Data protection statement for job applicants

At the European Patent Office (EPO), every invention is unique. So too is everyone in our team. To enable us to continue building our team with exceptional talent like you, we use personal data in a variety of different ways. Your privacy is important to us, and we can assure you that we are committed to respecting and protecting your personal data and ensuring your rights. All data of a personal nature that identifies you directly or indirectly will be processed lawfully, fairly and with due care.

By submitting your application, you acknowledge that you have read and understood our data privacy policy for job applicants and newcomers, which sets out how we collect, process and use your personal data.

The processing operations described below are subject to the EPO Data Protection Rules (DPR).

The information in this statement is provided in accordance with Articles 16 and 17 DPR.
 

   1. What is the nature and purpose of the processing operation?

This data protection statement relates to the processing of personal data submitted by applicants to job positions at the EPO in the framework of recruitment and onboarding procedures.

Personal data are processed to enable the EPO to conduct recruitment and onboarding procedures in the framework of its official tasks.

During the selection phase, we collect and process your personal data only to the extent necessary to enable us to evaluate your eligibility, expertise and profile with respect to the specific job vacancy concerned.

We will use any personal data you provide to process your application for the specific position you have applied for. We may also use it to process your application for other current and future open positions at the EPO which may be suitable for you, provided you have opted to receive such notifications on career opportunities and/or have been invited – and have agreed – to join our Talent Pool. You can withdraw from the Talent Pool at any time by informing us via email.

We may also use the personal data you provide when creating a candidate profile and/or completing a data capture form to notify you of appropriate job postings and career opportunities and events at the EPO, provided you have opted to receive such notifications by selecting one or  more of the options in your candidate profile. You can manage these settings in your candidate profile at any time by clearing the relevant check box in the Data privacy section or by modifying any job alerts you have configured under Options/Job Alerts.

If, after completion of the above process, we consider you eligible for the position offered, you we will use your personal data for our pre-employment screening check, which will be conducted by Signum, an external service provider. You will be provided with detailed information about the personal data that Signum will process prior to the start of the screening check.

As mentioned above, you will also be required to undergo a medical examination. The results of the examination will be forwarded to the EPO's Health and Safety department (doctor/nurse). The HR department will only be informed about whether or not you meet the health requirements of the post.

The onboarding procedure will begin as soon as we receive confirmation that you have passed the medical examination and will run in parallel to the pre-employment screening check. We will   collect and process additional personal data (e.g. information related to your spouse and children) only to the extent necessary to enable us to evaluate your eligibility for certain allowances and other benefits before joining the EPO.

We will use your private email address to send you useful information such as credentials (user ID and password) for logging on to EPO systems before your first day of service. We may also use it, prior to that day, to provide you with helpful links and contact details about relevant EPO support services. We will also connect you to other newcomers through an integrated onboarding  community platform on SuccessFactors.

The processing is not intended to be used for any automated decision-making, including profiling.
 

   2. What personal data do we collect and process?

The personal data you provide in your application and otherwise as part of the recruitment and onboarding procedures, including data in any attachments you load into the system, will be held  and processed solely for the purposes of our recruitment and onboarding procedures.

Categories (with examples)

• Contact information (Name, address, email address, phone number)
• Education and training (University degrees and certificates obtained, academic results)
• Personal information (Date of birth, age, nationality, gender, languages spoken)
• Bank account details (Reimbursement of travel expenses and payment of salary)
• Information related to spouse and children (Date of birth, age, nationality, gender)

We may also process the results of your performance at interview (phone, MS Teams or face-to-face)  and in any written and/or oral tests, as well as in any psychometric assessments and/or pre-recorded video interviews. Psychometric assessments and advance video interviews are carried out by our external provider, SHL, in compliance with this data protection statement. The categories of personal data that are processed by SHL as part of its talent assessment services are as follows: name, email address, gender, language, account login details, demographic information, responses to questionnaires and assessments, audio recordings, video recordings and visual images. If you are invited to an assessment, you will be also provided with details of SHL's  data protection policy.

If after completion of the above process we consider you eligible for the position offered, additional data will be required for the recruitment and onboarding procedures. This includes reference checks, your availability to start work at the EPO, a medical examination to assess whether you meet the requirements of the post, an extract from the national police register/certificate of good conduct, proof of education and professional experience, and any documents required to determine your entitlements under our Service Regulations. You will be  provided with details of how your personal data will be processed prior to the start of the recruitment and onboarding procedures.
 

   3. Who is responsible for processing the data?

The processing of personal data is carried out under the responsibility of the Director Talent Management acting as the EPO’s delegated data controller.
 

   4. Who has access to your personal data and to whom is it disclosed?

Within the EPO

To ensure proper operation of the system, only nominated EPO staff responsible for conducting the selection and recruitment procedure will have access to your personal data. Your data will be disclosed to staff working in the Talent Acquisition department, line managers and authorised staff in the department of the vacancy concerned, and members of the selection board.

If your application is successful, your personal data – excluding your medical data – will be disclosed on a need-to-know basis to the appointing authority and the relevant departments within the EPO’s Directorate-General Corporate Services.

Access by third parties

As indicated above, your personal data may also be collected or managed by, and/or transmitted to external service providers who support the EPO in its recruitment procedures and who are subject to EU data protection legislation.

Personal data will only be shared with authorised persons responsible for the necessary processing operations. They will not be used for any other purposes or disclosed to any other recipients.
 

   5. How do we protect and safeguard your personal data?

The EPO implements all the technical, organisational and security measures required to protect the confidentiality and security of the personal data collected from this website and/or our applications, including sensitive personal data. Your personal data will be protected against unauthorised access through encrypted transmission and storage, a role and authorisation concept, a data backup concept and physical security measures for the servers.

These measures include the following:

• An EPO username and password are required in order to access our systems and databases.
• Authentication and authorisation are based on roles.
• Service providers sign confidentiality and data protection clauses.
• Editing rights to the back office tools in which your personal data is processed are  restricted to a limited number of duly authorised persons with a specific IT profile.

For our job application site we use SAP SuccessFactors Recruiting Management, a web-based application using “software as a service”. The application is accessed through a browser. SSL technology protects information by using both server authentication and data encryption to help ensure that data is safe, secure and available  only to the user concerned.

External users must log on using their own email address. When logging on for the first time, you will be asked to create an account and choose a password.

SAP SuccessFactors requires a unique username and password that must be entered each time   you log on. Passwords must be strong and conform to specific requirements. They must be changed at regular intervals. The password and login policy setting for staff and externals can be  set and modified by the EPO.

Our external processors have signed data processing agreements to ensure the secure processing of your personal data on behalf of the EPO.

In principle, the EPO has adopted a paperless policy management system; however, if paper files containing personal data need to be stored on EPO premises, they are locked in a secure location with a restricted access.
 

   6. Where is your personal data stored?

All personal data processed by the EPO will be stored in a database operated by a cloud provider. The cloud provider is SAP. EPO data is stored in the SAP Data Centre in Germany.
 

   7. How can you access, rectify and receive your data, request that your data be erased, or restrict/object to processing? Can your rights be restricted?

You are in control of your personal data and responsible for ensuring that it is truthful, correct, non‑ambiguous and up to date. You can amend and update your account at any time.

You can view, change or delete your CV and all personal data stored in your candidate profile at any time. You can also delete your user account on the applicant portal at any time via the Delete Profile button. Please note that deleting your user account will lead to your withdrawal from all activated and unfinished procedures.

You can also withdraw from the onboarding procedure at any time by informing us via email (talentacquisition@epo.org). Please note that this will lead to your withdrawal from all activated and unfinished procedures, including the relevant job offer.

You have the right to access, rectify and receive your personal data, not to be subject to a decision based solely on automated processing, to have your data erased and to restrict and/or object to the processing of your data (Articles 18 to 24 DPR).

Your right to rectification applies only to factual data processed as part of the selection procedure. In addition, your data relating to the admissibility criteria cannot be rectified after the closing date for submitting applications.

According to Annex II, par 6 of the ServRegs (Competition Procedures for posts for which the President of the Office is the Appointing Authority) "The proceedings of the Selection Board shall be secret.". This means that you cannot have access to any report/information reflecting the discussions of the Selection Board especially when they refer to individuals involved in your evaluation or to other candidates. 

If you would like to exercise any of these rights, please write to the delegated data controller at pdpeople-dpl@epo.org . In order to enable us to respond more promptly and precisely, you always need to provide certain preliminary information with your request. We therefore encourage you to fill in this form and submit it with your request.

We will reply to your request without undue delay and in any event within one month of receipt of the request. However, Article 15(2) DPR provides that this period may be extended by two further months where necessary in view of the complexity and number of requests received. We will inform you of any such delay.
 

   8. What is the legal basis for processing your data?

Personal data are processed on the basis of Article 5(a) DPR (processing is necessary for the performance of a task carried out in the exercise of the official activities of the European Patent Organisation or in the legitimate exercise of the official authority vested in the controller, which includes the processing necessary for the Office's management and functioning).

In particular, with regard to the pre-employment examination, the legal grounds for this medical check are Article 8(3)(d) of the EPO Service Regulations (“Before appointment, a successful candidate shall be medically examined by a medical practitioner designated by the President of the Office in order that the appointing authority may be satisfied that he fulfils the requirements of Article 8, paragraph 3, sub-paragraph (d)”) and Article 9 of the EPO Service Regulations (“To be eligible for appointment as an employee, a candidate must fulfil the following requirements: […] (d) he must meet the medical requirements of the post”). Therefore, the legal basis for the processing of this special category of personal data is Article 5(a) of the DPR  in combination with Article 11(2)(b) DPR (“processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security law in so far as it is authorised by legal provisions of the European Patent Organisation providing for appropriate safeguards for the fundamental rights and the interests of the data subject.”) and Article 11(3) (“Paragraph 1 does not apply where processing of the special categories of data is required for the purposes of … occupational medicine, the assessment of an employee's working capacity, … and where those data are processed by a health professional subject to the obligation of professional secrecy or by another person subject to an equivalent obligation of secrecy.“).

Personal data are processed on the basis of the following legal instrument:
Annex II of the Service Regulations “Competition Procedures for posts for which the President of the Office is the Appointing Authority”.
 

   9. How long do we keep your personal data?

If you do not delete your profile, your personal data will remain stored for up to 24 months, starting from the last modification date or date of activity in the profile and provided that your application status is non-active. This means that you can re-use it should you apply for other vacancies at the EPO. If you do not modify your data or apply for another job with us during this 24-month period and provided that your application status is non-active, your data will automatically be deleted. When this happens, our applicant portal will retain anonymized data only. The 24-month retention policy also applies to the personal data processed by SHL. With regard to the screening checks carried out by Signum, the data concerned is anonymized three months after completion of each screening.

In the case of onboarding, your data will be automatically transferred on your first day of service to our system (SAP/FIPS) and will be stored in the personal file.
 

   10. How to contact us

If you have any questions about the processing of your personal data, please write to the delegated data controller at pdpeople-dpl@epo.org .

You can also contact our Data Protection Officer at dpo@epo.org.
 

   11. Review and legal redress

If you consider that the processing infringes your rights as a data subject, you have the right to request review by the controller under Article 49 DPR and, if you disagree with the outcome of the review, the right to seek legal redress under Article 50 DPR.