On 15 July 2025, the European Commission adopted an adequacy decision for the European Patent Organisation (EPO).  This marks the first time such a decision has been granted to an international organisation.  From now on, personal data can be transferred from the EU to the EPO based on this decision, without the need for additional safeguards such as Standard Contractual Clauses (SCCs).

Adequacy Decision under the GDPR

The General Data Protection Regulation (GDPR) strictly regulates the transfer of personal data from the EU to third countries or international organisations.  One mechanism for lawful transfer is an adequacy decision, where the European Commission determines that a third country or international organisation ensures data protection that is essentially equivalent to that in the EU.  Where such a decision exists, personal data can be transferred from the EU to that jurisdiction or organisation, without requiring additional safeguards such as SCCs or binding corporate rules.

European Patent Organisation

The European Patent Organisation, established under the European Patent Convention, is an intergovernmental organisation headquartered in Munich.  It currently comprises 39 contracting States.  The EPO is responsible for examining and granting European patents.

The EPO receives personal data from various EU-based actors such as patent applicants and national patent offices.  However, as an international organisation with privileges and immunities, the EPO is not subject to the GDPR.  To govern its internal data processing, the EPO adopted a new data protection framework in June 2021, centred on its Data Protection Rules.  The European Commission has assessed these rules and concluded that they offer an adequate level of protection, comparable to the safeguards under the GDPR.

Thanks to the Commission’s adequacy decision, EU-based organisations may now transfer personal data to the EPO without implementing additional safeguards like SCCs. This greatly facilitates data flows in the European patent system and sets an important precedent for other international organisations seeking similar recognition in the future.

Further Adequacy Developments

As of July 2025, the Commission has adopted adequacy decisions for several countries (e.g. Japan, South Korea, the UK), and the EPO. 

On 22 July 2025, the Commission also launched the process to adopt new adequacy decisions for the UK, aiming to maintain free and safe data flows between the EU and the UK following its assessment of the UK Data Use and Access Act.  The Commission is also advancing discussions with Brazil on a mutual adequacy decision, which was identified as a priority during their Digital Dialogue on 20 March 2024 and is expected to be finalised in the near future.

*          *          *

Covington’s Data Privacy and Cybersecurity team regularly advises companies on their most challenging compliance issues in the EU and other key markets, including on international data transfers.  Covington is monitoring how more and more countries are adopting standard transfer clauses for international data transfers.  Examples include Brazil, Turkey, and Saudi Arabia.  Our team is happy to assist companies with any other inquiries on this topic.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van QuathemEmail
Show more Show less
Matsumoto Ryoko

Ryoko Matsumoto is a global visiting lawyer who attended Kyoto University, Kyoto University Law School, and Stanford Law School.

Email