Data Protection and IP law: when identification becomes unlawful. A practical guidance

di Federica Pezza -

Known as OHIM until 23 March 2016, the European Union Intellectual Property Office (hereinafter “EUIPO” or “the Office”) was established in 1994 with the main aim of providing its users with exclusive rights for trade marks and design protection throughout the EU . Over the years, the Office has experienced a significant growth, which has been mainly related to its ability of identifying new trends (both commercial and legal) and, by this, meeting business needs and expectations. In other words, EUIPO success has historically been connected to its capacity of keeping up with innovation in all its aspects. For this very reason, also when faced with the adoption of the new trade mark and privacy laws, the Office, and namely its International Cooperation and Legal Affair Department issued a legal document with the purpose of not only adapting its procedures to the new rules but also providing “some explanatory notes” to its users on the personal data processed within the framework of its tasks (“The Note”).
The question is particularly critical when it comes to trade mark law. And in fact, if on the one hand trade marks are widely known as distinctive badges of origin, enabling users to identify the commercial source of one’s goods and services, on the other under data protection laws restrictions apply with regard to the processing of those very data enabling the identification of individuals. In other words, in this area a line has to be drawn between admissible (and still necessary) identification of the commercial source and (possibly unlawful) processing of data likely to identify individuals.
In the present contribution, after a brief recap on the relevant legal framework, we will try and summarize the key concepts arising from the Note. While doing so, we will look at some of the main practical implications of the new privacy rules, focusing in particular on the processing of personal data for the purpose of the “ESearch Plus” database.
The legal framework
The overlap among different sets of rights and interests in the area considered results in the need for different sets of legal instruments and corresponding rules to be taken into account in our analysis.
In general terms, these legal sources can be grouped as follows:
1. Data Protection legal texts: Regulation (EU) No 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union Institutions, bodies, offices and on the free movement of such data, and repealing Regulation (EC) No 45/2011 and Decision No 1247/2002/EC (the ‘EU Data Protection Regulation’).
2. EU Trade mark legal texts: EU trade mark Regulation (EU) No 2017/1001 (“EUTMR”) and implementing acts. For more details here
3. Community Design legal texts: Community Design Regulation (EC) No. 6/2002 (“CDR”) and implementing acts. For more details here
The Note in a nutshell: the notions of Register Data and Data Base Data
Following the Note, personal data processed by the EUIPO can be distinguished in mandatory and non-mandatory data. In this sense, the latter expression is used to refer to data that can only be processed by the EUIPO based on the consent of the applicant or third parties . Differently, “mandatory personal data” consist in those data which are processed in relation to the tasks of the Office (as laid down in Article 151 and 152 EUTMR). These data can themselves be divided in (i) register data and (ii) database data. This second distinction is also crucial for the present analysis insofar as mandatory personal data will be subject to a different treatment depending on the specific category they belong to.
• The expression “register data” (“Register Data”): refer to “personal data of applicants and, where applicable, of their representatives” which, under Article 111 EUTMR or Article 72 CD, shall be included in the Register of EU trade marks and Community designs. Indeed, as it is clarified in the Note, the mandatory nature of the data processed depends in this case on the fact that these data are either (i) necessary for the performance of a task carried out in the public interest or in the exercise of office authority or (ii) necessary for compliance with a legal obligation of the controller. As for the purposes of processing, an exhaustive list is set out under Article111 (5) (8) and 112 (2) EUTMR.
The legal status and corresponding treatment: following the Note, Register Data including personal data, will be considered of public interest, with the consequence they might be accessed by any third party. However, a further clarification is required on this point. And in fact, one thing is mere access to personal data and another, very different, is the possibility for personal data to be downloaded. In regard to the latter, more restrictions apply, given that under article 111 EUTMR, download shall be permitted only if a license exists. Eventually, restrictions will apply also with regard to the exercise of data subjects’ rights. In particular, if on one hand and for obvious reasons, right of access will not have room in a similar scenario (given the public nature of the Register) on the other, reasons of legal certainty will also pre-empt the exercise of the “right to erasure (right to be forgotten)” as provided under Article 19 Regulation (EU) 2018/1725.
• The expression “data base data” (“Database Data”): refer to “personal data to the extent they are required by Regulation (EU) 2017/1001, by acts adopted pursuant to it, by Regulation (EC) no 6/2002 or by its implementing Regulation, within the meaning of Article 112(2) of Regulation (EU) 2017/1001”. Following the Note, the non-mandatory nature of the data processed depends on the fact they are not necessary nor proportionate for the purposes of the processing . These purposes, as defined under Article111 (5) (8) and 112 (2) EUTMR include, among the others, (i) accessing the information necessary for conducting the relevant proceedings more easily and efficiently and (ii) communicating with the applicants and other parties to the proceedings.
The legal status and corresponding treatment: Database Data, in contrast with Register Data, will not be made publicly available unless the part concerned has given express consent. In other words, in this context, publicity does not amount to a rule anymore, but it rather assumes an exceptional nature. This new perspective also impacts on the exercise of rights by data subjects. And in fact, when it comes to Data Base Data if on the one hand no restriction will apply with respect to the exercise of the right of access, on the other data subjects will also be able to freely exercise their right to be forgotten, provided that certain conditions are met (i.e. exercise within 18 months from the expiry of the trade mark or closure of inter partes proceedings).The distinction: practical implications
As it was shown above, the qualification of personal data as Register Data or Data Base Data does have an impact on their legal status and corresponding treatment. This finding is particularly true when it comes to the management of those personal data which are stored on “Esearch Plus”. As you all will be aware, the latter is the name given to a public register that the Office is required to maintain including all the relevant information related to EUTMs mad RCDs (e.g. personal data of owners, representatives, appeals, recordals) for the purpose of allowing third parties and public authorities to exercise their rights under the EUTMR and the CDR.
Indeed, the above mentioned distinction is useful for us insofar as Esearch Plus does include both mandatory and non-mandatory personal data. For this very reason, a communication was issued by the Office on 13 December 2018 (“the Communication”) with the aim of clarifying the legal status of the data involved in the processing. Based on the Communication, “the phone numbers, fax numbers and email addresses provided by users as contact information in the User Area are no longer automatically available and searchable via ESearch Plus, TMview and DesignView” . This is because these data are non-mandatory and can therefore be processed on the basis of consent only. However, following the general principles, users are given the opportunity to “opt-in” to having these details displayed within those databases. This will be possible for them by going to the User Area of the EUIPO website and ticking the Yes-box next to the corresponding approval statement.