Gemini version available ♊︎

EPO’s Illegal Surveillance Covered Up by Buzzwords Bingo and Acronyms: Data Protection Board (DPB), Data Protection Rules (DPR), and Data Protection Officer (DPO)

Posted in Europe, Microsoft, Patents at 2:35 pm by Dr. Roy Schestowitz

EPO's B&W logo
CSC members of the GCC wrote a publication to explain the laughable situation (albeit very politely or “diplomatically” as ‘suits’ like to put it)

Summary: Years after the surveillance scandals (blunders and actual crimes) of Benoît Battistelli it seems clear that António Campinos carries on with the same tradition of violating privacy of staff and stakeholders, who are of course being lied to (with euphemisms such as “Data Protection”)

The Central Staff Committee (CSC) of the EPO has published a report on the consultative ‘meeting’ (Webchat or “videoconference”) which took place 11 days ago regarding “Data Protection” (the EPO prefers to use this positive-sounding term whilst illegally spying on staff and sending confidential data of applicants to Microsoft/United States). The irony isn’t lost either; like ViCo ‘courts’ dealing with or deciding on ViCo. We now have videoconferences dealing with the legality of surveillance, which certainly these videoconference facilities introduce (the EPO could self-host its videoconferencing, but it probably lacks the technical staff that can configure Free software; good workers have been driven out for years).

In any case, this 6-page publication which currently circulates among EPO staff was ‘leaked’ to us, so we can reproduce it in full below, as HTML:


GCC meeting on 9 December 2021

Data Protection

Dear Colleagues,

The President convened a one-hour GCC meeting via videoconference in order to deal with documents about data protection, in particular to consult on new Circular 420. The Circular deals with the implementation of Article 25 of the Data Protection Rules, which is about restricting the rights of data subjects (read: employees) in specific cases. The CSC members of the GCC unanimously abstained on the document.

The CSC members of the GCC also gave an opinion (without a vote) on the Rules of Procedure of the Data Protection Board, which will act as an “Appeals Committee” for data protection disputes.

Both opinions are attached to this report.

At the end of the meeting we asked about the President’s intentions with his draft social agenda, in particular the “Review of Leave1”. The President announced that all aspects of leave would be addressed, but with the aim making them fair, transparent, predictable and simple, as always2.

The Central Staff Committee

Annexes: opinions of the CSC members of the GCC

- Circular 420: Implementing Article 25 of the Data Protection Rules (DPR) (document GCC/DOC 26/2021)
- Rules of Procedure of the Data Protection Board (document GCC/DOC 27/2021)

1 See also our publication “Social Agenda 2022” of 3 December 2021.
2 He made the same promise for the reform of the education benefits.


Opinion of the CSC members of the GCC on GCC/DOC 26/2021
Circular 420: Implementing Article 25 of the Data Protection Rules (DPR)

General Remarks

In June 2021, the Administrative Council adopted amendments to the ServRegs and the Implementing Rules for Articles 1b and 32a ServRegs (Protection of personal data and data protection oversight), the “DPR”, with decision CA/D 5/21. The GCC consulted on 2 June 2021 on the corresponding CA document CA/26/21. The opinion1 of the CSC members of the GCC was published with their report on the GCC meeting. Obviously, the main flaws of the regulation remain and cannot be remedied in a lower-ranking Circular No. 420.

Human rights should never be taken for granted. The recent judgments regarding the rights for strike at the EPO provide proof for that. The rights to privacy and protection of personal data are such human rights.

Therefore, the CSC members of the GCC appreciate the efforts of the Office to align with highest standards and best practices in data protection. What are these highest standards? It is the GDPR, the general Data Protection Regulations from the EU, as well as the EUDPR, the regulation on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies, which have been introduced in 2018. These are widely considered the Gold Standard in data protection.

Already in February 2019, so almost three years ago, in a publication 2 Staff Representation denounced that the rights to privacy and protection of personal data of EPO employees and its stakeholders did not correspond to these highest standards. Staff representation asked that:

1. The EPO policies on data protection should be aligned with the EU regulations;
2. The role of the Data Protection Officer should be strengthened, and its independence should be assured;
3. An external and independent oversight body should be appointed with the task of monitoring the application of data protection policies at the EPO;
4. Separate data protection policies should be defined for investigative procedures (e.g., misconduct or fraud). Its implementation should be the responsibility of a distinct Data Protection Officer nominated, e.g., by the Administrative Council.

Although late (almost 3 years after that publication and 4 years after the introduction of the EU regulations, and although not as ambitious as we might have liked, finally the EPO has taken some steps forward. We see that indeed the EPO policies have been aligned with the EU regulations and that we have a Data Protection Officer who is more independent and has more resources.

Still the new framework deviates in some important points from the EUDPR. Indeed, it does not provide the same level of protection afforded to employees in the EU institutions.

The main problem is that the President of the Office is both the controller and the appointing authority for the members of the supposedly independent Data Protection Board (DPB). The task

1 Opinion of the CSC members of the GCC on GCC/DOC 5/2021 (CA/26/21 and CA/26/21 Add.1): Modernisation of the Data Protection Framework of the European Patent Office under the Strategic Plan
2023, 10.06.2021, link
2 Data Protection @ EPO, quo vadis?, CSC, 20.02.2019, link

of the Data Protection Board is to check that the controller is doing the right things. The second problem is that the powers of the Data Protection Board are limited: it cannot make binding opinions or impose sanctions. It just provides an opinion which the EPO President (the controller) can follow or not. For further information please refer to the Opinion of the CSC members of the GCC on GCC/DOC 5/20211.

Evidently, the EPO has a specific institutional set-up which differs from that of the EU institutions. However, this does not explain the important deviations from the Data Protection Regulation of the EU on such fundamental points. So, we observe some improvements, but unfortunately no Gold Standard at the EPO on the topic of data protection regulations.

On Circular No.420

One critical provision is Article 25 DPR, which restricts the rights of the data subject. Article 25 DPR essentially corresponds to Article 25 EUDPR. The rights concerned are the rights to information, access, rectification, erasure, restriction of processing, data portability, notification and communication of a personal data breach and confidentiality of electronic communications. The rights which remain untouched are the right to object and the right to be preserved from decisions based solely on automated processing.

In the EU, the restrictions either relate to the Member States, to “dispute” proceedings or exclusively to the internal security of Union institutions and bodies, including of their electronic communications networks (Article 25.(1)(d)).

Whereas the CSC members of the GCC are able to compare the EPO DPR with the EUDPR, they lack information (e.g. benchmarks) allowing them to compare with other international organisations or EU agencies, as regards the implementation of Article 25. They also lack benchmarks on how often these restrictions are applied in other organisations. Data on the past and current practice of imposing such restrictions at the EPO are also not available.

Consultation process

The Circular mentions “extensive consultation with those relevant internal stakeholders over the last few months”. One of the main stakeholders, the representatives of the EPO staff, i.e., its Staff representation was excluded from the task force. A single one-hour ViCo was convened by the DPO for explaining the Circular and for the Staff Representation to give their input. However, IT issues prevented the circular from being available for all staff representatives on time. Due to the very tight time line and the extremely late involvement of the Staff Representation, no replacement ViCo could be convened. The GCC meeting is de facto the first opportunity to discuss the Circular with management. One informal meeting with the DPO took place beforehand.

As to the content

Article 4 provides a list of situations, or legal grounds, in which restrictions to the rights of the data subject are possible. It lists inter alia also internal audits. One can reasonably assume that some right on data protection might have to be temporarily restricted during investigative or disciplinary proceedings. However, in the case of internal audits this is questionable. “Internal audits” is a broad term. It might be that there are some specific internal audits for which such restrictions are

necessary. These specific internal audits should have been listed instead of the broad term “internal audits”.

Restrictions are discretionary acts by a data controller, hence subject to limited review. In reply to a request for review, the (delegated) controller will only inform the requester whether the data have been processed correctly and, if not, whether any necessary corrections have been made3. It is therefore very different from a usual request for review within the meaning of Article 109 ServRegs, which calls for a reasoned decision4. The controller must be able to demonstrate compliance with the DPR, for accountability purposes, but the requester is not informed of that “demonstration”.

The Office might impose restrictions, e.g., as regards confidentiality of electronic communications, in investigations, disciplinary proceedings, appeals proceedings, health-related processes. The grounds for the restriction have to be given, i.e., the “legal basis” for the restriction as listed in Article 4. Reasons for restrictions might remain hidden to the data subject in certain cases5. When it comes to disputes in such cases, the facts available to one party, the Office, shall be made available to the Data Protection Board upon request. The other party, i.e., the staff member, will not necessarily have access to those facts. This jeopardises the right to a “fair trial” before the DPB.

This shows again that these restrictions should be imposed only in very specific and exceptional cases. And this is further proof of the importance of the independence of both the Data Protection Board and the DPO, which is crucial for building trust..


The Office deliberately chooses not to follow the EUDPR, which can be considered the “gold standard”. Even when taking into account the institutional set-up of the Organisation6, the new framework could have been aligned closer to the EUDPR. The main problems are, in particular, that the President of the Office is both the controller and the appointing authority for the members of the DPB and that the DPB cannot make binding opinions.

The new framework will require re-evaluation in a few years, hopefully with a view to coming closer
to the EUDPR.

Based on the foregoing, the CSC members of the GCC unanimously abstain on the document.

3 Article 25(3)c DPR.
4 Article 109(4) ServRegs: “The competent appointing authority shall take a reasoned decision on the outcome of the review…”
5 See Article 7(4); see also Article 25(3)b. and 25(4) DPR
6 See, e.g., Article 10 EPC

Opinion of the CSC members of the GCC on document GCC/DOC 27/2021:
Rules of Procedure of the Data Protection Board

The CSC members of the GCC give the following opinion on document GCC/DOC 27/2021.


The Administrative Council (AC) has been informed in June 2021 of the Data Protection Rules (DPR) with document CA/26/21 Add. 1. The AC has adopted the new data protection framework with decision CA/D 5/21.

The Data Protection Board (DPB) has two functions, namely an oversight / advisory function and a function as part of the mechanism for legal redress1. The Rules of Procedure (RoP) of the DPB describe the role and the responsibilities of the DPB, including the procedure for dealing with complaints on data protection issues.

The RoP of the DPB relate to the second function, i.e. dealing with complaints. The DPB will replace the Appeals Committee (ApC) for decisions on data protection issues. The RoP for the DPB resemble the RoP for the ApC. In comparison, they include inter alia additional directions for the Board, e.g. as regards criteria for receivability (Article 5), various constraints on time limits for internal processing, the concrete form of opinions (Article 10), etc. The DPB is composed of members having a recognised technical and/or legal background, especially in data protection matters. One would expect that the DPB would be in a position to sort out such matters in an autonomous manner, i.e., deciding on the RoP themselves without interference by the President of the Office, taking for instance good judicial practice and ILOAT jurisprudence into account.

The RoP of the DPB are adopted by the President of the Office in consultation with the President of the Boards of Appeal. With the GCC document, the President informs the GCC members that he adopts the RoP of the DPB. The role of the DPB is limited to proposing amendments to these RoP, which the President may adopt or reject. The DPO confirmed this in the GCC meeting: the DPO would consider whether the proposed amendments could be taken over. By contrast, the Appeals Committee adopts its own Rules of Procedure (with additional approval from the President of the EPO). The latter is the more appropriate sequence for a body intended to be an independent supervisory.

The general impression is that the DPO is willing to retain control on the procedure, which the DPB is expected to follow, although the DPB is the DPO’s supervisory.

The missing bits: rules for oversight / advisory and whistleblowing functions

The RoP include a general statement as to its role, viz. an expert, reliable and authoritative body in the field of data protection ensuring an appropriately informed decision-making process by the President. However, the rules exclusively relate to its function as a replacement for the ApC for dealing with individual disputes. No rules are set up for its advisory function.

Furthermore, under Article 68 of the EU Regulation, staff members of the EU institutions, bodies and agencies can lodge complaints with the European Data Protection Supervisory

1 Article 47 DPR

(EDPS), which roughly corresponds to the DPB, even if they are not personally affected by the alleged breach. This is a whistle-blower provision. The EPO excludes this possibility in Article 3(1): only the data subject whose data protection rights have allegedly been infringed is entitled to lodge a complaint.

This could be explained by external institutional constraints, such as the regulations at ILOAT, if the DPB was regarded exclusively as a replacement for the ApC. However, this is not the case and there is a need for establishing a formal channel for dealing with whistle-blowers, in data protection matters as well as in other matters. Presently there is no such channel formalised in the Service Regulations.

Specific positive aspects in the RoP of the DPB:

- Article 10(6): the reasoned opinion of the DPB is communicated to all parties at the same time, including the complainant.

- Article 15(2): a possibility is created for the Board to further examine a complaint of
its own motion after the complainant has withdrawn.

- Article 9(7): there is a provision for urgency.

- Article 16(1): the communication of the final decisions is apparently managed by the
DPB itself (Secretariat).

The CSC members of the GCC suggest that the ApC should consider including these aspects, mutatis mutandis, into their own rules.

Negative aspect in the RoP:

- Contrary to the ApC, no hearing is foreseen.

The CSC members of the GCC suggest that the DPB should consider including this essential possibility, mutatis mutandis, into their own rules and regret that the DPO is of the opinion that proceedings in writing are sufficient in all cases.

Another publication has been passed along — an even more interesting one. The EPO has become a technical blunder which not only breaks laws but also has broken systems. This is what happens when the President hires friends (nepotism) instead of people with suitable qualifications. Aside from illegal outsourcing (to external companies) they end up with a circus of a patent office.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New

  1. The Developing World Abandons Microsoft Windows, GNU/Linux at All-Time Highs on Desktops/Laptops

    Microsoft, with 80 billion dollars in longterm debt and endless layoffs, is losing the monopolies; the media doesn’t mention this, but some publicly-accessible data helps demonstrate that

  2. Links 02/06/2023: Elive ‘Retrowave’ Stable and Microsoft's Half a Billion Dollar Fine for LinkeIn Surveillance in Europe

    Links for the day

  3. Linux Foundation 'Research' Has a New Report and Of Course It Uses Only Proprietary Software

    The Linux Foundation has a new report, promoted by Clickfraud Spamnil and others; of course they’re rejecting Free software, they’re just riding the “Linux” brand and speak of “Open Source” (which they reject themselves)

  4. Links 02/06/2023: Arti 1.1.5 and SQL:2023

    Links for the day

  5. Gemini Links 02/06/2023: Vimwiki Revisited, SGGS Revisited

    Links for the day

  6. Geminispace/GemText/Gemini Protocol Turn 4 on June 20th

    Gemini is turning 4 this month (on the 20th, according to the founder) and I thought I’d do a spontaneous video about how I use Gemini, why it's so good, and why it’s still growing (Stéphane Bortzmeyer fixed the broken cron job — or equivalent of it — a day or two after I had mentioned the issue)

  7. HMRC Does Not Care About Tax Fraud Committed by UK Government Contractor, Sirius 'Open Source'

    The tax crimes of Sirius ‘Open Source’ were reported to HMRC two weeks ago; HMRC did not bother getting back to the reporters (victims of the crime) and it’s worth noting that the reporters worked on UK government systems for many years, so maybe there’s a hidden incentive to bury this under the rug

  8. Our IRC at 15th Anniversary

    So our IRC community turns 15 today (sort of) and I’ve decided to do a video reflecting on the fact that some of the same people are still there after 15 years

  9. IRC Proceedings: Thursday, June 01, 2023

    IRC logs for Thursday, June 01, 2023

  10. Links 02/06/2023: NixOS 23.05 and Rust 1.70.0

    Links for the day

  11. Gemini Links 02/06/2023: Flying High With Gemini and Gogios Released

    Links for the day

  12. Links 01/06/2023: KStars 3.6.5 and VEGA ET1031 RISC-V Microprocessor in Use

    Links for the day

  13. Gemini Links 01/06/2023: Scam Call and Flying High With Gemini

    Links for the day

  14. Links 01/06/2023: Spleen 2.0.0 Released and Team UPC Celebrates Its Own Corruption

    Links for the day

  15. IRC Proceedings: Wednesday, May 31, 2023

    IRC logs for Wednesday, May 31, 2023

  16. Tux Machines Closing the Door on Twitter Because Twitter is Dead (for a Lot of People)

    Tux Machines recently joined millions of others who had already quit Twitter, including passive posting (fully or partly automated)

  17. Links 31/05/2023: Inkscape’s 1.3 Plans and New ARM Cortex-A55-Based Linux Chip

    Links for the day

  18. Gemini Links 31/05/2023: Personality of Software Engineers

    Links for the day

  19. Links 31/05/2023: Armbian 23.05 Release and Illegal UPC

    Links for the day

  20. IRC Proceedings: Tuesday, May 30, 2023

    IRC logs for Tuesday, May 30, 2023

  21. Gemini Protocol About to Turn 4 and It's Still Growing

    In the month of May we had zero downtime (no updates to the system or outages in the network), which means Lupa did not detect any errors such as timeouts and we’re on top of the list (the page was fixed a day or so after we wrote about it); Gemini continues to grow (chart by Botond) as we’re approaching the 4th anniversary of the protocol

  22. Links 31/05/2023: Librem Server v2, curl 8.1.2, and Kali Linux 2023.2 Release

    Links for the day

  23. Gemini Links 31/05/2023: Bayes Filter and Programming Wordle

    Links for the day

  24. [Meme] Makes No Sense for EPO (Now Connected to the EU) and Staff Pensions to be Tied to the UK After Brexit

    It seems like EPO staff is starting to have doubts about the safety of EPO pensions after Benoît Battistelli sent money to reckless gambling (EPOTIF) — a plot that’s 100% supported by António Campinos and his enablers in the Council, not to mention the European Union

  25. Working Conditions at EPO Deteriorate and Staff Inquires About Pension Rights

    Work is becoming a lot worse (not even compliant with the law!) and promises are constantly being broken, so staff is starting to chase management for answers and assurances pertaining to finances

  26. Links 30/05/2023: Orc 0.4.34 and Another Rust Crisis

    Links for the day

  27. Links 30/05/2023: Nitrux 2.8.1 and HypoPG 1.4.0

    Links for the day

  28. Gemini Links 30/05/2023: Bubble Version 3.0

    Links for the day

  29. Links 30/05/2023: LibreOffice 7.6 in Review and More Digital Restrictions (DRM) From HP

    Links for the day

  30. Gemini Links 30/05/2023: Curl Still Missing the Point?

    Links for the day

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts