Data protection statement for job applicants

Protecting your privacy is of the utmost importance to the European Patent Office (EPO). We are committed to protecting your personal data and ensuring respect for data subjects' rights when performing our tasks and providing our services. All data of a personal nature that identify you directly or indirectly will be processed lawfully, fairly and with due care.

The processing operations described below are subject to the EPO Data Protection Rules (DPR).

The information in this statement is provided in accordance with Articles 16 and 17 DPR.

By submitting your application, you acknowledge that you have read and understood our data protection statement for job applicants and newcomers, which sets out how we collect, process and use your personal data.

1. What is the nature and purpose of the processing operation?
The recruitment and onboarding data processing operation aims to:

• provide job opportunities to candidates and recruit the EPO's future workforce
• enable the EPO to evaluate your eligibility, expertise and profile with respect to the specific job vacancy concerned
• enhance the recruitment process managing pools of applicants identified as suitable during selection processes
• produce reports and statistics
• further strengthen co-operation with the national patent offices and beyond through the EPO's secondment scheme

The relevant aspects and steps of this procedure are as follows.

A) Online application in response to a specific vacancy via the job portal (SAP SuccessFactors)
When you apply for a vacancy, you are asked to create a personal profile on the EPO job portal and to provide the following information:

• contact information (name, address, email address, phone number)
• education and training (university degrees and certificates obtained, academic results)
• personal information (date of birth, age, nationality, gender, knowledge of languages)
• job-specific information (job application form and any other information or documents that form part of the application, including a cover letter, CV (previous employment record, professional qualifications and other relevant skills) and references)

Personal data are accessed by the EPO staff responsible for conducting the selection and recruitment procedure, i.e.:

• Talent Acquisition staff
• line managers and authorised staff in the department in which the vacancy has arisen
• Selection Board members

and processed via

• SAP

B) Pre-selection procedure
The Talent Acquisition and hiring manager carry out the preselection procedure on the basis of the applications received using the criteria laid down in the vacancy notice.

This preselection procedure may be supplemented by a technical interview and/or a pre-recorded video interview to further narrow down the number of candidates by assessing your experience, technical qualifications, motivation and knowledge of languages.

A psychometric test or a test of certain skills may be included.

Psychometric tests and video interviews for candidates are conducted by the external service provider SHL.

The following further personal data are processed:

• application history at the EPO (if any)
• correspondence related to the specific vacancy
• a candidate's rating following technical assessments and tests of language knowledge
• audio and/or video recordings submitted by the candidate
• results of the test

In this step of the procedure, personal data are also accessed by

• the external provider of assessment methods

C) Interview(s) by the Selection Board and the Selection Board report for the appointing authority
The Selection Board holds a (virtual) interview with the candidate to assess whether they are suitable for the position and to allow them to ask the Selection Board questions.

In exceptional situations (e.g. when the number of candidates to be interviewed is very high as is usually the case for DG1 recruitment), the Selection Board is assisted in carrying out the interviews by an interview panel made up of e.g. directors, team managers etc.

The Selection Board assesses the suitability of a candidate for the vacant position and prepares a report for the appointing authority.

The appointing authority decides which candidate it will seek to appoint immediately (i.e. who will receive a job offer) and who will be placed on a reserve list (talent pipeline) for a duration of maximum 24 months. The candidate is informed accordingly.)

The types of personal data processed are:

• personal data contained in the application documents
• findings of the preselection procedure
• findings of the Selection Board
• statement on suitability (yes/no)
• decision on which names are to be "appointed" and which are to be placed "on the reserve list"

Personal data are accessed by:

• the Selection Board
• the appointing authority

and processed via

• SAP
• OpenText: a summary of the selection process and the results in respect of each candidate is submitted via OpenText (internal document management system) to the designated appointing authority; this summary includes the candidate's name, short employment history and suitability, any decision on appointment and any decision to include them on the reserve list.

D) Job offer and onboarding
The appointed candidate receives a job offer and if the candidate accepts the job offer, they must undergo pre-employment screening and a medical examination. Both are carried out by external service providers.

The pre-employment screening is conducted by Signum. You will be provided with detailed information about the personal data that Signum will process prior to the start of the screening.

The pre-employment medical examination is carried out by a different EPO delegated controller (please refer to the relevant data protection documentation for more information). The HR department will only be informed about whether or not you meet the health requirements of the post.

The onboarding procedure will begin as soon as we receive confirmation that you have passed the medical examination and will run in parallel to the pre-employment screening. We will collect and process the additional following personal data only to the extent necessary to enable us to evaluate your eligibility for certain allowances and other benefits before joining the EPO:

• date of birth, nationality, age and gender, permanent address, email and telephone number (data prefilled from the original application)
• marital status
• dependants
• certificates (birth certificate of candidates; marriage certificate, birth certificates of dependants)
• bank account information (not mandatory, but will be required to be provided within the first ten days of taking up duties)
• emergency contact details

Personal data are accessed by:

• HR colleagues involved in the onboarding (D422 and D423)

and processed via:

• SAP

We will use your private email address to send you useful information such as user credentials (user ID and password) for signing in to EPO systems before your first day of service. We may also use your email address prior to that day to provide you with helpful links and contact details for relevant EPO support services. We will also connect you to other newcomers through an integrated onboarding community platform on SuccessFactors.

E) Seconded national experts
Experts from national patent offices and other institutions have the opportunity to work at the EPO as a seconded national expert (SNE) for a limited time period (secondment scheme).
The EPO and the sending organisation will agree on the positions and tasks of SNEs.
In the case of SNEs, instead of a job offer, a tripartite agreement must be signed between the EPO, the sending entity and the SNE. The SNE candidate receives the agreement and, if they accept the offer, they must provide their police records before their start date.
The personal data processed are:

• date of birth, nationality, age and gender, permanent address, email and telephone number (data prefilled from the original application)
• bank account information

Personal data are accessed by:

• HR colleagues involved in the SNE programme

and processed via

• SAP
• Microsoft (SharePoint)

The requirement to carry out pre-employment screening, the psychometric test and the pre-employment medical examination do not apply in respect of SNEs.

F) Candidate pipeline/talent pool
Pipeline candidates ("pipeliners") are internal or external candidates who have been identified as suitable following a recruitment process, but who, however, have not been hired due to a lack of vacant posts and are therefore placed on a "reserve list" (also called a "candidate pool" or "talent pool") for potential future recruitment.

The Talent Acquisition (TA) staff place them on the list, inform them about the purposes of the list and how their data are processed.

Pipeline candidates' data are used to inform them of EPO news, relevant updates, to send out invitations for online or on-site events and information on suitable job vacancies at the EPO. The purpose is to maintain engagement with pipeliners in the hope they will be receptive to future offers.

Pipeliners can ask TA to delete their name from the list at any time.

The personal data processed are:

• email and telephone number (data prefilled from the original application)

Personal data are accessed by:

• HR colleagues involved in candidate pipelines

and processed via:

• SAP

G) Job alert
If you are interested in working at the EPO, you can register for job alerts on the EPO careers home page or you can select this option once you have created a candidate profile on our job portal. Once you have opted for this service, you will then be notified of any career opportunities that match your interests.

You can withdraw your consent at any time either via the portal directly or by sending an email to TA.

The following personal data will be processed:

• your email address
• your first and last name
• your country of residence

The processing is not intended to be used for any automated decision-making, including profiling.

Your personal data will not be transferred to recipients outside the EPO which are not covered by Article 8(1), (2) and (5) DPR unless an adequate level of protection is ensured. In the absence of an adequate level of protection, a transfer can only take place if appropriate safeguards have been put in place and enforceable data subject rights and effective legal remedies for data subjects are available, or if derogations for specific situations as per Article 10 DPR apply.

2. What personal data do we collect and process?
The personal data you provide in your application and otherwise as part of the recruitment and onboarding procedures, including data in any attachments you upload onto the system, will be held and processed solely for the purposes of our recruitment and onboarding procedures.

Categories (with examples)

• Contact information (name, address, email address, phone number)
• Education and training (university degrees and certificates obtained, academic results)
• Personal information (date of birth, age, nationality, gender, languages spoken)
• Bank account details (reimbursement of travel expenses and payment of salary)
• Information related to spouse and children (date of birth, age, nationality, gender)

We may also process the results of your performance at your interview (which may have taken place by phone, via Microsoft Teams or face-to-face) and in any written and/or oral tests, as well as in any psychometric assessments and/or pre-recorded video interviews. Psychometric assessments and advance video interviews are carried out by our external provider, SHL, in compliance with this data protection statement. The categories of personal data that are processed by SHL as part of its talent assessment services are as follows: name, email address, gender, language, account log-in details, demographic information, responses to questionnaires and assessments, audio recordings, video recordings and visual images. If you are invited to any talent assessment services run by SHL, you will also be provided with details of SHL's data protection policy.

If after completion of the above process we consider you eligible for the position offered, additional data will be required for the recruitment and onboarding procedures. This includes reference checks, your availability to start work at the EPO, a medical examination to assess whether you meet the requirements of the post, an extract from the applicable national police register/certificate of good conduct, proof of education and professional experience, and any documents required to determine your entitlements under EPO Service Regulations (ServRegs). You will also be provided with details of how your personal data will be processed prior to the start of the recruitment and onboarding procedures.

3. Who is responsible for processing the data?
The processing of personal data is carried out under the responsibility of the Director of Talent Management acting as the EPO's delegated data controller.

Personal data are processed by the EPO staff of the Department of Talent Acquisition involved in managing the activity referred to in this statement.

External contractors involved in providing technical support in IT and other specialist areas may also process personal data, which can include accessing it.

4. Who has access to your personal data and to whom are they disclosed?

Within the EPO
To ensure proper operation of the system, only nominated EPO staff responsible for conducting the selection and recruitment procedure will have access to your personal data. Your data will be disclosed to staff working in the Talent Acquisition department, line managers and authorised staff in the department of the vacancy concerned, and members of the selection board.

If your application is successful, your personal data – excluding your medical data – will be disclosed on a need-to-know basis to the appointing authority and the relevant departments.

Personal data may be disclosed on a need-to-know basis to the staff members of the units involved in the prevention and settlement of legal disputes (whether in internal, judicial or alternative redress mechanisms afforded by the EPO or any other legal processes involving the EPO), when this is necessary and proportional for them to perform tasks carried out in the exercise of their official activities, including representing the EPO in litigation and prelitigation. Such processing will take place on a case-by-case basis in accordance with DPR requirements and the principles of confidentiality and accountability.

Access by third parties
As indicated above, your personal data may also be collected or managed by, and/or transmitted to external service providers who support the EPO in its recruitment procedures and who are subject to EU data protection legislation.

Personal data will only be shared with authorised persons responsible for the necessary processing operations. They will not be used for any other purposes or disclosed to any other recipients.

5. How do we protect and safeguard your personal data?
We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss or alteration and unauthorised disclosure or access.

All personal data are stored in secure IT applications in accordance with the EPO's security standards. Appropriate levels of access are granted individually only to the above-mentioned recipients.

For systems hosted on EPO premises, the following basic security measures generally apply:

• user authentication and access control (e.g. role-based access control to the systems and network, principles of need-to-know and least privilege);
• logical security hardening of systems, equipment and network;
• physical protection: EPO access controls, additional access controls to data centre, policies on locking offices;
• transmission and input controls (e.g. audit logging, systems and network monitoring);
• security incident response: 24/7 monitoring for incidents, on-call security expert.

In principle, the EPO has adopted a paperless policy management system; however, if paper files containing personal data need to be stored on EPO premises, they are locked in a secure location with restricted access.

When data are outsourced (e.g. stored, accessed and processed), a privacy and security risk assessment is carried out.

For personal data processed on systems not hosted on EPO premises, the providers processing the personal data have committed in a binding agreement to comply with their data protection obligations under the applicable data protection legal frameworks. The EPO has also carried out a privacy and security risk assessment. These systems are required to have implemented appropriate technical and organisational measures such as: physical security measures, access and storage control measures, securing data at rest (e.g. by encryption); user, transmission and input control measures (e.g. network firewalls, network intrusion detection system (IDS), network intrusion protection system (IPS), audit logging); conveyance control measures (e.g. securing data in transit by encryption).

6. How can you access, rectify and receive your data, request that your data be erased, or restrict/object to processing? Can your rights be restricted?
You are in control of your personal data and responsible for ensuring that it is truthful, correct, non‑ambiguous and up to date. You can amend and update your account at any time.

You can view, change or delete your CV and all personal data stored in your candidate profile at any time. You can also delete your user account on the applicant portal at any time via the Delete Profile button. Please note that deleting your user account will lead to your withdrawal from all activated and unfinished procedures.

You can also withdraw from the onboarding procedure at any time by informing us via email (talentacquisition@epo.org). Please note that this will lead to your withdrawal from all activated and unfinished procedures, including the relevant job offer.

You have the right to access, rectify and receive your personal data, not to be subject to a decision based solely on automated processing, to have your data erased and to restrict and/or object to the processing of your data (Articles 18 to 24 DPR).

Your right to rectification applies only to factual data processed as part of the selection procedure. In addition, your data relating to the admissibility criteria cannot be rectified after the closing date for submitting applications.

According to Annex II, par 6 of the ServRegs (Competition Procedures for posts for which the President of the Office is the Appointing Authority), "The proceedings of the Selection Board shall be secret." This means that you cannot have access to any report/information reflecting the discussions of the Selection Board especially when they refer to individuals involved in your evaluation or to other candidates.

If you would like to exercise any of these rights, please write to the delegated data controller at pdpeople-dpl@epo.org. In order to enable us to respond more promptly and precisely, you always need to provide certain preliminary information with your request. We therefore encourage you to fill in this form (for externals) or this form (for internals) depending on the data subject concerned and submit it with your request.

We will reply to your request without undue delay and in any event within one month of receipt of the request. However, Article 15(2) DPR provides that this period may be extended by two further months where necessary in view of the complexity and number of requests received. We will inform you of any such delay.

7. What is the legal basis for processing your data?
Personal data are processed on the basis of Article 5(a) DPR (processing is necessary for the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the controller, which includes the processing necessary for the EPO's management and functioning) in conjunction with Article 12 DPR.

Additional legal instruments are:

• Article 4 ServRegs Vacant Post
• Article 5 ServRegs General recruitment criteria
• Article 6 ServRegs Specific recruitment criteria
• Article 7 ServRegs Selection Procedure
• Annex II to the Competition Procedures for Posts for which the President of the EPO is the appointing authority
• Circular 364 Minimum Qualifications for recruitment, grading on recruitment, promotion and other rewards

The legal basis for the processing of the data via the job alert function is Article 5(d) DPR. You can withdraw your consent at any time either via the portal directly or by sending an email to TA.

The legal basis for the processing of the data in the framework of the pre-employment medical examination are:

• Article 5(a) DPR in conjunction with Article 11(2)(b) and Article 11(3) DPR.
• Article 9 in conjunction with Article 8(3)(d) ServRegs and Article 2 (New) Pension Scheme Regulations.

As this procedure is carried out by another delegated controller, please refer to the relevant data protection documentation for any further information.

For the provision on the status of the seconded of national experts (SNEs), please refer to the Policy on the Secondment of National Experts.

8. How long do we keep your personal data?
Personal data will be kept only for the time needed to achieve the purposes for which it is processed.

If you do not delete your profile, your personal data will remain stored for up to 24 months, starting from the last modification date or date of activity in the profile and provided that your application status is non-active.

This means that you can reuse it should you apply for other vacancies at the EPO.

If you do not modify your data or apply for another job with us during this 24-month period and provided that your application status is non-active, your data will automatically be deleted. When this happens, our applicant portal will retain anonymised data only.

The 24-month retention policy also applies to the personal data processed by SHL. With regard to the screening checks carried out by Signum, the data concerned is deleted three months after completion of each screening.

Data of candidates who are placed on a reserve list (talent pipeline) are stored for a duration of a maximum 24 months before being deleted.

In the case of onboarding, your data will be automatically transferred on your first day of service to our system (SAP/FIPS) and will be stored in the e-personal file.

The results of the selection procedure are stored in the document management system of the EPO (OpenText-CommonLog) permanently.

In the event of a formal appeal/litigation, all data held at the time the formal appeal/litigation was initiated will be retained until the proceedings have been closed.

9. How to contact us
If you have any questions about the processing of your personal data, please write to the delegated data controller at pdpeople-dpl@epo.org.

You can also contact our Data Protection Officer at dpo@epo.org (for internal users) or DPOexternalusers@epo.org (for external users).

10. Review and legal redress
If you consider that the processing infringes your rights as a data subject, you have the right to request review by the controller under Article 49 DPR and, if you disagree with the outcome of the review, the right to seek legal redress under Article 50 DPR.