IP Helpdesk Privacy Policy

Your personal data is processed in accordance with Regulation (EU) No 2018/1725^[1] on the protection of individuals regarding the processing of personal data by the Union institutions, bodies, offices, and agencies and on the free movement of such data.

The data controller of the processing operation is the Head of Unit EISMEA I.02. of the European Innovation Council and SMEs Executive Agency (EISMEA^[2]).

Personal data is processed on our behalf by the consortium members of each of the IP Helpdesks. The Partners involved in those consortia are:

China IP SME Helpdesk

SD Policies Limited (Ireland)

European Chamber of Commerce in China (China)

European IP Helpdesk

Eurice GmbH (Germany)

University of Alicante (Spain)

Research and Innovation Services-RISE d.o.o. (Croatia)

India IP SME Helpdesk

University of Alicante (Spain)

Eurice GmbH (Germany)

Eurochambres Association des Chambres de Commerce et d’Industrie européennes (Belgium)

EBTC (India)

Latin America IP SME Helpdesk

University of Alicante (Spain)

Eurice GmbH (Germany)

Eurochambres Association des Chambres de Commerce et d’Industrie européennes (Belgium)

Cámara Española de Comercio en México, CAMESCOM - Subcontractor (Mexico)

Cámara Española de Comercio en Brasil, CAMACOES - Subcontractor (Brazil)

South-East Asia SME Helpdesk 

PRACSIS srl (Belgium)

SPI – Sociedade Portuguesa de Inovação (Portugal)

Eurocham VN – European Chamber of Commerce in Vietnam (Vietnam)

- The following entities process your personal data on the Helpdesk’s behalf, and you can find their privacy policies separately on their website, namely:

• Livestorm. Used to carry out online training for users.
• Freshdesk. Used to collect and manage enquiries submitted through the project Helpline. It also enables the team to extract anonymous statistics for internal monitoring and project reporting.
• EU Survey. Used to conduct ad hoc surveys for various project-related purposes (e.g. feedback, needs assessment). We usually do not collect personal data through these surveys unless clearly stated and with appropriate safeguards in place.
• SurveyMonkey. Used to conduct ad hoc surveys for various project-related purposes (e.g. feedback, needs assessment). We usually do not collect personal data through these surveys unless clearly stated and with appropriate safeguards in place.
• GoTo. Used for communication and stakeholder management.
• JIRA (Atlassian). Used to collect and manage enquiries submitted through the project Helpline. It also enables the team to extract anonymous statistics for internal monitoring and project reporting.
• Microsoft SharePoint. Used to upload reports and related documents to the European Commission for its assessment.
• Google Drive: Used to store project-related files securely, including attendance lists from events. These lists are not shared with third parties and are used strictly for internal reporting and statistical purposes, in line with data protection obligations.
• OneDrive. Used to store project-related files securely, including attendance lists from events. These lists are not shared with third parties and are used strictly for internal reporting and statistical purposes, in line with data protection obligations.
• Dropbox. Used to store project-related files securely, including attendance lists from events. These lists are not shared with third parties and are used strictly for internal reporting and statistical purposes, in line with data protection obligations.
• Campaign Monitor.  Used as a mailing marketing provider. To send out mass communications to stakeholders.

Entities that process data only by consent:

• YouTube. Used to upload and share promotional videos and recordings of training sessions or webinars. These videos are made publicly available to increase outreach and engagement with project content.
• X (formerly Twitter). Used for the promotion of project resources, updates, and events, aiming to attract and inform users and potential beneficiaries of the project’s services.
• Google Workspace. Used as a business email and workspace provider.
• LinkedIn. Used for the promotion of project resources, events, and activities, to reach and engage potential users and beneficiaries of the project’s services.
• Zoom: Used for online training sessions. Attendee information and participation statistics are collected solely for reporting and follow-up purposes, with prior consent.

The legal basis for the processing activities is/are 

- Article 5(1)(a) of Regulation (EU) 2018/1725 because processing is necessary for the performance of a task carried out in the public interest (or in the exercise of official authority vested in the Agency)^[3] laid down in Union law; 

- Article 5(1)(d) of Regulation (EU) 2018/1725 is based on your explicit prior consent for your non-mandatory personal data indicated below.

The purpose(s) of this processing is/are to: 

-compile project statistics for project reporting purposes; 

-if you are using the Helpline service, to ask for more information about your query in case clarifications are needed; 

-to send an answer to your IP question; 

-ask your feedback about the usefulness of the answers provided, follow up on your case; 

- for project promotion purposes (use of pictures and/or audiovisual items on social media and on the project’s website); social media channels are used to promote project activities for outreach purposes. The Helpdesks do not extract or process personal data of individuals who interact with the project’s social media profiles (e.g. likes, comments, shares). Suppose we receive an enquiry via the messaging tools on social media. In that case, we inform the user that their message and related personal data (name, email, company affiliation) will be shared with a specific colleague responsible for handling the enquiry. Social media is also used to promote recorded events (e.g., webinars) uploaded on YouTube. These recordings may include the video feed of speakers. However, the IP Helpdesk do not publish the names of webinar attendees—only those of speakers (e.g. IP experts and project representatives) when needed. A pop-up notification or disclaimer is displayed before the start of any recorded event, allowing participants to take appropriate action (e.g. switching off their camera, hiding their name, or choosing not to participate).

-to subscribe to the Newsletter, to send you a Newsletter via e-mail; 

- to organise a training session or awareness-raising event, - other: e.g., information about an update to the privacy policy, offering collaboration opportunities, or for a survey about user needs and service improvements.

The following of your personal data is collected: your first name, last name, email, country of origin, city, and company name (if any). Type of organisation, sector, preferred gender pronoun, telephone, IP address. All personal data is mandatory for the purpose(s) outlined above. 

In addition, the following non-mandatory personal data are collected: official photos of the events, multimedia items showing the people participating in official events, their image, voices, statements, opinions, testimonials, session recordings and transcripts, etc, for the delivery of our trainings and promotion of the services on the website and social networks. We may also follow up with you and contact you about similar EU-related initiatives in the future. All the above-mentioned personal data can only be processed based on your explicit prior consent^[4].

The recipients of your personal data will or may be only accessible by the Helpdesk and the controller and Commission staff in charge of the IP Helpdesk, as well as the bodies charged with monitoring or inspection tasks in application of the EU law (e.g. internal audits, Court of Auditors, European Anti-fraud Office (OLAF)), European Public Prosecutor’s Office (EPPO). Data is not used for any other purposes or disclosed to any other recipient, nor to third countries or international organisations.

Images and other audiovisual items are published on the websites and social media and are available to the general public, upon prior explicit consent of individuals featuring those materials.

Your personal data will not be transferred to third countries or international organisations.

The China IP SME Helpdesk uses LinkedIn and X for communication and stakeholder engagement, which may involve processing personal data. LinkedIn and X, as U.S.-based providers, implement safeguards to comply with GDPR, including the standard contractual clauses (SCCs) where applicable. These measures help ensure that any personal data processed through these platforms remains protected and handled in compliance with the GDPR. All three service providers are certified under the EU-U.S. Data Privacy Framework. The Beijing team manages Jira (Atlassian) to collect and process enquiries. Jira offers data residency options, allowing data storage within the European Union. Enquiries are processed through the tool, and no personal data is downloaded. Only company information is extracted for reporting purposes, such as company headquarters, type of company (SME, business support organisation), and sector. The project stores personal data collected at training and trade fairs in OneDrive, and access to it is strictly limited to the Project Team.
We ensure the lawfulness of data processing through the following safeguards:

• Explicit Consent: We obtain your explicit consent to share your information with our Beijing team. At trade fairs, we inform individuals that their enquiries will be passed on to our team based in Beijing. If an enquiry is received via email, we follow up with the entrepreneur to seek their permission before liaising with the Beijing-based IP Business Advisor.
• Access Control & Security Measures: Personal data received through the helpline is securely stored in Jira. Access is strictly limited to authorised Beijing-based personnel involved in processing enquiries: the Project Manager, the Project Officer, the IP Business Advisor. The IT assistant is authorised to access the Jira platform only for technical updates and maintenance (please refer to the EUCCC privacy policy: https://www.europeanchamber.com.cn/en/privacy). A GDPR agreement is in place between SD Policies and the EUCCC to comply with the GDPR.
• Data Minimisation & Export Controls: Only necessary company data is collected and stored. The data may be exported solely for operational needs related to enquiry management and internal reporting, following strict security protocols.

The European IP Helpdesk uses Jira (Atlassian), LinkedIn, and GoTo for communication, project management, and stakeholder engagement, which may involve the processing of personal data. Atlassian offers data residency options, allowing data storage within the European Union. LinkedIn and GoTo, as U.S.-based providers, implement safeguards to comply with GDPR, including the standard contractual clauses (SCCs) where applicable. These measures help ensure that any personal data processed through these platforms remains protected and handled in compliance with the GDPR. All three service providers are certified under the EU-U.S. Data Privacy Framework.

• For Jira, see: Data privacy framework notice section.
• For LinkedIn, see EU/EEA, UK, and Swiss data transfers
• For GoTo, see Data Privacy Framework Notice 

The India IP SME Helpdesk uses Jira (Atlassian), Google Drive, and Livestorm for communication, project management, and stakeholder engagement, which may involve processing personal data. Atlassian offers data residency options, allowing data storage within the European Union. Whenever Livestorm transfers Data to countries that have not been subject to an adequacy decision by the European Commission, Livestorm ensures that the transfer is governed by the European Commission's standard contractual clauses and Data processing agreements. Google Drive, as a U.S.-based provider, implements safeguards to comply with GDPR, including the standard contractual clauses (SCCs) where applicable. Google Drive complies with the EU-US and Swiss-US Data Privacy Frameworks (DPF).

• For Jira, see: Data privacy framework notice section.
• For Google Drive, see Google's Terms of Service
• For Livestorm, see their Privacy Policy.

We ensure the lawfulness of data processing through the following safeguards:

• Explicit Consent: We obtain your explicit consent to share your information with our team in India (EBTC). At trade fairs, we inform individuals that their enquiries will be passed on to our team based in India. If an enquiry is received via email, we follow up with the entrepreneur to seek their permission before liaising with the India-based IP Expert.
• Access Control & Security Measures: Personal data received through the helpline is securely stored in JIRA (ATLASSIAN). Access is strictly limited to authorised India-based personnel involved in processing enquiries: the Project Manager, the Project Officer, and the IP Experts. The IT assistant is authorised to access the JIRA platform only for technical updates and maintenance. To access EBTC privacy notice: https://ebtc.eu/page.php?name=Privacy%20Policy. Whenever Personal Data is processed during a certain event in India, users will be previously informed during registration with a link to the third-party organiser’s privacy notice. IP experts attending face-to-face events will inform users that the queries received and their personal data will be collected in the JIRA Platform.
• Data Minimisation & Export Controls: Only necessary company data is collected and stored. The data may be exported solely for operational needs related to enquiry management and internal reporting, following strict security protocols.

The Latin America IP SME Helpdesk uses Jira (Atlassian), Google Drive, and Livestorm for communication, project management, and stakeholder engagement, which may involve processing personal data. Atlassian offers data residency options, allowing data storage within the European Union. Whenever Livestorm transfers Data to countries that have not been subject to an adequacy decision by the European Commission, Livestorm ensures that the transfer is governed by the European Commission's standard contractual clauses and Data processing agreements. Google Drive, as a U.S.-based provider, implements safeguards to comply with GDPR, including the standard contractual clauses (SCCs) where applicable. Google Drive complies with the EU-US and Swiss-US Data Privacy Frameworks (DPF).

• For Jira, see: Data privacy framework notice section.
• For Google Drive, see Google's Terms of Service
• For Livestorm, see their Privacy Policy.

We ensure the lawfulness of data processing through the following safeguards:

• Explicit Consent: We obtain your explicit consent to share your information with our team in Latin America. At trade fairs, we inform individuals that their enquiries will be passed on to our team based in Latin America. If an enquiry is received via email, we follow up with the entrepreneur to seek their permission before liaising with the Latin America-based IP Expert.
• Access Control & Security Measures: Personal data received through the helpline is securely stored in JIRA (ATLASSIAN). Access is strictly limited to authorised Latin American-based personnel involved in processing enquiries: the Project Manager, the Project Officer, and the IP Experts. To access CAMESCOM and CAMACOES privacy notice. The IT assistant is authorised to access the JIRA platform only for technical updates and maintenance. Whenever Personal Data is processed during a specific event in Latin America, users will be previously informed during registration with a link to the third-party organiser’s privacy notice. IP experts attending face-to-face events will inform users that the queries received and their personal data will be collected in the JIRA Platform.
• Data Minimisation & Export Controls: Only necessary company data is collected and stored. The data may be exported solely for operational needs related to enquiry management and internal reporting, following strict security protocols.

The South-East Asia IP SME Helpdesk uses Freshdesk (Freshworks), Google Worksuite, Dropbox, Campaign Monitor (Marigold), LinkedIn and X for communication, project management, and stakeholder engagement, which may involve the processing of personal data. 
Freshdesk and Campaign Monitor (Marigold) offer data residency options, allowing data storage within the European Union.
Google Worksuite, LinkedIn, and X, as U.S.-based providers, implement safeguards to comply with GDPR, including the standard contractual clauses (SCCs) where applicable. These measures help ensure that any personal data processed through these platforms remains protected and handled in compliance with the GDPR. All service providers are certified under the EU-U.S. Data Privacy Framework. 
The Vietnam team manages Freshdesk (Freshworks) to collect and process enquiries. Enquiries are processed through the tool, and no personal data is downloaded. Only company information is extracted for reporting purposes, such as company headquarters, type of company (SME, business support organisation), and sector. The project stores personal data collected at training and trade fairs in Dropbox, and access to it is strictly limited to the Project Team.
We ensure the lawfulness of data processing through the following safeguards:

• Explicit Consent: We obtain your explicit consent to share your information with our Vietnam team. At trade fairs, we inform individuals that their enquiries will be passed on to our team based in Vietnam. If an enquiry is received via email, we follow up with the entrepreneur to seek their permission before liaising with the Vietnam-based IP Business Advisor.
• Access Control & Security Measures: Personal data received through the helpline is securely stored in Freshdesk. Access is strictly limited to authorised Vietnam-based personnel involved in processing enquiries: the Project Manager, the Project Officer, and the IP Business Advisor. The IT assistant is authorised to access the Freshdesk platform only for technical updates and maintenance (please refer to the EuroCham Vietnam privacy policy: https://www.eurochamvn.org/privacy-policy/). A GDPR agreement is in place between PRACSIS and the Eurocham VN to comply with the GDPR.
• Data Minimisation & Export Controls: Only necessary company data is collected and stored. The data may be exported solely for operational needs related to enquiry management and internal reporting, following strict security protocols.

The following technical and organisational security measures are in place to safeguard the processing of your personal data: 

We take appropriate technical and organisational measures to safeguard and protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

All personal data related to the project’s procedures is stored in secure IT applications according to the Office’s security standards, and in specific electronic folders accessible to authorised recipients only. Appropriate levels of access are granted individually only to the recipients mentioned above.

The database is password-protected under a single sign-on system and connected automatically to the user’s ID. E-records are held securely to safeguard the confidentiality and privacy of the data therein.

Your personal data will be kept only for the time needed to achieve the purpose for which it is processed.

All data related to the project will be stored from its collection, with a duration of: 

• Queries: 5 years
• Personal data coming from events (matchmaking, training, awareness-raising events): 4 years
• To follow up/request to be contacted for similar initiatives: 2 years
• Newsletter: 3 years

In the event of a formal appeal, all data held at the time of the appeal will be retained until the completion of the appeal process.

You have the right to access your personal data and to request your personal data to be rectified, if the data is inaccurate or incomplete; where applicable, you have the right to request restriction or to object to processing, to request a copy or erasure of your personal data held by the data controller. If processing is based on your consent, you can withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent before it's okay.

Your request to exercise one of the above rights will be dealt with without undue delay and within one month. 

Your right to information, access, rectification, erasure, restriction or objection to processing, communication of a personal data breach, or confidentiality of electronic communications may be restricted only under certain specific conditions as set out in the applicable Restriction Decision in accordance with Article 25 of Regulation (EU) 2018/1725.

If you have any queries concerning the processing of your personal data, you may address them to the Head of Unit EISMEA I.02. of the European Innovation Council and SMEs Executive Agency (EISMEA) entity acting as data controller via EISMEA-SMP-COSME-ENQUIRIESec [dot] europa [dot] eu (EISMEA-SMP-COSME-ENQUIRIES[at]ec[dot]europa[dot]eu).

To contact the regional IP Helpdesks directly: 

• European IP Helpdesk: serviceiprhelpdesk [dot] eu (service[at]iprhelpdesk[dot]eu)
• China IP SME Helpdesk: infochina-iprhelpdesk [dot] eu (info[at]china-iprhelpdesk[dot]eu)
• India IP SME Helpdesk: indiaiprhelpdesk [dot] eu (india[at]iprhelpdesk[dot]eu)
• Latin America IP SME Helpdesk: infolatinamerica-ipr-helpdesk [dot] eu (info[at]latinamerica-ipr-helpdesk[dot]eu)
• South-East Asia IP SME Helpdesk: expertsea-iphelpdesk [dot] eu (expert[at]sea-iphelpdesk[dot]eu)

You shall have the right of recourse at any time to the EISMEA Data Protection Officer at EISMEA-DPOec [dot] europa [dot] eu (EISMEA-DPO[at]ec[dot]europa[dot]eu) and to the European Data Protection Supervisor at https://edps.europa.eu.

Additional information: 

Social media

Social media may be used to present the work being done by the International IP SME HELPDESKS stakeholders through widely used and contemporary channels.

For instance, when uploading content, the members/moderators disseminate it through the social media channels, while other members can, for example, follow links to X and LinkedIn.

Our display of social media buttons does not set cookies to connect to those services when our website pages are loaded on your computer (or other devices) or from components from those services embedded in our web pages.

Each social media channel (Facebook, X, LinkedIn) is a separate controller and has its own policy on the way it processes your personal data when you access its sites. For example, if you choose to watch a video on YouTube, you will be asked for explicit consent to accept YouTube cookies; if you look at your Twitter activity on Twitter, you will be asked for explicit consent to accept X cookies; the same applies for LinkedIn.

If you have any concerns or questions about their use of your personal data, you should read their privacy policies carefully before using them.

Cookies

Cookies are used for the technical functioning of a website or for gathering statistics.

Cookies are also typically used to provide a more personalised experience for a user, for example, when an online service remembers your user profile without you having to log in.

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size, and other display preferences) over a period, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.

When you visit the website, some data may be collected on your browsing experience, such as your IP address, the page you visited, when you visited, and the website page you were redirected from.

This information is used to gather aggregated and anonymous statistics to improve our services and enhance your user experience.

You can control and/or delete cookies as you wish – for details, see aboutcookies.org. You can delete all cookies on your computer and set most browsers to prevent them from being installed. Please note that in such a case, some services and functionalities may not work as designed. The system uses session cookies to ensure communication between the browser and the server. Therefore, the browser should be configured to accept cookies, and they are discarded once the browser session is terminated.

The collection, aggregation, and anonymising operations are performed in the data centre of the European Commission under adequate security measures.

^[1] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L295/39 of 21.11.2018).

^[2] EISMEA Establishment Act: Commission Implementing Decision (EU) 2021/173 of 12 February 2021 establishing the European Innovation Council and SMEs Executive Agency (OJ L 50/9 of 15.2.2021)

EISMEA Act of Delegation: Commission Decision C(2021)949 delegating powers to the European Innovation Council and SMEs Executive Agency with a view to the performance of tasks linked to the implementation of Union programmes in the field of Innovative Europe, Single Market and Interregional Innovation Investments comprising, in particular, implementation of appropriations entered in the general budget of the Union.

^[3] EISMEA Establishment Act: Commission Implementing Decision (EU) 2021/173 of 12 February 2021 establishing the European Innovation Council and SMEs Executive Agency (OJ L 50/9 of 15.2.2021)

EISMEA Act of Delegation: Commission Decision C(2021)949 delegating powers to the European Innovation Council and SMEs Executive Agency with a view to the performance of tasks linked to the implementation of Union programmes in the field of Innovative Europe, Single Market and Interregional Innovation Investments comprising, in particular, implementation of appropriations entered in the general budget of the Union.

Single Market Programme: Regulation (EU) 2021/690 of the European Parliament and of the Council of 28 April 2021 establishing a programme for the internal market, competitiveness of enterprises, including small and medium-sized enterprises, the area of plants, animals, food and feed, and European statistics (OJ L 153/1 of 3.5.2021)

^[4] Processing of non-compulsory personal data can only be based on consent, and individual tick boxes have to be provided when data is collected to document the consent. 

Last update: 04/11/2025