council (15). The President, among other things, prepares and implements the Office’s budget, appoints, and supervises the Office’s staff, exercises disciplinary authority over staff, ensures the functioning of the Office including the adoption of internal administrative instructions and information to the public, and may submit to the Administrative Council any proposal for amending the Convention, general regulations, or decisions that fall within its competence (16). The Office consists of different departments, including a Receiving Section, a Legal Division, Examining and Opposition Divisions, and the Boards of Appeal (an internal independent body before which decisions taken by the EPO in the context of the patent granting procedure can be appealed) (17).

(9)

In the performance of its tasks, the EPO receives personal data from a number of different actors in the Union. On a continuous basis, European patent applications (18) are filed at EPO by patent applicants or transmitted to the EPO by national patent offices in Member States (19). The EPO also receives and processes personal data in the context of the tasks entrusted to it under Regulation (EU) No 1257/2012 of the European Parliament and of the Council (20). Those tasks include receiving and examining requests for unitary effect of European patents, collecting annual fees, and registering unitary effect (21). In this context, the EPO also receives requests about ongoing appeals before the Office’s Board of Appeals (22) from the Unified Patent Court (UPC), which may include personal data necessary to identify the relevant case (23).

(10)

Similarly, the EPO receives personal data contained in international patent applications when it acts under the Patent Cooperation Treaty (PCT), an international treaty that allows applicants to obtain patents with effects for all PCT contracting States (24). The EPO acts as an International Search Authority under the PCT and in this capacity reviews patentability of inventions disclosed in international applications, which help applicants to determine whether or not to file an application for substantive examination at national/Union level (25).

(11)

In addition, the EPO cooperates closely with national patent offices in all Member States in the context of a ‘European Patent Network’, and, in that context, exchanges personal data with them, for example when providing trainings courses and IT services to support and strengthen cooperation under the EPC. Similarly, it has concluded bilateral cooperation agreements with Member States that involve the exchange of personal data, for example in the context of the establishment of working groups, secondment and deployment of technical experts, etc. It also cooperates closely with the European Union Intellectual Property Office (EUIPO), for example by conducting joint trainings courses and awareness raising events, and seconding experts.

(12)

Finally, the EPO has contracts with several service providers in the Union that act as a processor within the meaning of Article 4, point (8) of Regulation (EU) 2016/679 and transfer personal data to the EPO.

(13)

The primary legislation that governs the activities of the EPO is established by an international treaty, that is to say the European Patent Convention and, where the EPO acts under the Patent Cooperation Treaty, by the latter. At a second level of the hierarchy of norms applicable to the EPO are legal acts adopted by the Administrative Council or, as far as the PCT is concerned, by the PCT Assembly. Secondary legislation of the EPO includes Implementing Regulations to the EPC and so-called Service Regulations (which regulate aspects relating to the EPO’s staff, including staff rights and obligations) (26). The right to the protection of personal data is set out in Article 1B of the Service Regulations (27), which also contains some core provisions of the EPO’s data protection framework, that is to say concerning the scope of application of the data protection framework, the protection of special categories of data and the exercise of rights by individuals. Article 2(1) and 32A of the Service Regulations establish independent oversight mechanisms (the Data Protection Officer (DPO) and the Data Protection Board (DPB)) to supervise compliance with the data protection rules (28).

(14)

The same substantive requirements governing the protection of personal data apply to the Administrative Council and the Office, as well as all their departments. In particular, the processing of personal data by the Office is regulated by the Implementing Rules for Articles 1B and 32A of the Service Regulations for Permanent and Other Employees of the European Patent Office on the Protection of Personal Data (Data Protection Rules (DPR)), which have been adopted by the Administrative Council (29). The processing of personal data by the Administrative Council is subject to the Administrative Council Data Protection Rules (AC DPR), which apply the DPR mutatis mutandis (30). Where this Decision refers to the DPR, the references include the corresponding requirements that apply to the Administrative Council, its Secretariat and its committees. The structure and content of the DPR is closely aligned with the Union data protection framework (31). In particular, it shares many commonalities with Regulation (EU) 2018/1725 of the European Parliament and of the Council (32) which lays down data protection requirements for the Union institutions and bodies and is thus well suited to the specific structure and features of international organisations, while closely mirroring Regulation (EU) 2016/679.

(15)

As regards data processing by the Office, further legally binding instruments have been issued by the President, such as circulars, decisions, and internal administrative instructions (33). In particular, the DPR is complemented by Decision of 13 December 2021 of the President concerning the processing of personal data in patent-grant and related proceedings (PGP Decision) (34); Decision of 7 December 2022 concerning the processing of personal data in proceedings related to European patents with unitary effect (UP Decision) (35); Decision of 17 November 2022 concerning countries and entities considered to ensure adequate protection of personal data (36); Decision of 2 May 2024 identifying the operational units of the Office acting as delegated controllers (37); and Circular No. 420 Implementing Article 25 of the DPR on restrictions to data subject rights (Circular 420) (38). Specifically for the processing of data in the context of patent granting proceedings, it is important to note that requirements for the processing of personal data provided for directly in the EPC and PCT prevail over the DPR. The interplay between the EPC and PCT on the one hand and the DPR on the other is clarified in the PGP Decision (39) and the UP Decision. The specific data protection requirements following directly from the EPC and PCT are assessed in recitals 55 to 59. The DPR and its complementary instruments are legally binding and enforceable and can be invoked by individuals before independent redress mechanisms, as described in recitals 89 to 96.

(16)

The rules provided for in the legal instruments mentioned in recital 15 are further operationalised in instruments issued by the Data Protection Officer (see recitals 83 to 88) (40), which apply to the Administrative Council and the Office, as well as all of their departments (41).

(17)

Pursuant to the DPR and the Service Regulations (42), all employees of the EPO are required to comply with the DPR when processing personal data. The material and personal scope of application of the DPR is determined by the terms ‘personal data,’‘processing,’‘controller’, ‘delegated controller’ and ‘processor’ therein defined.

(18)

The definitions of ‘personal data’ and ‘processing’ in the DPR are identical to the ones in Regulation (EU) 2016/679 (43). The DPR applies to any processing of personal data by the EPO, regardless of whether such processing concerns personal data of its own employees or data of other individuals (44). Data that has undergone pseudonymisation (45) is also considered personal data, whereas data of deceased persons or legal persons, or anonymous information (46) is not treated as personal data under the DPR (47).

(19)

The DPR applies to the processing of personal data by the EPO wholly or partly by automated means and to processing other than by automated means of personal data which form or are intended to form part of a filing system (48).

(20)

The DPR defines a ‘controller’ as an ‘an entity, namely the European Patent Office, which, alone or jointly with others, determines the purposes and means of the processing of personal data’ (49). In principle, the President acts as a controller for the data processing operations carried out by the Office (50). The same applies to the Administrative Council (where the Chair acts as controller), the Boards of Appeal acting in its judicial capacity (where its President acts as controller (51)) and the Select Committee (where the Chair acts as controller (52)). The controller can delegate this power to operational units, represented by a manager at senior level (53). In such cases, operational units act as ‘delegated controllers’ (54) that define the purpose (for example reason, rationale and business needs), the means of a processing operation, and ensure that all processing operations involving personal data comply with the rules of the DPR (55). In such cases, the controller remains responsible for the processing of personal data. The DPR also provides for a scenario of ‘joint controllership,’ where a controller determines the purpose and means of processing together with one or more controllers outside the EPO (56).

(21)

The definition of ‘processor’ in the DPR is identical to the one in Article 4(8) of Regulation (EU) 2016/679, that is to say a natural or legal person, public authority, agency, or any other entity which processes personal data on behalf of the controller (57). The controller is only allowed to use processors providing sufficient guarantees that appropriate technical and organisational measures will be implemented to ensure that the processing meets the requirements of DPR (58). The relationship between the controller and a processor must be governed by a contract or legal act that is binding on the processor and, among other things, sets out the subject-matter, duration, nature and purpose of the processing (59). The processor is only allowed to process the data on documented instructions of the controller. The processor is required to assist the controller with fulfilling its obligations under the DPR The processor is prohibited from engaging sub-processors without the prior authorisation of the controller (60). A standard data processing agreement is available to delegated controllers (61). Moreover, if a processor is located in a third country, any sharing of personal data with that processor must also comply with the DPR’s requirements for international transfers, as described in recitals 68 to 73 of this Decision (62).

(22)

Personal data should be processed lawfully and fairly.

(23)

Those general principles are laid down in Article 4(2)(a) DPR in a way that can be considered identical to Article 5(1)(a) of Regulation (EU) 2016/679.

(24)

The principle of lawfulness is further developed in Article 5 DPR, which lists the legal bases on which personal data may be processed. Those legal bases are (a) the necessity to carry out a task in the exercise of the official activities of the EPO (63) or in the legitimate exercise of the official authority vested in the controller, which includes the processing necessary for the Office’s management and functioning (64); (b) the necessity to comply with a legal obligation to which the controller is subject (for example to publish information mentioned in a patent application in the European Patent Register) (65); (c) the necessity to perform a contract to which the data subject is a party or to take steps at request of the data subject prior to entering a contract; (d) the data subject’s consent; or (e) the necessity to protect the vital interests of the data subject or another natural person.

(25)

Consent is defined in the DPR in the same way as in Regulation (EU) 2016/679, that is to say ‘any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to processing of personal data relating to him or her’ (66). It is for the controller to demonstrate that the data subject has consented (67). When assessing whether consent is freely given, account should be taken of whether the performance of a contract is conditional on consent to the processing of data that is not necessary for the performance of that contract (68). Consent cannot be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment (69). Moreover, for consent to be informed, the DPR requires the data subject to be aware at least of the identity of the controller and the purposes of the processing for which personal data are intended (70). Finally, a data subject has the right to withdraw consent at any time (71).

(26)

Specific safeguards should exist where ‘special categories’ of data are being processed.

(27)

The DPR contains specific rules as regards the processing of special categories of personal data (72), which are defined in the same way as under Regulation (EU) 2016/679, that is to say ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data (73) or biometric data (74) for the purpose of uniquely identifying a natural person and of data concerning health (75) or data concerning a natural person's sex life or sexual orientation’ (76). Pursuant to the DPR, the processing of special categories of data is in principle prohibited unless a specific exception applies (77).

(28)

The specific exceptions listed in Article 11(2) DPR are similar to those in Article 9(2) and (3) of Regulation (EU) 2016/679, with a few adaptions to the legal framework in which the EPO operates. The processing of special categories of personal data is only permitted in specific and limited circumstances (78), that is to say where (1) the data subject has given explicit consent; (2) the processing is necessary to protect the vital interests of an individual (where the data subject is physically or legally incapable of giving explicit consent); (3) the personal data has been manifestly made public by the data subject; (4) the processing is necessary for a specific purpose relating to the exercise of the official activities of the EPO or in the exercise of legitimate authority vested in the controller (79); or (5) the processing is necessary for the establishment, exercise or defence of legal claims.

(29)

In addition to the special categories of personal data referred to in recital 27, the DPR also requires specific protections for the processing of personal data relating to criminal convictions and offences, that is to say by only allowing such processing after prior consultation of the DPB or where the processing is required by a legally binding instrument that provides for appropriate safeguards for the rights and freedoms of individuals (80).

(30)

Personal data should be processed for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of processing.

(31)

That principle is ensured in Article 4(2)(b) DPR, pursuant to which personal data must be ‘collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with these purposes’.

(32)

Similar to Regulation (EU) 2016/679, the DPR allows further processing (regardless of the compatibility of the purpose of the further processing with the original one) on the basis of the data subject’s explicit consent or on the basis of applicable legal provisions of the EPO (81). In the latter case, the DPR requires that the processing must be a necessary and proportionate measure to safeguard a general public interest objective (82).

(33)

Where further processing is not based on those two grounds, the DPR provides for the factors to be taken into account when assessing the compatibility of the purpose for further processing with the purpose for which the personal data were originally collected (83). This approach and the factors listed in the DPC are identical to those set out in Article 6(4) of Regulation (EU) 2016/679 and Article 6 of Regulation (EU) 2018/1725 (84).

(34)

Personal data should be accurate and, where necessary, kept up to date. It should also be adequate, relevant and not excessive in relation to the purposes for which it is processed, and in principle be kept for no longer than is necessary for the purposes for which the personal data is processed.

(35)

Those principles are laid down in Article 4(2)(c), (d) and (e) of the DPR in the same way as in Regulation (EU) 2016/679.

(36)

Personal data should also be processed in a manner that ensures their security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. To that end, business operators should take appropriate technical or organisational measures to protect personal data from possible threats. Those measures should be assessed taking into consideration the state of the art and related costs.

(37)

Data security is enshrined in the legal framework of the EPO through the principle of integrity and confidentiality laid down in Article 4(2)(f) and Article 33 of the DPR, in an almost identical way as in Regulation (EU) 2016/679. In particular, the DPR requires that a level of security appropriate to the risk is ensured through appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of any risks for the rights and freedoms of individuals.

(38)

In addition, the DPR contains specific requirements on the handling and notification of a data breach (85). First, the controller is required to notify the DPO of a data breach without undue delay (and, where feasible, no later than 72 hours after having become aware of it), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (86). A processor is similarly required to notify the controller of a breach without undue delay (87). The notification must, in particular, describe the nature of the breach, its likely consequences and the measures taken or proposed to be taken to address the breach (88). Where a data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also communicate the personal data breach to the data subject without delay (89). The communication to the data subject must describe the nature of the personal data breach in clear and plain language (90) and is not required if the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer to materialise (91).

(39)

Data subjects should be informed of the main features of the processing of their personal data.

(40)

In accordance with the DPR, the controller is required to, at the time when obtaining personal data, provide individuals with information, in particular, on its identity and contact details (as well as the contact details of the DPO), the purpose of processing and the legal basis thereof, the recipients or categories of recipients, the fact that it intends to transfer the data outside of the EPO, as well as applicable rights and the possibility to obtain redress (92). The same applies when personal data is processed for a purpose other than that for which the data was collected (93). Both obligations only apply in as far as the concerned individual does not yet have the information (94).

(41)

The same information must be provided to the data subjects when personal data is not collected directly from them, together with additional information on the source of the personal data and the categories of data concerned (95). Such information must be provided within a reasonable time after obtaining the data (but at the latest within one month), having regard to the specific circumstances in which the data is processed (96). In case that personal data are to be used for communication with the data subject, the same information should be provided at the latest at the time of the first communication with the individual (97). The information referred to in recital 40 must also be provided prior to any further processing or, if a disclosure to another recipient is envisaged, at the latest when personal data are disclosed to a third party (98). That obligation does not apply in a number of cases, namely where a data subject already has the information concerned; where that information must remain confidential because of an obligation of professional secrecy regulated on the basis of the EPC and/or other legal provisions applicable to the EPO (99); where the provision of that information proves impossible or would involve disproportionate effort, in particular for processing for archiving, scientific or historical research, or statistics, in so far as it would render impossible or seriously impair the achievement of the objectives of the processing; or where obtaining or disclosure of that information is expressly laid down in the EPC or other applicable legal provisions that provide appropriate measures to protect the data subject’s legitimate interests (100).

(42)

Data subjects should have certain rights which can be enforced against the controller or processor, in particular the right of access to data, the right to rectification, the right to object to processing and the right to have data erased. At the same time, such rights may be subject to restrictions, insofar as these restrictions are necessary and proportionate to safeguard important objectives of general public interest.

(43)

The need to facilitate the exercise of individual rights is laid down in Article 1B(4) of the Service Regulations. To further implement this requirement, the DPR provides individuals with the same rights as those laid down in Regulation (EU) 2016/679, namely a right of access (Article 18 of the DPR), a right to rectification (Article 19 of the DPR), a right to erasure (Article 20 of the DPR), a right to restriction of processing (Article 21 of the DPR), a right to data portability (Article 22 of the DPR), a right to object (Article 23 of the DPR) and a right not to be subject to automated decision-making (Article 24 of the DPR).

(44)

The DPR also lays down general provisions for the handling of requests for the exercise of rights from individuals, requiring the controller to communicate with data subjects using clear and plain language, in a concise, transparent, intelligible, and easily accessible form (in writing or by other means) (101). The controller must provide individuals with information on the measures taken in response to a request without undue delay and in any event within one month of the receipt of the request (which may be extended with two further months where necessary in view of the complexity and number of requests) (102). Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may refuse to act on the request (103). When the controller does not act upon a request, it must inform the individual thereof and provide information on the possibility to seek redress (104).

(45)

Firstly, as regards the right of access, the DPR provides individuals with the right to obtain from the EPO confirmation as to whether or not personal data concerning them are processed and, if so, to access the personal data easily (105) and at reasonable intervals (106). In addition, individuals have the right to obtain information, in particular, on the purpose of processing, the categories of data concerned, the recipients with whom data is shared, and the envisaged period for which data will be stored (107).

(46)

Secondly, the DPR provides that the right to rectification provided for under the DPR allows individuals to obtain the rectification of inaccurate data or the completion of incomplete data (for example by means of providing a supplementary statement) (108). Once rectification takes place, the controller is required to communicate it to each recipient to whom the personal data have been disclosed (109). Pursuant to the DPR, the right to rectification applies to objective and factual data and not to subjective statements (110), although in this case individuals are allowed to complement existing data with a second opinion or counter-expertise or provide comments (111).

(47)

Thirdly, the DPR also provides individuals with a right to erasure (112), in particular if (a) personal data are no longer necessary for the purpose for which they are processed; (b) the data subject withdraws consent and there is no other legal basis for the processing; (c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing; (d) the data was processed unlawfully; (e) or the data has to be erased to comply with a legal obligation that applies to the controller (113). The controller must communicate any erasure to each recipient with whom the data has been shared unless this proves impossible or involves disproportionate effort (114). Similarly, if the controller made the personal data public, it must take reasonable steps to inform other controllers that are processing it that erasure has been requested by the individual (115). The right to erasure does not apply to the following scenarios, to the extent that the processing of the data is necessary, (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation of the EPO or an obligation deriving from the EPO’s duty to cooperate with its contracting States (116) or for the exercise of official authority vested in the EPO (117); (c) for reasons of co-operation with the contracting States in the area of public health (118); (d) for archiving, scientific or historical research and statistical purposes (in so far as erasure would likely render impossible or seriously impair the achievement of the objectives of the processing); or (e) for the establishment, exercise or defence of a legal claims (119).

(48)

Fourthly, Article 21 of the DPR provides a right to restriction of processing, that is to say the marking of personal data with the aim of limiting their processing in the future (including programming measures to permanently prevent access to such data) (120). That right can, in particular, be invoked where the accuracy of personal data is contested by the individual (for a period required by the controller to verify the accuracy) or where the processing is unlawful, but the individual opposes to the erasure of the data (121). Where processing is restricted, personal data may, with the exception of storage, only be processed with the individual’s explicit consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of others or for the performance of a task carried out in the exercise of the official activities of the EPO (that is to say a task which is necessary for the administrative and technical work that the EPO is required to perform in accordance with the EPC) (122).

(49)

Fifthly, a right to object is set out in Article 1B(4) of the Service Regulations and Article 23 of the DPR. In particular, individuals have the right to object at any time to processing of personal data carried out for the performance of a task in the exercise of the official activities of the EPO or in the legitimate exercise of the official authority vested in the controller (123). Individuals must be informed of the existence of such right in a clear manner and at the latest at the time of the first communication with them (124). In case an individual object to the processing of personal data, the DPR requires the controller to cease the processing unless the controller is able to demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise or defence of legal claims (125).

(50)

Sixthly, the DPR establishes a right to data portability, providing individuals with the possibility to receive their personal data in a structured, commonly used and machine-readable format, and to transmit that data to another controller (126). Such right applies where the processing is carried out by automated means and takes place on the basis of the consent of the individual, or for the performance of a contract with or in the interest of the individual (127).

(51)

Finally, pursuant to the DPR, individuals have a right not to be subject to automated decision-making, that is to say a decision based solely on automated processing, including profiling, which produces legal effects concerning or similarly significantly affecting him or her (128). The DPR sets out that automated decision-making may take place where it is based on the data subject’s explicit consent or if it is necessary for entering into, or the performance of, a contract with the individual, in which case the controller must implement suitable safeguards, such as by providing the right to obtain human intervention, express the individuals’ point of view, and to contest the decision (129). Automated decision-making may also be authorised by a legal act if that act lays down suitable measures to safeguard the rights of individuals (130). If the controller engages in automated decision-making, including profiling, it must proactively inform the individual thereof as part of its transparency obligations and provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (131). The same information must be provided upon request (132).

(52)

Similar to Article 23 of Regulation (EU) 2016/679 and Article 25 of Regulation (EU) 2018/1725, Article 25 DPR provides that specific legal provisions in the EPO’s legal framework may restrict the application of the rights referred to in recitals 43 to 51 (133) (that is to say limit their application temporarily) (134), when such a restriction respects the essence of fundamental rights (135) and freedoms and is a necessary and proportionate measure in a democratic society to safeguard specific objectives (136). Furthermore, a restriction must be provided in ‘clear and precise’ provisions that are intended to produce legal effects vis-à-vis data subjects and that must be adopted at least at the level of the President (137). Such provisions must, in particular, lay down the purpose of processing, the scope of the restriction, the safeguards to prevent abuse and the storage periods and applicable safeguards (138).

(53)

Currently, the only legal instrument that provides for restrictions to individual rights is Circular 420 (a legally binding instrument adopted by the President). It clarifies how and under which conditions restrictions can be applied by the controller and lays down, in an exhaustive way, the specific scenarios in which rights can be restricted and for which objectives (139). In particular, it provides that the EPO may restrict individual rights for certain specific objectives: (a and b) when conducting investigative or disciplinary proceedings in relation to its staff (140); (c) in the context of internal dispute settlement or the establishment, exercise or defence of legal claims, including arbitration, to preserve confidential information and documents obtained from the parties, interveners or other legitimate sources; (d) when processing health data in medical procedures and files, but only to protect the rights of individuals (141); (e and f) when conducting internal audits and inspections (the latter are conducted by the DPO); (g) for the purposes of IT incident management and physical security incident reports; and (h) when providing or receiving assistance to or from competent public authorities, including from the EPO’s contracting States and international organisations, or when co-operating with them on activities defined in relevant service level agreements, memoranda of understanding and co-operation agreements, either at their request or on the Office's own initiative (142).

(54)

Whether or not a restriction can be applied in a specific case is to be determined by the controller in individual cases in light of the relevant circumstances (143). In deciding whether or not to apply a restriction, the controller first must assess the necessity and proportionality thereof in the specific case, with the involvement of the DPO (144). That assessment involves weighing the potential risks to the rights and freedoms of the data subject against the risks and freedoms of other data subjects and the risks of hindering the purpose and outcome of the processing operation (145). Restrictions must be documented, including by recording the assessment of the rights restricted, for how long, for what reasons and on which grounds (146). In addition, as long as a restriction applies, appropriate technical and organisational measures must be put in place (147). Any restriction may only be applied for as long as the reasons for the restriction exist (148). If a right is restricted, the controller must inform the individual of the principal reasons therefor and of the right to submit a complaint (149).

(55)

Provisions of the constitutive treaty of the EPO (that is to say the EPC), of the PCT, and provisions applicable under them (all constituting primary legislation for the EPO) contain certain specific requirements in the context of the patent granting procedure that may impact the exercise of certain rights under the DPR (150). The PGP Decision provides an overview of those primary legislation requirements, explains how data subject rights can be exercised in that context, and clearly sets out possible exceptions (151). Circular 420 establishes that those provisions that may limit the application of data protection rights must clearly identify the scope of any exemption, and therefore balance the different interest at stake (152).

(56)

First, pursuant to Article 127 of the EPC, the Office is obliged to maintain the European Patent Register, where certain legally defined personal data are published. According to primary legislation, patent applications must be published during the patent granting procedure, generally, as soon as possible after expiry of a period of eighteen months from the date of filing. The EPC provides that personal data included in such patent applications can either be accessed by means of file inspection or inspecting the Register (153). Before publication, patent applications are not available for inspection without the explicit consent of the applicant. Similar rules are laid down in the PCT (154).

(57)

Second, the possibility to obtain changes to information used in the context of a patent granting procedure is specifically regulated by the EPC (155). In particular, the EPC only provides for the possibility to obtain the correction of errors in documents filed with the EPO (156), correction of errors in decisions (157), corrections of translations (158) and rectification of inventor designation (159). The rectification of personal data included in documents used in the patent granting procedure can therefore also only be obtained in those cases. The same applies to the possibility to obtain a restriction of data processing (160).

(58)

Thirdly, the EPC imposes specific retention and publication requirements for certain documents used in the patent granting procedure, which have an impact on the possibility to obtain deletion of information contained therein, including personal data (161). In particular, published patent applications and patent information published in the European Patent Bulletin must be retained and kept publicly available (162). As a result, erasure of personal data contained in those documents would go against fundamental legal obligations of the EPO (Article 129(a) EPC) and cannot be obtained. Other files must be kept by the EPO for a period specified in the EPC, which is in principle five years (163). As long as that period applies, erasure of information contained in those files (including personal data) cannot be obtained.

(59)

Therefore, taking into account in particular their limited scope and conditions for their application, the restrictions to the exercise of rights that derive from the provisions referred to in recitals 55 to 58 can be considered to be limited to what is necessary and proportionate to ensure the correct functioning of the patent granting procedure, as required in the public interest for the fulfilment of the EPO’s official tasks. To the extent that the EPC and the PCT do not specifically regulate the exercise of data protection rights, that is to say in all other scenarios than the ones described in recitals 55 to 58, the requirements of the DPR apply in full.

(60)

The level of protection afforded to personal data transferred from the Union to the EPO must not be undermined by the further transfer of such data to recipients in a third country or another international organisation.

(61)

The DPR distinguishes between ‘transmissions of personal data’ (that is to say the sharing of data by the EPO with its contracting States) and ‘transfers of personal data’ (the sharing of data by the EPO with any other person or entity outside the EPO) (164).

(62)

First, the DPR provides that a transmission of data to a national intellectual property office of an EPO contracting State may occur if the data is necessary for (a) the performance of the recipient’s competence or exercise of official authority and (b) the transmission is necessary for the exercise of the EPO’s official tasks/authority (165). Those transmissions take place in the context of the patent granting procedure provided for under the EPC and the PCT (166).

(63)

Second, the DPR allows a data transmission to a public authority of a contracting State of the EPO (167), where the data are necessary for the performance of that public authority’s tasks and the transmission is compatible with the tasks and functioning of the EPO (168). Such transmissions are not specifically required under the EPC or other legal instruments governing the patent granting procedure but may still be necessary for the performance of the EPO’s tasks, for example the cooperation of the EPO with its contracting States through consultation processes; the secondment and deployment of experts; or the provision of information on the EPO’s staff for the purpose of determining social benefits, tax requirements, etc.

(64)

The DPO has prepared model clauses to be included in memoranda of understanding governing such transmissions described in recitals 62 and 63, which, among other things, provide for data protection principles, limit further processing only for compatible purposes, provide for data subject rights, as well as obligations with respect to data security and data breaches and independent oversight (169).

(65)

In both scenarios described in recitals 62 and 63, the recipient, pursuant to the DPR, must provide evidence that it is necessary to have the data transmitted for a specific purpose deriving from the EPO’s obligations of co-operation with the contracting State or States (170). The controller must, for each transmission, be able to demonstrate that such transmission is necessary and proportionate to the specific purpose for which it is shared (171). Any transmission of data must be conducted in a way that ensures that the level of protection afforded by the DPR is maintained (172). According to guidance issued by the DPO, that means that appropriate safeguards shall be in place, including by ensuring that the data to be shared must be minimised and limited to what is adequate, relevant and strictly necessary to achieve that purpose (173). If there is any reason to assume that the legitimate interests of the individual concerned may be affected, the controller must establish that it is proportionate to transmit the personal data for that specific purpose, after having weighed the different interests at stake (174).

(66)

With regard to those two scenarios, it is also important to note that all EPO contracting States are party to the European Convention for the Protection of Human Rights and Fundamental Freedoms, subject to the jurisdiction of the European Court of Human Rights, as well as party to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS no. 108).

(67)

Finally, the DPR allows data transmissions to a processor located in the European Economic Area (EEA), provided compliance is ensured with the requirements laid down in the DPR for the engagement of processors (175).

(68)

The sharing of personal data with any entity outside of the EPO other than a public authority or national intellectual property office of the EPO’s contracting States or a processor in the EEA is considered a ‘transfer’ of personal data, subject to specific requirements under the DPR (176). Those requirements apply for instance to the sharing of data with processors outside the EEA, controllers located in or outside contracting States, public authorities in non-contracting States, and other international organisations. In general, the DPR requires that the level of protection guaranteed to individuals by the EPO is not undermined when data is transferred to third parties (177). According to the guidance of the DPO, the protection afforded to the transferred personal data in the third country or international organisation must be ‘essentially equivalent to that guaranteed in the DPR’ (178).

(69)

Pursuant to the DPR, a transfer of personal data outside the EPO may first of all take place if the country where the recipient is located, or the international organisation, ensures an adequate level of protection and if the transfer is solely done to allow the EPO to carry out tasks within its competence (179). An adequacy decision is adopted by the President (180), who, in case of doubt, decides after consulting the DPO and the DPB (181). The DPO has developed an ‘adequacy referential’ setting out the criteria for adequacy decisions (182). In particular, the legal framework of the third country or international organisation must, in particular, provide for key data protection principles, data subject rights, rules on onward transfers, procedural and enforcement mechanisms, and redress for individuals. If an adequacy decision is adopted by the President, the transfer can take place without the implementation of additional safeguards (183). Member States, as well as Norway, Iceland, Liechtenstein, all countries that benefit from an adequacy decision from the Commission (184) and the Union institutions and bodies are currently considered by EPO to provide an adequate level of protection (185).

(70)

Pursuant to the DPR, in the absence of an adequacy decision, the controller or processor may transfer personal data to recipients outside the EPO only if the controller or processor has provided appropriate safeguards and on condition that enforceable data subjects’ rights and effective legal remedies for data subjects are available (186). Such appropriate safeguards can be included in administrative arrangements with public authorities or international organisations, in contractual clauses (after consultation of the DPB) (187) or certification mechanisms (188). The DPO has developed an outline of provisions to be included in administrative arrangements (189). A model data protection agreement for transfers to processors is also available (190). According to the guidance of the DPO, the EPO must assess whether the data importer would be prevented from complying with its obligations under a transfer tool due to the legal framework it is subject to and, if necessary, put in place supplementary measures (191). To carry out that assessment, the DPO recommends, in EPO’s explanatory notes on transmission and transfer of personal data, to take into account relevant guidance of the EDPB and the European Data Protection Supervisor (192).

(71)

Pursuant to the DPR, for data transfers to countries or organisations benefiting from an adequacy decision, as well as for data transfers on the basis of appropriate safeguards, the EPO must demonstrate the necessity and proportionality of each transfer for the purpose of the processing (193). In addition, the EPO must establish, after having weighed the various interests at stake, that the transfer is proportionate, if there is reason to believe that the data subjects’ legitimate interests might be prejudiced (194). In addition, it must be ensured (through contractual safeguards) that the recipient may only process or use the data for the purposes for which they were transferred and must delete the data as soon as the purpose has been achieved (195).

(72)

Pursuant to the DPR, in the absence of an adequacy decision or of appropriate safeguards, the transfer of personal data outside the EPO is permissible ‘only exceptionally’ if a so-called ‘derogation’ applies under similar conditions as the ones in the corresponding provisions of Union data protection law (196). That is the case when (a) the data subject has explicitly consented to the transfer (197); (b and c) the transfer is occasional and necessary for the performance of a contract with or in the interest of the data subject (or for the implementation of pre-contractual measures at the data subject’s request) (198); (d) the transfer is necessary for the performance of a task in the exercise of the official activities of the EPO or in the legitimate exercise of official authority vested in the controller (199); (e) the transfer is occasional and necessary for the establishment, exercise or defence of legal claims (200); (f) the transfer is necessary in order to protect the vital interests of an individual, where the data subject is physically or legally incapable of giving explicit consent (201); or (g) the transfer is made from a register intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down for such consultation are fulfilled in the particular case (202). By nature, and according to the guidance of the DPO, those derogations may not be relied on for systematic, regular transfers (203).

(73)

Finally, as regards transfers of specific categories of data to countries or organisations that do not benefit from an adequacy decision, the President may further limit such transfers for important reasons relating to the legitimate exercise of the official authority vested in the Office (204). So far, the President has not made use of such powers.

(74)

Under the accountability principle, entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.

(75)

Article 4(1) DPR establishes a general principle of accountability, making clear that the controller is responsible for, and must be able to demonstrate, compliance with the DPR. In particular, the controller must implement appropriate technical and organisational measures to ensure and be able to demonstrate compliance, taking into account the nature, scope, context and purposes of processing and the varying likelihood and severity of any risks for the rights of individuals (205). In that respect, the DPR also implements the principles of privacy by design and by default by requiring the controller to implement measures designed to implement the data protection principles and ensure compliance with the DPR, and to ensure that, by default, only personal data that is necessary for each specific purpose of processing is processed (206).

(76)

The controller and processors must maintain a record of processing activities, containing, among other things, information on the purpose of processing, the categories of data processed, the categories of recipients to whom data is disclosed, and any transfers of personal data (207). Those records are in principle publicly accessible (unless they contain confidential information), and included in a publicly available Data Protection Register, and must be made available to the DPB on request (208). Each operational unit must also appoint at least one Data Protection Liaison (for a renewable term of one to three years), who must undergo compulsory data protection training and assist the controller in complying with its obligations (209).

(77)

Finally, the DPR provides different instruments that can assist the controller and processors in their compliance efforts. For example, pursuant to the DPR, adherence to approved certification mechanisms may serve as evidence of compliance with DPR obligations (210). In addition, under certain conditions, the DPR requires carrying out a data protection impact assessment, or a prior consultation of the DPO and DPB. A data protection impact assessment is required where a type of processing is likely to result in a high risk to the rights and freedoms of an individual (211). That is, for instance, required where there is a systematic and extensive evaluation of personal aspects on which automated decisions are based, or there is processing of special categories of data on a large scale (212). If an impact assessment indicates that the processing would result in a high risk for the rights and freedoms of individuals and the risk cannot be mitigated by reasonable security measures, the controller must consult the DPB (213). The DPB must provide written advice if it is of the opinion that the intended processing would be in violation of the DPR (214). More generally, the controller is required to consult the DPO when preparing rules or operational documents on the implementation of restrictions to individual rights (215).

(78)

In order to ensure that an adequate level of data protection is guaranteed in practice, an independent supervisory authority tasked with powers to monitor and enforce compliance with the data protection rules should be in place. That authority should act with complete independence and impartiality in performing its duties and exercising its powers.

(79)

The legal framework of the EPO entrusts two bodies with the oversight of compliance with the data protection rules by the EPO: the DPO and DPB. Both bodies are created by Article 32A of the Service Regulations, while their status and powers are further specified in the DPR (216). Their roles are complementary and involve cooperation, while each body remains independent in their respective functions.

(80)

Pursuant to the Service Regulations, the DPO and DPB act completely independently of any internal or external interference in performing their tasks and exercising their powers (217). That principle is complemented by different additional safeguards that guarantee their independence.

(81)

The DPO (and their deputies) are appointed by the President on the basis of their professional qualifications and, in particular, their expert knowledge of data protection law and practices (218). The DPO is appointed for a renewable term of three to five years. The DPB shall be consulted prior to any proposed removal or dismissal of the DPO from his or her role (219). Such prior consultation before removal or dismissal of the DPO is designed to ensure additional scrutiny and review in case of proposed removal or dismissal. Such removal or dismissal can be put forward for one of the following reasons (220): where the DPO no longer fulfils the conditions required for the performance of the duties (221); for professional incompetence (222); or as a result of disciplinary measures (223). The DPR also establishes that the DPO cannot be dismissed or penalised for performing its tasks and cannot receive any instructions (224). The DPO must be involved in all issues relating to the protection of personal data and issues annual activity reports to the President and the Administrative Council (225). The Office must provide the DPO with the resources necessary to carry out its tasks (226).

(82)

The DPB is composed of three external experts in the field of data protection, namely a chair and two other members (227), as well as an alternate member, appointed by the EPO President for a renewable term of three years (228). DPB members must have the qualifications required for appointment for judicial office or be data protection professionals with proven expertise and experience in the area of data protection law acquired at national or international level. They may not be employees of the EPO or have been employed by it within the past ten years (229). Pursuant to Article 48(6) DPR, the members of the DPB are completely independent in carrying out their function. In particular, DPB members may not seek instructions from the Office or the Administrative Council and cannot be bound by such instructions. The Rules of Procedure of the DPB also provide that it must act impartially and with complete independence when performing its tasks (230). Moreover, DPB members can only be terminated by EPO from their position for serious cause (231). DPB members are bound by an obligation of confidentiality (232) and must refrain from acting in a case in which they have a conflict of interest, in particular a personal interest (233). The EPO is required to support the DPB in performing its tasks by providing it with the necessary resources, as well as legal and administrative support (through a Secretariat and by providing the DPB with access to personal data and processing operations) (234).

(83)

The tasks of the DPO include the following: informing the controller or processors of their obligations and advising them accordingly; raising awareness among and providing training for staff involved in processing operations; ensuring that data subjects are informed of their rights under the DPR; and monitoring in an independent manner the internal application and compliance with the DPR, as well as other legal provisions of the EPO having data protection implications (235). Data subjects may contact the DPO on any issue relating to the processing of their data or the exercise of their rights (236), and the controller and processors may consult the DPO on any matter concerning the interpretation and application of the DPR (237).

(84)

As part of its oversight role, the DPO has the power to carry out data protection audits and investigations (238). Audits are initiated by the DPO in accordance with an annual audit plan that is prepared in consultation with the DPB (239). An audit focuses on assessing data protection records, statements and relevant documentation, for instance, to verify the accuracy and completeness of relevant data protection documentation, the correct application of risk management methodologies, the accuracy and timeliness of responses to data subjects, or the proper conduct and the number of data protection impact assessments (240). According to information received by the Commission from the DPO, three audits were conducted in 2023 and four in 2024. An investigation can be initiated by the DPO on its own initiative, on the basis of a request received from the DPB or a body within the EPO (for example the President or a delegated controller), or on the basis of information otherwise received (including for example from third parties and individuals) (241). Investigations requested by the DPB are conducted by the DPO in an independent manner. The DPB can comment and/or request a supplementary investigation on any issue that potentially emerged (242). Inspections focus on processing operations or particular aspects thereof or occurrences related thereto, with a view to ensuring that the processing in question meets the requirements of the DPR and to ensure the protection of the rights and freedoms of data subjects (243).

(85)

The DPO has access to all relevant information, including the personal data being processed as well as all offices, data-processing installations and data carriers (244). All EPO employees and operational units are required to assist the DPO in performing its duties, including by providing access to premises and relevant information (245).

(86)

When concluding an audit or investigation, the DPO adopts a report setting out its findings, conclusions and recommended remedial measures (246). Such measures may for instance include preventative or mitigating measures to improve compliance, as well as measures to remedy non-compliance (for example to bring processing in compliance with the DPR, to handle requests from data subjects to exercise their rights, to suspend or terminate a processing, etc.) (247). The DPO may also bring failures to comply with the DPR by employees to the attention of the competent appointing authority and recommend launching an administrative investigation to determine whether disciplinary or other action is needed (248). Any employee failing to comply with the DPR, whether intentionally or through negligence, may be liable to disciplinary sanctions or other action pursuant to the Service Regulations (249).

(87)

The outcome of audits and investigations must be communicated to the DPB (250). The audit or investigation report must be shared with the DPB upon request. The DPB is allowed to comment on the DPO’s report, including on the DPO’s findings as to whether or not a violation of the DPR occurred, on proposed remedial measures, and it can request additional investigative measures (251). If an audit or inspection by the DPO concludes that there has been a non-compliance (that is to say a violation of the DPR), the DPO’s report must be submitted to the DPB for validation of the conclusions and the recommended remedial measures. In case of disagreement by the DPB with the conclusions or recommended remedial measures of the DPO, the DPB share its comments with the DPO, including to amend the proposed conclusions and recommended remedial measures, which should implement them accordingly. Remedial measures that are validated by the DPB are binding towards the controller and delegated controllers and can be invoked by individuals before the redress mechanisms described in recital 95 (252). The DPO must verify the implementation of the remedial measures (in principle after six months from their communication) and report annually to the President on the status of implementation (253).

(88)

In addition to its role to enforce compliance with the DPR, other tasks of the DPB include advising the President on the adoption of adequacy decisions, advising the controller on the need to carry out a data protection impact assessment and reviewing complaints from individuals (see recitals 92 to 96) (254).

(89)

In order to ensure adequate protection and in particular the enforcement of individual rights, the data subject should be provided with effective redress, including compensation for damages.

(90)

The legal framework of the EPO offers redress to individuals through a combination of different avenues.

(91)

Firstly, data subjects who believe that the processing of their personal data by the EPO infringes their rights (that is to say violates the DPR) may submit a request for review by the delegated controller in accordance with Article 49 of the DPR. The delegated controller will review the complaint and take a decision (255). Before taking a decision, the delegated controller must consult the DPO, who provide a written opinion no later than fifteen calendar days after receipt of the request for review (256). The delegated controller must respond to the individual within one month from the date of receipt of the request (257). The decision must be communicated to the individual, together with information on the possibility to obtain further redress (258). If the delegated controller fails to take any action within three months, this is considered an implicit rejection of the request.

(92)

Secondly, individuals may challenge a decision or an implicit rejection of a request for review by a delegated controller by filing a complaint with the DPB (259).

(93)

When examining a complaint, the DPB must invite the data subject, the controller and, where applicable, the processor to set out in writing their position on the claims and facts at issue and to provide evidence or comments and arguments on available evidence (260). In that context, the DPB may request any information it needs from the parties to handle the complaint and can, in addition, obtain further information through the DPO (261). In deciding on the necessary follow-up to a complaint, the DPB must take into account, among other things, the nature and gravity of the alleged infringement, the number of data subjects affected, the categories of data affected and the duration of the infringement (262). The DPB may invite the parties to seek an amicable settlement and encourages and actively facilitates such settlement (263). The complainant may also ask the DPB to apply an urgency procedure, for reasons of gravity of the alleged infringement or due to the severity of the risk imposed on the rights of individuals (264).

(94)

After examining a complaint, the DPB issues a reasoned opinion to the controller, which shall include a statement of facts, the main arguments of the parties, the DPB’s considerations and its recommendations (265). In case of an urgency procedure, the DPB must formally issue a reasoned opinion within two months of the lodging of the complaint (266). In its reasoned opinion, the DPB can issue any recommendations it considers necessary, including injunctive relief (for example terminating unlawful data processing, deleting unlawfully processed data), compensation for material or non-material damage (267). The reasoned opinion must be communicated to the data subject and the controller (that is to say the President of the Office, the President of the Boards of Appeal, the Chair of the Administrative Council, or the Chair of the Select Committee depending on whether the complaint concerned the Office, the Boards of Appeals, the Council or the Select Committee). The controller will then take a final binding decision, following the DPB’s reasoned opinion (268). The final decision is communicated to the data subject, the DPB, and the DPO (269). If the controller was to decide to not follow one or more aspects of the reasoned opinion, it shall explain it in writing in the decision (270).

(95)

A data subject that is not satisfied with the decision by the controller can appeal it further and reference the DPB reasoned opinion in the appeal. Employees of EPO can challenge the decision before the Administrative Tribunal of the International Labour Organisation (271). Any other data subject that disagrees with the decision of the controller can, within three months of the receipt of the decision, submit a request to the President for ad-hoc arbitration (272). The DPR provides for a specific procedure to be followed in case of ad hoc arbitration (273). In particular, within three months of receipt of the request by the data subject, one arbitrator must be appointed by the Secretary-General of the Permanent Court of Arbitration based on criteria laid down in the DPR (274). The arbitrator must be legally qualified, admitted to practice law in one of the EPO’s contracting States, be able to demonstrate relevant expertise in data protection matters and be familiar with the law governing international organisations (275). In addition to fulfilling those criteria, only individuals who have not worked for or at the service of either the EPO or the data subject may be appointed. The DPR provides that the arbitrator must act independently and impartially (276), treat each party equally and give them the opportunity of presenting their case at every stage of the proceedings (277). The arbitration proceedings are not public (278) and are governed by the EPC, the DPR, including any implementing legislation, the law of international organisations and the principles of public international law (279). While each party has to bear its own costs and expenses for legal representation (unless the arbitrator decides otherwise), the arbitrator’s fees and expenses, the cost of possible expert advice and witnesses are paid by the EPO (280). A settlement must be concluded in the form of a written arbitration award with an agreed wording, which is final and binding (281).

(96)

Any individual that has suffered damage as a result of a violation of the DPR may request compensation from the EPO using the procedures described in recitals 91 to 95 (282). The EPO will not be held liable if it proves that it was not responsible for the event giving rise to the damage.

(97)

The legal framework under which the EPO assesses and responds to requests from public authorities – in its contracting States and in third countries – concerning personal data processed by the EPO follows from the EPO Protocol on Privileges and Immunities (PPI) (283), the DPR requirements on transmissions and transfers of personal data, and public international law.

(98)

Firstly, the processing of personal data by the EPO for the purpose of its official activities is covered by the Organisation’s immunities. EPO’s immunities are complemented by a duty of cooperation set out in Article 20 of the PPI. Consequently, any request from a public authority of a contracting State to obtain data processed by the EPO shall be assessed by the President in accordance with (Article 20(1)) of the PPI, which provides that the Organisation ‘shall co-operate at all times with the competent authorities of the Contracting States in order to facilitate the proper administration of justice, to ensure the observance of police regulations and regulations concerning public health, labour inspection or other similar national legislation, and to prevent any abuse of the privileges, immunities and facilities provided for in this Protocol.’ As an exception, the Organisation may waive its immunity from jurisdiction and execution (284). When deciding on a request for cooperation, the President exercises discretion, considering the compliance of the request with the Organisation’s legal framework (285). The conclusion may be that the Office can respond to a request under the PPI and may only disclose personal data in compliance with the requirements for transmissions of data provided for in the DPR (see recitals 62 to 67). Pursuant to the DPR, the recipient must provide evidence that it is necessary to have the data transmitted for a specific purpose deriving from the EPO's obligations of co-operation with the contracting State(s) (286). The controller must, for each transmission, be able to demonstrate that such transmission is necessary and proportionate to the specific purpose for which it is carried out (287). Any transmission of data must be conducted in a way that ensures that the level of protection afforded by the DPR is maintained (288). According to guidance issued by the DPO, that means that appropriate safeguards shall be in place, including by ensuring that the data to be shared must be minimised and limited to what is adequate, relevant and strictly necessary to achieve that purpose (289). If there is any reason to assume that the rights and freedoms of the individual concerned may be affected, the controller must establish that it is proportionate to transmit the personal data for that specific purpose, after having weighed the different interests at stake (290).

(99)

Secondly, there is no legal instrument applicable to the EPO that specifically regulates the handling of requests from public authorities of third countries (that is to say that are not a contracting party to the EPO) to obtain data processed by the EPO. As a result, any disclosure in response to such a request can only take place if the requirements for international data transfers under the DPR (as described in recitals 68 to 73) are met. That would only be the case if an adequacy decision has been adopted for the relevant country that would cover the transfer, if appropriate safeguards are in place, or if a derogation applies.

(100)

Compliance by the President with the PPI, including the way that requests for cooperation by public authorities have been addressed, is subject to the supervision of the Administrative Council, whereas compliance with the requirements on transmissions and transfers of personal data in the DPR is subject to the oversight of the DPO and the DPB, as described in recitals 84 to 88. Individuals can make use of the redress avenues described in recitals 90 to 96 concerning transmissions or transfers of their personal data in violation of the DPR.

(101)

The Commission considers that the EPO ensures a level of protection for personal data transferred from the Union, that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.

(102)

On the basis of the findings of this Decision, it should be decided that the EPO ensures an adequate level of protection within the meaning of Article 45 of Regulation (EU) 2016/679, interpreted in light of the Charter of Fundamental Rights of the European Union, for personal data transferred from the Union to the EPO.

(103)

Member States and their organs are required to take the measures necessary to comply with acts of the Union institutions, as the latter are presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality.

(104)

Consequently, a Commission adequacy decision adopted pursuant to Article 45(3) of Regulation (EU) 2016/679 is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities. In particular, transfers from a controller or processor in the Union to the EPO may take place without the need to obtain any further authorisation.

(105)

It should be recalled that, pursuant to Article 58(5) of Regulation (EU) 2016/679 and as explained by the Court of Justice in Case C-362/14 (291), where a national data protection authority questions, including upon a complaint, the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court which may be required to make a reference for a preliminary ruling to the Court of Justice.

(106)

According to the case law of the Court of Justice, and pursuant to Article 45(4) of Regulation (EU) 2016/679, the Commission should continuously monitor relevant developments in the third country or international organisation after the adoption of an adequacy decision in order to assess whether it still ensures an essentially equivalent level of protection. Such a check is required, in any event, when the Commission receives information giving rise to a justified doubt in that respect.

(107)

Therefore, the Commission should on an on-going basis monitor the situation as regards EPO’s legal framework and actual practice for the processing of personal data, as assessed in this Decision. To facilitate this process, the EPO is invited to inform the Commission of material developments relevant to this Decision, as regards the processing of personal data and the limitations and safeguards applicable to access to personal data by public authorities.

(108)

Moreover, in order to allow the Commission to effectively carry out its monitoring function, the Member States should inform the Commission about any relevant action undertaken by the national data protection authorities, in particular regarding queries or complaints by Union data subjects concerning the transfer of personal data from the Union to the EPO.

(109)

In application of Article 45(3) of Regulation (EU) 2016/679, and in the light of the fact that the level of protection afforded by the EPO’s legal framework may be liable to change, the Commission, following the adoption of this Decision, should periodically review whether the findings relating to the adequacy of the level of protection ensured by the EPO are still factually and legally justified. Such evaluations should take place at least every four years and should cover all aspects of the functioning of this Decision, including the functioning of the relevant oversight and enforcement mechanisms.

(110)

To perform the review, the Commission should meet with the EPO, including its DPO and the DPB. Participation in that meeting should be open to representatives of the members of the European Data Protection Board. In the framework of the review, the Commission should request the EPO to provide comprehensive information on all aspects relevant for the adequacy finding. The Commission should also seek explanations on any information relevant for this Decision that it has received, including from the EDPB, individual data protection authorities, civil society groups, public or media reports, or any other available source of information.

(111)

On the basis of the review, the Commission should prepare a public report to be submitted to the European Parliament and the Council.

(112)

Where available information, in particular information resulting from the Commission’s monitoring of developments that could affect the functioning of this Decision pursuant to Article 45(4) of Regulation (EU) 2016/679 or provided by the EPO or Member States’ authorities reveals that the level of protection afforded by the EPO may no longer be adequate, the Commission should inform the EPO thereof and request that appropriate measures be taken within a specified, reasonable timeframe.

(113)

If, at the expiry of that specified timeframe, the EPO fails to take those measure or otherwise demonstrate satisfactorily that this Decision continues to be based on an adequate level of protection, the Commission will initiate the procedure referred to in Article 93(2) of Regulation (EU) 2016/679 with a view to partially or completely suspending or repealing this Decision.

(114)

Alternatively, the Commission will initiate that procedure with a view to amending this Decision, in particular by subjecting data transfers to additional conditions or by limiting the scope of the adequacy finding only to data transfers for which an adequate level of protection continues to be ensured.

(115)

The Commission should also consider initiating the procedure leading to the amendment, suspension, or repeal of this Decision if, in the context of the review or otherwise, the EPO fails to provide the information or clarifications necessary for the assessment of the level of protection afforded to personal data transferred from the Union, or as regards compliance with this Decision. In that respect, the Commission should take into account the extent to which the relevant information can be obtained from other sources.

(116)

On duly justified imperative grounds of urgency, the Commission will make use of the possibility to adopt, in accordance with the procedure referred to in Article 93(3) of Regulation (EU) 2016/679, immediately applicable implementing acts suspending, repealing, or amending the Decision.

(117)

The European Data Protection Board published its opinion (292), which has been taken into consideration in the preparation of this Decision.

(118)

The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 93(1) Regulation (EU) 2016/679,