Document about Personal Data Processing (art. 13, 14 of EU Regulation 2016/679)
Glossary of Terms
Personal Data is any information related to a natural person that can be used to directly or indirectly identify him/her
Processing is any operation performed on Personal Data, whether or not by automated means, such as collection, use, recording, …
Data Controller is the entity that determines the purposes, conditions and means of Personal Data Processing
Data Processor is any entity that processes Personal Data on behalf of the Data Controller
Data Subject is the natural person whose Personal Data is processed by a Data Processor
Recipient is any entity to which Personal Data is disclosed
Right to be Forgotten is the right entitling the Data Subject to have the Data Controller erase his/her Personal Data, cease further dissemination and potentially have third parties cease Processing
Data Erasure is the action performed by the Data Controller to allow the Data Subject to exercise his/her Right to be Forgotten
Data Portability is the requirement for the Data Controller to be able to provide the Data Subject with a copy of his/her Personal Data in a format that can be easily read by another Data Controller
Pseudonymization is any processing of Personal Data such that it can no longer be attributed to a single Data Subject without the use of additional data
Data Subjects: Unified Patent Court (UPC) Case Management System (CMS) users
Centre des Technologies de l’Information de l’Etat, 1 rue Mercier, L-2144 Luxembourg (CTIE) as a representative of UPC, with reference to the Processing of your Personal Data, is the Controller of this Processing, according to EU Regulation 2016/679, in the sequel General Data Protection Regulation (GDPR).
With this document, the Data Controller wants to inform you about the principles according to which your Personal Data will be processed, considering that this processing will be characterized by appropriacy, licitness, transparency and protection of your privacy and your rights.
Every Processing is compliant with the articles 6 and 32 of the GDPR and adopts the appropriate security measures envisaged there.
Processing purpose: Until the Court becomes fully operational, your Personal Data will be processed by computer systems and software managed also by third parties (our suppliers or sub-suppliers) with the only purpose of performing functional tests to implement the correct functioning of the procedures envisaged by the EU Regulations 1527/2012 and 1260/2012 and by the Unified Patent Court Agreement (16351/12). This will allow you to perform some tests on the systems set up for the Unified Patent Court. In any case, the Processing will be performed by virtue of the consent you give by approving this document and by next using the test system. Without this consent, you will not be allowed to access the test system.
Providing your Personal Data is optional (in any case, we will not be able to check out its truthfulness) but, lacking it, we will not be able to allow you to perform the above test activities.
Your Personal Data will be shared with third parties who act as Data Processors. The latter are
Net Service S.p.A. as a software supplier — Galleria Marconi 2, 40122 Bologna (BO); e-mail: firstname.lastname@example.org; tel.: 0516241989; fiscal code: 04339710370;
T-Systems Limited as a hardware infrastructure supplier — Futura House, Bradbourne Drive, Tilbrook, Milton Keynes MK7 8AZ, England; tel.: +44 800 036 46 56.
The Data Processors and all the staff explicitly authorized by the Data Controller (Software Developers, Analysts and Court back office staff) guarantee an appropriate Processing, ensuring that the rights of the Data Subject are safeguarded.
Dissemination: By accepting these conditions, you allow your Personal Data to be published on the institutional Web site (www.unified-patent-court.org).
In compliance with the EU Regulation 2016/679, your Personal Data might be communicated out of the European Union. In particular,
Retention time: We inform you that, in accordance with the principles of licitness, purpose limitation and data minimization (article 5 of the GDPR), your Personal Data will be retained 3 years since the end of the relationship.
You have the right of obtaining from the Data Controller
of your Personal Data, by sending a communication to the aforementioned contacts. We will proceed according to the regulations envisaged by the GDPR.
At any moment, you will be allowed to revoke the consent given by approving this document. Under this revocation, the Data Controller will no longer be able to guarantee the test activities of the portal.
In any case, you can file a complaint to the Luxembourg DATA PROTECTION regulation’s body (https://cnpd.public.lu/en/droits/faire-valoir/formulaire-plainte.html), if you deem it appropriate.
At any moment, you can object to the Processing of your Personal Data and, in general, exercise the rights envisaged by the articles 15, 16, 17, 18, 20, 21 of the GDPR.
EU Regulation 2016/679: Articles 15, 16, 17, 18, 19, 20, 21, 22 – Rights of the Data Subjects
The Data Subject has the right of knowing about the existence of Personal Data referring to him/her, even though not yet recorded, and of obtaining that it be communicated to him/her in an intelligible format.
The Data Subject has the right of knowing
the sources of his/her Personal Data
the purposes and the details of the Processing
how the Personal Data is processed, in case of automated processing
any information needed to identify the Data Processors
the persons or the categories of persons Personal Data can be communicated to or who can learn about it either as representatives appointed on the State territory or as Data Processors
The Data Subject has the right of obtaining
the update, the rectification and, when he/she has a stake in, the integration of his/her Personal Data
the Erasure or the Pseudonymization of his/her Personal Data
the certification that the above operations have been communicated, even in their contents, to those who Personal Data was communicated or disseminated to, except when this is impossible or requires an amount of resources blatantly disproportioned with respect to the safeguarded right
the Data Portability
The Data Subject has the right to file a complaint to the Luxembourg DATA PROTECTION regulation’s body (https://cnpd.public.lu/en/droits/faire-valoir/formulaire-plainte.html), if the Data Controller does not satisfy his/her requests.
The Data Controller reserves the right to modify, update, add or remove parts of this document at its own discretion and at any moment.
The Data Subjects are held to periodically check any possible modifications.
To make this check easier, this document displays the date it was last updated.
The use of the on-line services of the CMS after the modifications have been published, will imply these modifications are approved by the user.
This Policy was last updated on May 9, 2018.
Should you have any inquiry, please contact our Data Protection Officer (DPO) at
Data Protection Officer
Centre des technologies de l’information de l’État
Post: 1, rue Mercier. L-2144 Luxembourg
Tel: +352 247 81800