What are the EPO’s Data Processing Agreement regulations?

Where a contractor will be processing personal data on behalf of the EPO, they must sign Annex E in order to comply with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data – "General Data Protection Regulation".

The terms "personal data" and "processing" are very broad. "Personal data" means "any information relating to an identified or identifiable natural person", in other words any information relating to an individual (as opposed to a legal person, such as a company) that can identify such individual. It includes names, addresses and ID card numbers, as well as online identifiers such as IP and email addresses. "Processing" means doing just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing or destroying it or otherwise making it available to someone else.