Document about Personal Data Processing (art. 13, 14 of EU Regulation 2016/679)

Glossary of Terms

Personal Data is any information related to a natural person that can be used to directly or indirectly identify him/her

Processing is any operation performed on Personal Data, whether or not by automated means, such as collection, use, recording, …

Data Controller is the entity that determines the purposes, conditions and means of Personal Data Processing

Data Processor is any entity that processes Personal Data on behalf of the Data Controller

Data Subject is the natural person whose Personal Data is processed by a Data Processor

Recipient is any entity to which Personal Data is disclosed

Right to be Forgotten is the right entitling the Data Subject to have the Data Controller erase his/her Personal Data, cease further dissemination and potentially have third parties cease Processing

Data Erasure is the action performed by the Data Controller to allow the Data Subject to exercise his/her Right to be Forgotten

Data Portability is the requirement for the Data Controller to be able to provide the Data Subject with a copy of his/her Personal Data in a format that can be easily read by another Data Controller

Pseudonymization is any processing of Personal Data such that it can no longer be attributed to a single Data Subject without the use of additional data

Data Subjects: Unified Patent Court (UPC) Case Management System (CMS) users

Centre des Technologies de l’Information de l’Etat, 1 rue Mercier, L-2144 Luxembourg (CTIE) as a representative of UPC, with reference to the Processing of your Personal Data, is the Controller of this Processing, according to EU Regulation 2016/679, in the sequel General Data Protection Regulation (GDPR).

With this document, the Data Controller wants to inform you about the principles according to which your Personal Data will be processed, considering that this processing will be characterized by appropriacy, licitness, transparency and protection of your privacy and your rights.

Every Processing is compliant with the articles 6 and 32 of the GDPR and adopts the appropriate security measures envisaged there.

Processing purpose: Until the Court becomes fully operational, your Personal Data will be processed by computer systems and software managed also by third parties (our suppliers or sub-suppliers) with the only purpose of performing functional tests to implement the correct functioning of the procedures envisaged by the EU Regulations 1527/2012 and 1260/2012 and by the Unified Patent Court Agreement (16351/12). This will allow you to perform some tests on the systems set up for the Unified Patent Court. In any case, the Processing will be performed by virtue of the consent you give by approving this document and by next using the test system. Without this consent, you will not be allowed to access the test system.

Providing your Personal Data is optional (in any case, we will not be able to check out its truthfulness) but, lacking it, we will not be able to allow you to perform the above test activities.

Your Personal Data will be shared with third parties who act as Data Processors. The latter are

• Net Service S.p.A. as a software supplier — Galleria Marconi 2, 40122 Bologna (BO); e-mail: info@netserv.it; tel.: +39 0516241989; fiscal code: 04339710370;

• Telindus S.A as a hardware infrastructure supplier — Route d’Arlon 83, L-8009 Strassen, Luxembourg; ; tel.: +352 45 09 15 1;

The Data Processors and all the staff explicitly authorized by the Data Controller (Software Developers, Analysts and Court back office staff) guarantee an appropriate Processing, ensuring that the rights of the Data Subject are safeguarded.

Dissemination: By accepting these conditions, you allow your Personal Data to be published on the institutional Web site (www.unified-patent-court.org).

In compliance with the EU Regulation 2016/679, your Personal Data might be communicated out of the European Union. In particular,

• by using some Proxy and Caching services, it can be communicated to Cloudflare Inc. with whom the associated model clauses have been agreed (the latter can be viewed here https://www.cloudflare.com/media/pdf/cloudflare-customer-dpa-20180402.pdf)

• by using some Cloud services, it can be communicated to some companies of the group Google LLC with whom the associated model clauses have been agreed (the latter can be viewed here https://cloud.google.com/terms/eu-model-contract-clause)

Retention time: We inform you that, in accordance with the principles of licitness, purpose limitation and data minimization (article 5 of the GDPR), your Personal Data will be retained 3 years since the end of the relationship.

You have the right of obtaining from the Data Controller

• the Erasure (Right to be Forgotten)

• the limitation

• the update

• the rectification

• the Portability

of your Personal Data, by sending a communication to the aforementioned contacts. We will proceed according to the regulations envisaged by the GDPR.

At any moment, you will be allowed to revoke the consent given by approving this document. Under this revocation, the Data Controller will no longer be able to guarantee the test activities of the portal.

In any case, you can file a complaint to the Luxembourg DATA PROTECTION regulation’s body (https://cnpd.public.lu/en/droits/faire-valoir/formulaire-plainte.html), if you deem it appropriate.

At any moment, you can object to the Processing of your Personal Data and, in general, exercise the rights envisaged by the articles 15, 16, 17, 18, 20, 21 of the GDPR.

EU Regulation 2016/679: Articles 15, 16, 17, 18, 19, 20, 21, 22 – Rights of the Data Subjects

1. The Data Subject has the right of knowing about the existence of Personal Data referring to him/her, even though not yet recorded, and of obtaining that it be communicated to him/her in an intelligible format.

2. The Data Subject has the right of knowing

   1. the sources of his/her Personal Data

   2. the purposes and the details of the Processing

   3. how the Personal Data is processed, in case of automated processing

   4. any information needed to identify the Data Processors

   5. the persons or the categories of persons Personal Data can be communicated to or who can learn about it either as representatives appointed on the State territory or as Data Processors

3. The Data Subject has the right of obtaining

   1. the update, the rectification and, when he/she has a stake in, the integration of his/her Personal Data

   2. the Erasure or the Pseudonymization of his/her Personal Data

   3. the certification that the above operations have been communicated, even in their contents, to those who Personal Data was communicated or disseminated to, except when this is impossible or requires an amount of resources blatantly disproportioned with respect to the safeguarded right

   4. the Data Portability

4. The Data Subject has the right to file a complaint to the Luxembourg DATA PROTECTION regulation’s body (https://cnpd.public.lu/en/droits/faire-valoir/formulaire-plainte.html), if the Data Controller does not satisfy his/her requests.

MODIFICATIONS:

The Data Controller reserves the right to modify, update, add or remove parts of this document at its own discretion and at any moment.

The Data Subjects are held to periodically check any possible modifications.

To make this check easier, this document displays the date it was last updated.

The use of the on-line services of the CMS after the modifications have been published, will imply these modifications are approved by the user.

EFFECTIVE DATE:

This Policy was last updated on May 9, 2018.

CONTACT INFORMATION:

Should you have any inquiry, please contact our Data Protection Officer (DPO) at

Data Protection Officer

Centre des technologies de l’information de l’État

Post: 1, rue Mercier. L-2144 Luxembourg

Tel: +352 247 81800