Privacy and data protection

Privacy and data protection for intellectual property rights holders

Protecting intellectual property today means processing personal data. Anti-counterfeiting investigations, online trademark surveillance, AI training datasets and employee invention disclosures all collect data covered by the EU General Data Protection Regulation (GDPR) and, since 2024, the EU AI Act. Dreyfus & Associés helps international rights holders run their IP strategy in full GDPR compliance, in France, the EU and beyond.

Why privacy law matters for IP rights holders

Enforcement creates personal data. Cease-and-desist letters, customs interventions, civil and criminal proceedings, online take-down notices and UDRP cases all collect names, addresses, IP addresses, transaction records and sometimes biometric data. The GDPR applies to every step.

Your assets contain personal data. Software products, AI models, databases and trademark portfolios increasingly involve datasets covered by the GDPR or the AI Act. Treating IP and privacy in silos is no longer a viable strategy.

The fines are high enough to dwarf IP damages. GDPR fines can reach 4 percent of worldwide annual turnover or 20 million euros, whichever is higher. AI Act fines go up to 7 percent of turnover for prohibited practices.

4% of worldwide turnover

Maximum GDPR fine for serious violations

Article 83 of the GDPR allows fines up to 4 percent of worldwide annual turnover or 20 million euros, whichever is higher. Several enforcement decisions have exceeded 1 billion euros since 2023.

7% of worldwide turnover

Maximum AI Act fine for prohibited practices

Article 99 of the AI Act sets fines up to 7 percent of worldwide turnover or 35 million euros for prohibited AI practices, with phased application from 2025.

Article 27 GDPR

EU representative for non-EU companies

Companies established outside the EU that process EU residents’ data must appoint an EU representative. Failure to comply exposes them to administrative fines.

Schrems II

Threshold for international data transfers

Since 2020, every transfer to a third country requires a transfer impact assessment and an appropriate mechanism: EU-US DPF, SCC or BCR.

When does the GDPR apply to your IP matter?

Trademark watch on social media

GDPR applies. Lawful basis is usually legitimate interest. Data minimisation and retention policy are essential.

Anti-counterfeiting test purchases

GDPR applies. The purpose must be documented, storage secured, deletion organised after litigation.

UDRP and domain disputes

GDPR applies to registrant data. Use only what is strictly necessary for the dispute.

Employee inventor identification

GDPR applies. Article 88 rules on employment data and French Labour Code obligations apply jointly.

AI model training on copyrighted works

Multiple regimes apply: text and data mining opt-out, GDPR, AI Act transparency.

Customs intervention (AFA application)

GDPR applies. Lawful disclosure to customs must be documented in the record of processing.

International data transfers, IP and the post-Schrems II era

Cross-border IP work necessarily involves transferring personal data outside the EU/EEA. Since the Schrems II CJEU ruling in 2020 and the EU-US Data Privacy Framework in 2023, every transfer must be backed by a valid mechanism.

Practical playbook for IP teams:

  • Transfer to a US correspondent under the EU-US Data Privacy Framework if certified.
  • Transfer to a non-DPF country with standard contractual clauses (SCC) and a transfer impact assessment (TIA).
  • Intra-group transfer through binding corporate rules (BCR).
  • Disclosure to foreign courts or administrative authorities: Article 48 GDPR analysis required.

We routinely draft SCCs adapted to anti-counterfeiting cooperation agreements and IP litigation between France, the US, the UK, China and India.

AI Act, training data and IP rights

The AI Act is the first horizontal regulation on artificial intelligence in the world. For IP rights holders, the most relevant rules combine three layers.

Transparency obligation (Article 53). Providers of general-purpose AI models must publish a sufficiently detailed summary of their training data. This is the gateway for copyright owners to identify whether their works have been used.

Text and data mining opt-out (Directive 2019/790, Article 4). Rights holders can reserve their rights through machine-readable opt-outs (robots.txt, ai.txt, metadata). Failure to respect a valid opt-out can amount to copyright infringement.

Prohibited practices (Article 5). Some IP uses cross the line: emotion recognition in the workplace, biometric categorisation by political views, mass scraping of facial images for facial recognition databases.

Our services at the intersection of IP and privacy

  • Privacy-by-design audit

    Review of trademark watch, anti-counterfeiting, UDRP and litigation workflows for GDPR risks.

  • International data transfer architecture

    SCC drafting, TIA, BCR, EU-US DPF assessment, transfer mechanisms for India, China and UK.

  • AI Act readiness

    Training data audits, opt-out strategy, transparency reports, fundamental rights impact assessments.

  • Employee creator data

    Article 88 GDPR compliance, French Labour Code interplay, NDA and assignment templates.

  • Joint controllership and licensing

    Analysis of joint controller status when licensing IP that involves shared data processing.

  • IP and data incident response

    Combined trade secret breach and data breach handling, regulator notifications, coordinated cease-and-desist.

FAQ on privacy and data protection for IP holders

How does the GDPR affect intellectual property enforcement?

The GDPR applies to most IP enforcement workflows because they involve processing personal data: names of alleged infringers, IP addresses, transaction records, customer testimony. Rights holders must identify a lawful basis, document a record of processing, apply data minimisation and adopt clear retention rules.

Can I transfer personal data to my US law firm for an IP case?

Yes, but only with a valid transfer mechanism. Options include the EU-US Data Privacy Framework if the law firm is certified, standard contractual clauses combined with a transfer impact assessment, or binding corporate rules for intra-group transfers.

Does the EU AI Act require disclosure of training data?

Yes. Article 53 of the AI Act requires providers of general-purpose AI models to publish a sufficiently detailed summary of the training data used. This obligation applies regardless of where the provider is established.

Article 4 of EU Copyright Directive 2019/790 allows commercial text and data mining of lawfully accessible works, unless the rights holder has expressly reserved its rights through a machine-readable opt-out.

Do I need a Data Protection Officer for my IP business?

A DPO is required for large-scale systematic monitoring of individuals (typical of trademark watch programs), for large-scale processing of special categories of data, or where the organisation is a public authority.

Can the GDPR be enforced against companies outside the EU?

Yes. The GDPR applies extraterritorially under Article 3 when a non-EU company offers goods or services to individuals in the EU, monitors their behaviour, or is established in the EU. Non-EU companies must appoint an EU representative under Article 27.
