Bonum Certa Men Certa

EPO and Microsoft Collude to Break the Law -- The 'Smoking Gun': Hard Evidence That the EPO Has Been Lying About GDPR Compliance

What the EPO says:

EPO CA-20-19 page 49 of 88

Summary: The EPO's Annual Reports of the Board of Auditors help show that the cronies of Benoît Battistelli have been lying all along about GDPR compliance; António Campinos is, as expected, just another one of those Battistelli cronies, in effect passing EPO funds into a gambling black hole and overseas violators of everybody's privacy

We have managed to track down copies of the "audit reports" which allegedly confirm a close alignment between the EPO's data protection framework and the GDPR.



As far as we have been able to work out, the "audit reports" that the EPO refers to in its data protection "puff pieces" are the annual reports of the supposedly independent Board of Auditors (warning: epo.org link). One of these "independent" auditors is Battistelli's old crony from the INPI, Frederic Angermann.

Anyway, the annual audit report is usually issued as Administrative Council document no. 20 at the end of April or beginning of May each year.

So for 2020, the document is numbered CA/20/20 [PDF].

For 2019 it is CA/20/19 [PDF] and for 2018, the reference number is CA/20/18 [PDF].

We've made local copies as we want this to last and remain unchanged, just in case something mischievous were to happen at the EPO's end. As happened in the past...

The documents are publicly available via the official webpage of the Council (warning: epo.org link) and can be found using the search keyword "auditors".

The first mention of GDPR is in the 2018 audit report, CA/20/18, on page 6 of 81:

42) As of 25 May 2018, a new, uniform General Data Protection Regulation (GDPR) on data privacy will apply across the European Union (EU) to all organisations collecting and/or processing data from EU residents.

43) On July 2017, the President issued a task force with a mandate to assess the potential impact of this new EU GDPR on the EPO's current data protection guidelines.

44) It is noted that the EPO's current data protection guidelines are relatively closely in line with the new GDPR. However, an action plan is in place to address the potential impact of the GDPR on the EPO.


EPO CA-20-18 page 6 of 81

The 2019 audit report, CA/20/19, contains the following statement:
259) The new European General Data Protection Regulation (GDPR) has been in force since 25 May 2018. Even though the EU regulations do not directly apply to the EPO as an international organisation, basic principles have been implemented, as European citizens' data is processed at the EPO.


It then goes on to talk about the implementation of a "data protection register to record all the processing operations carried out on personal data" which can be accessed by EPO employees on the EPO intranet. It is not accessible to external data subjects, but external parties can make a data subject access request, "thus ensuring the right to information". This is followed by a recommendation that the data protection register needs to be updated and completed in order to ensure that all relevant information is available.

The report then states that the EPO's IT department, referred to as IM (= Information Management), is "only involved in the GDPR analysis on a high-level basis" and that IM does not prepare the necessary implementation, such as deletion concepts.

This section of the report concludes with a recommendation to include IM much more in the GDPR evaluation "to ensure that technical and organisational measures are addressed adequately. Additionally technical solutions need to be evaluated."

The 2020 audit report, CA/20/20, contains a section entitled "Analysis of implementation of GDPR requirements in the HR area" on page 7 of 89. According to this:

41. Since the Office, as an international organisation that does not fall under the EU regulations, is not subject to the General Data Privacy Regulation (hereinafter: "GDPR"), the internal "Guidelines for the protection of personal data" were developed and introduced by the Office with the latest revision in 2014. The abovementioned guidelines are very close to the requirements of the GDPR and Regulation (EU) 2018/1725 and as such are to be implemented and followed by the Office.


EPO CA-20-20 page 7 of 89

There are two short paragraphs explaining that "audit procedures were carried out in respect of the adherence of the Office to the requirements of the above-mentioned guidelines within the HR area" and that the audit "resulted in a number of recommendations", such as the need to update the Data Protection Registry and to define retention and deletion periods and actions for events such as retirement and leaving the Office.

Additionally, it recommends that "the awareness of the responsibilities of controllers in terms of data protection topics should be raised, and regular training sessions should be held for the HR department, as well as for other departments working with the personal data, to inform them about critical areas in the data protection process."

From this it can be seen that the annual reports of the Board of Auditors just parrot the party line of EPO management according to which "the EPO's current data protection guidelines are relatively closely in line with the new GDPR" (CA/20/18) and "the internal 'Guidelines for the protection of personal data' [which] were developed and introduced by the Office with the latest revision in 2014 ... are very close to the requirements of the GDPR and Regulation (EU) 2018/1725" (CA/20/20).

There hasn't actually been any independent audit of the EPO's data protection framework to determine the level of GDPR compliance.

All that we have are bald assertions of GDPR compliance by EPO management which have been rubber-stamped by the auditors without further ado.

Given that EPO management claimed at the time of adoption of the EPO's internal "Guidelines for the protection of personal data" in 2014 that they were closely aligned to the earlier EU Regulation (EC) 45/2001, it remains to be explained how these same Guidelines could now manage to be compliant with the GDPR, which was not adopted by the EU until 2016 and entered into force in 2018.

Of course it's complete nonsense, but as long as nobody actually goes to the trouble of carrying out an independent audit, who's going to notice anything?
