IP, data protection, and company form before you sell to ESA or the EU
Why legal basics decide whether ESA and the EU take you seriously
The clearest walkthrough of this we've found is EU Space Academy's free Selling to Europe course, where two lawyers from BHO Legal — Dr. Ingo and Dr. Philip — cover the ground a young space company actually needs. BHO Legal is a Cologne-based technology law firm founded in 2008 by lawyers who came out of the German space agency DLR; per the course, the firm has worked continuously in the European GNSS programme (Galileo) since the early 2000s, plus Copernicus and GovSatCom, and more recently SSA/SST, advising the European Commission, EUSPA, ESA, national agencies, and industry along the way.
Their core message: intellectual property, data protection, and company form aren't paperwork you clean up after winning a contract. ESA and the EU screen for exactly these things during a tender's early "selection phase" — get them wrong and you can be filtered out before anyone reads your technical proposal.
The IP toolkit — what protects what
Founders tend to reach for "patent" as a catch-all, but the course walks through several distinct legal tools, each suited to a different kind of asset.
| IP type | What it protects | Registration | How long it lasts |
|---|---|---|---|
| Patents & utility models | New technical inventions | Yes, territorial; utility models ("small patents") are not checked for novelty by the registry | Patents: 20 years |
| Trademarks & trade names | The name/branding of your products, services, or company | Yes for trademarks; trade names can also arise through market use | Renewable indefinitely if used and renewed (every 10 years in the EU) — lost if unused or not renewed |
| Designs | The appearance/shape of a product | Yes (the EU also has narrow unregistered-design protection) | 25 years |
| Copyright | Creative works — including software code as a literary work, and databases in some cases | None — exists automatically from the moment of creation, not publication | Roughly 70 years after the author's death (EU) |
| Trade secrets / know-how | Confidential technical or business information | None, but EU trade-secret rules require "suitable" protective measures to actually be in place | As long as it stays secret and protected |
Patents and utility models share one hard rule: the invention has to be new. The EU runs on a first-to-file basis — whoever applies first gets the right — and publishing an idea before you file, including some kinds of informal disclosure, can destroy its novelty. Sharing details under a proper non-disclosure agreement, or within a tightly controlled development partnership, is the standard way founders keep an invention "unpublished" while still collaborating on it, per the course.
One counterintuitive warning from the course: sending a cease-and-desist letter over a patent or trademark can invite a counterattack that gets your own right examined — and potentially invalidated — if it turns out to be weaker than you assumed. Check that a right is actually enforceable before you try to enforce it. Trademarks carry a similar trap in reverse: protection isn't limited to identical marks — names that just sound alike can still infringe, so a "close enough" rebrand isn't automatically safe.
Freedom-to-operate (FTO): check before you ship, not after
A freedom-to-operate search asks a narrower question than "can I protect my invention" — it asks whether you can put your product, technology, or service on the market at all without infringing someone else's existing patent, trademark, design, or copyrighted material, including open-source license terms baked into your own code. The course's practical starting points: a plain search-engine check as a first pass, then the relevant patent registry — the example given is Germany's DEPATISnet tool — and the EU's trademark database, TMDN. Patent registries are genuinely hard to read without help; budget for a patent attorney rather than assuming a DIY search is conclusive.
Two details worth remembering. First, utility models are not novelty-checked by the registry the way patents are, so an existing "small patent" can be sitting there unexamined — an FTO search is your real check. Second, if your product ships with open-source components, review each license's terms before launch: some open-source licenses are "copyleft" and require you to publish your own derivative code under the same open terms, which can undercut the exclusivity you were trying to build. Skipping FTO isn't just a paperwork risk — the course is blunt that an infringement claim can force an immediate stop to your business, on top of damages and legal costs.
For EU-level help, EUIPO publishes general guidance on trademarks and designs, and per the course has at points supported SME funding schemes that cover part of filing costs — worth checking current eligibility directly. The IPR Helpdesk network offers free-to-SME assistance on IP questions specifically, which the course recommends as a first stop before paying for a full legal opinion.
GDPR basics — and why ESA is not the same as GDPR
Two ideas anchor GDPR, per the course. First, data protection and data security are not the same thing: data security protects all of a company's valuable information, while data protection specifically protects the individual behind personal data. Second, the GDPR applies the moment you're handling "personal data" — any information relating to an identified or identifiable natural person, including indirect identifiers like an IP address or location data. That scope is deliberately broad, and the course notes some legal experts argue there's barely any data left that isn't personal data in some sense.
That's why the anonymization/pseudonymization distinction matters. Data only escapes GDPR entirely once re-identifying a person from it is impossible or so disproportionately difficult that it's no longer realistic — genuine anonymization. Pseudonymized data, where direct identification isn't necessary for day-to-day processing but re-identification remains technically possible, stays inside GDPR's scope. There's no single industry checklist for what counts as "anonymized enough" — the regulation expects a risk-based judgment call, not a one-time technical trick.
On the legal-basis side, GDPR runs on a default-prohibition model: processing personal data is forbidden unless a specific legal basis applies (GDPR Article 6). The bases founders actually use day to day are consent, necessity for performing a contract (only when the other contracting party is a natural person — for a business customer's employees, you rely on legitimate interest instead), a legal obligation, or legitimate interest more broadly. One purpose-limitation rule trips people up: data collected for one purpose generally can't be repurposed for another, with a narrow carve-out for scientific research. Consent, while the most familiar basis, is operationally the weakest one — it has to be documented, requires upfront information to the person about who's processing their data and why, and can be withdrawn at any time without a reason, potentially cutting off your ability to keep using that dataset.
Two more terms worth knowing before you sign a vendor contract: a controller decides the purposes and means of processing; a processor (Article 28 — think a cloud hosting provider) only acts on the controller's documented instructions and needs a written data-processing agreement, not its own legal basis. If two companies jointly decide the purposes and means of processing together, they become joint controllers (Article 26) — which creates cooperation duties toward the people whose data it is, not a legal basis by itself. The course's practical tip: when a vendor hands you their standard data-processing agreement, check it against Article 28's requirements, and watch for liability-limitation clauses quietly inserted that conflict with your underlying service contract.
Here's the part specific to space: ESA is an independent intergovernmental organization and is not itself directly bound by the GDPR. It has built its own data-protection rules instead — described in the course as "very close to" the GDPR, but distinct, with their own systematics. Both ESA and EUSPA write detailed privacy provisions directly into their contracts and tender documents, and clicking "I agree" or signing binds you to those specific terms — they don't automatically equal your existing GDPR compliance programme. Read the contract-specific data provisions every time, rather than assuming your GDPR policy already covers it.
The course also flags a couple of everyday gray zones that leave companies unsure: participant lists from project meetings (names, contact details) and training records for engineering staff — for example, documentation that someone completed satellite-operations training. Neither has a clean off-the-shelf answer; treat them as GDPR questions worth a specific check rather than an assumption.
Company form: why the cheapest entity can cost you the tender
Forming a proper legal entity — instead of operating as a freelancer, sole trader, or informal partnership — limits your personal liability. The course's illustrative example is Germany's GbR/OHG partnership forms, where liability stays personal: your own bank account, even your house, is exposed to business creditors. That's a German-law example, not a claim about every EU jurisdiction's partnership rules — but the underlying principle, that informal structures carry personal liability while incorporated entities don't, holds generally.
On the other end, the course also uses a German example for the "easy" incorporated option: the UG (Unternehmergesellschaft), informally a "mini-GmbH" that can be founded with as little as €1 in capital, versus a full GmbH, which needs €25,000 in registered capital, at least €12,500 paid in, to properly capitalize. Worth being precise here: this is specifically how German company law is structured — there is no harmonized EU corporate law, and forming a company is governed by each member state's own rules. The one EU-wide vehicle the course mentions is the "Societas Europaea" (SE), essentially a stock-corporation structure, not something you'd default to at the founding stage.
Why does the entity type matter for tenders specifically? Because the European Commission, EUSPA, ESA, and national space agencies — the main buyers in this market — operate mainly through public procurement tenders and research grants, and those processes actively check whether you look like a company capable of delivering. Per the course, a bare minimum-capital entity is a reasonable way to get started, but it is "generally not suitable" once you're seriously pursuing tenders and grants — you need to show you're a fully established company, or risk being excluded already at the tender's first selection stage. The fully recognized forms the course points to are a standard GmbH in Germany or an S.r.l. in Italy: ordinary, properly capitalized limited-liability companies, not the minimal starter version.
There's a capital-planning angle too: beyond the entity itself, you need reserves to pre-finance product development, market entry, and the tender-preparation work — proposal writing, compliance documentation, reference-building — before any contract revenue arrives. As we cover in our companion piece on ESA vs. EU procurement rules, that pre-revenue period for a large tender can run six months to two years.
What to do with this before your next tender
- Map your assets to the right IP tool — patent/utility model, trademark, design, copyright, or trade secret — before building a protection plan around the wrong one.
- Run an FTO search — search engine, national/EU patent registry, EU trademark database — before you ship, not after a competitor's lawyer contacts you.
- Keep a GDPR compliance baseline, but read ESA's and EUSPA's own contract-specific privacy provisions separately. Don't assume one satisfies the other.
- If you're incorporated as a minimal-capital entity, plan your move to a fully recognized company form before you seriously pursue ESA or EU tenders — not during a live bid.
- Get independent legal review of any IP license inherited from a university or research-organization spin-out, at the point you sign it — see our companion piece on background vs. foreground IP ownership for why this matters even more once you're under an ESA or EU contract.
FAQ
What's the difference between a patent, a trademark, and a copyright for a space startup?
Patents and utility models protect new technical inventions and must be registered territorially. Trademarks protect the name or branding of your products, services, or company, and also require registration (or, for trade names, can arise through market use). Copyright protects creative work — including software code and, in some cases, databases — and needs no registration at all; it exists automatically from the moment you create the work.
What is a freedom-to-operate (FTO) search, and when should I do one?
A freedom-to-operate search checks whether you can place a product, technology, or service on the market without infringing someone else's existing patent, trademark, design, or copyrighted material, including open-source license terms in your own code. Per EU Space Academy's Selling to Europe course, it should happen before you ship, using tools like a national or EU patent registry and the EU's trademark database, since skipping it risks an enforced stop to your business plus damages and legal costs.
Does GDPR apply to ESA contracts?
Not directly. ESA is an independent intergovernmental organization and is not itself bound by the GDPR — it runs its own data-protection rules, which the course describes as close to the GDPR but distinct, with their own systematics. ESA and EUSPA both write detailed, contract-specific privacy provisions into their tenders and contracts, so compliance with your general GDPR programme does not automatically satisfy ESA's own rules.
Can a German UG (or similar minimal-capital company) bid for ESA or EU tenders?
A UG can be a workable early vehicle — the course describes it as an easy, low-capital way to get a limited-liability entity. But for serious tender participation the course's advice is to move to a fully established form: evaluators check whether you look like a fully established company, and informal setups (the course's example of an unsuitable form is the German GbR partnership) risk exclusion already at the tender's first selection stage. The course points to fully recognized forms like a standard GmbH (Germany) or S.r.l. (Italy). Company law is set at the member-state level, so exact entity types and thresholds vary by country.
Where can I get free help with IP questions as an EU space startup?
EU Space Academy's course points to the IPR Helpdesk network, which offers SMEs free assistance on intellectual-property questions, alongside EUIPO's general guidance on trademarks and designs. Both are useful before paying for a full legal opinion, though for space-specific contract clauses such as background and foreground IP, the course still recommends dedicated legal counsel.
Sources
- EU Space Academy — Selling to Europe course, Module 3 "Regulatory Guidelines" (Intellectual Property & Copyrights, Data Protection, Corporate Essentials), featuring Dr. Ingo and Dr. Philip of BHO Legal.
- EUIPO — EU Intellectual Property Office — trademark, design, and IP guidance.
- DPMA — DEPATISnet patent and prior-art search tool.
- EUIPO — TMDN — EU trademark search database.
- IPR Helpdesk — European SME assistance network on IPR.
- ESA — European Centre for Space Law (ECSL).