Privacy Policy

If you are a customer, a prospect, a partner, a supplier or if you are a manager, an employee, or an agent of the latter ("Agent(s)") and/or you use a service of OVHcloud, OVH Limited and other OVH Group affiliates (hereinafter "OVHcloud") collect and process personal data relating to you.

This is the case when you visit an OVHcloud website, when you communicate or interact with OVHcloud (by phone, email, via your OVHcloud account, online forms or other communication tools such as Chatbot, live chat, etc.), when you participate to OVHcloud events, or when you use OVHcloud services.

The purpose of this Policy is to describe such processing activities performed on your personal data, as well as the conditions under which we process your personal data.

This policy covers personal data processing performed by OVHcloud as a controller, i.e. those processes for which OVHcloud determines the means and purposes. The processing conditions performed by OVHcloud as a data processor notably under its customers’ instruction are set out in the Appendix “Data Processing Agreement”.

The terms that are defined into the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019  (hereinafter “UK GDPR”), such as “Personal Data”, “Controller”, “Processor”, etc., have the same meaning when they are used in this Policy.

Part I – Description of the personal data processing
Part II – Conditions of personal data processing

OVHcloud processes your personal data for specific purposes:

1. Contract management;
2. Performance of services;
3. Marketing and commercial prospecting activities;
4. Compliance with legal obligations;
5. Pursuit of legitimate interests.

As part of the performance of contracts concluded with customers, services providers, suppliers and partners, OVHcloud processes personal data relating to them or to their agents, and which processing is necessary for managing the contracts thus established.

Service providers, suppliers and partners

The personal data collected by OVHcloud concerning its service providers, suppliers and partners consists essentially of identification data (first name, last name, email address and telephone number) of their agents with whom OVHcloud interacts, as well as the communications and interactions (emails and other electronic messages, activity reports, reports) between them and OVHcloud.

Customers

Customer data collected by OVHcloud includes:

1. Customer’s identification data (first name, last name, mailing address, email address, telephone number, proof of identity, proof of address, OVHcloud account number or NIC handle)
2. Communications between the customer and OVHcloud (exchanges such as emails and support tickets relating to the conclusion and execution of the contract, history of requests and responses)
3. Services consumption data (order and usage history or attempted usage of services)
4. Method of payment (method of payment used such as credit card number or bank account number, and holder of the method of payment).

When the customer is a legal entity, OVHcloud collects the aforesaid personal data relating to the customer’s agents interacting with OVHcloud.

The aforesaid data are processed for the purpose of management of commercial activities (information and support, commercial proposals, management of orders, management of complaints, invoicing), management of payments, and management of customer accounts.

In case of events organisation, whether physical or online, OVHcloud processes personal data related to the registrants and participants to the event, in particular their identification data (first name, last name, contact information, email address, phone number, company and function within the company) as well as data related to their participation (conferences and workshops in which they are registered and participate). This data is collected to organise the event and to manage the participations (registration, information, itinerary).

Legal basis: The processing activities described below are necessary to deliver and maintain the OVHcloud services (Article 6.1b) UK GDPR).

In order to deliver and maintain its services, as well as in the context of providing support and assistance to use using those services, OVHcloud collects and processes the following data relating to the customers, the users and the services that they used:

1. Customer identification data (essentially first name, last name, contact details, customer ID, user ID or NIC handle)
2. Communications between the Customer or its agents and OVHcloud (exchanges such as emails and support tickets relating to provision and utilization of the services, maintenance operations, potential incidents)
3. Services identification data (list of services used, characteristics, period of use, location)
4. Technical data (machines ID, configurations, connection data, status of the services, usage data and event logs).

Since OVHcloud determines the means and purposes of such personal data processing which is carried out as part of its tools and information system, OVHcloud is the data Controller.

This Section 2. does not apply to data that the customers entrust to OVHcloud as part of their utilization of OVHcloud Services, including data hosted by the customers within OVHcloud infrastructures and services; such data being processed by OVHcloud as a Processor under its customers’ instruction in the conditions provided in the Appendix “Data Processing Agreement”.

Legal basis: The personal data processing activities described below are carried out based on either the legitimate interest of OVHcloud to promote its services and develop its activities, or the consent of the data subjects(in particular customers and prospects) (Articles 6.1 a) and f) UK GDPR).

As part of its commercial activities, OVHcloud processes data relating to its customers and prospects (and their agents) to communicate to them information about its the activities and the activities of its partners, propose services, and invite them to events.

The data subjects concerned may be customers (i.e. individuals who use OVHcloud services or have just opened an OVHcloud customer account), or individual who are not OVHcloud customer but may be interested in OVHcloud activities or services, due to their professional activities or because they get in touch with OVHcloud through its websites, during an event.

Processing requiring the consent of data subjects (such as commercial actions not related to the data subject’s professional activities or to services already used by him or her) is carried out if the data subject has given his or her free, specific, informed and unambiguous consent. When the collection of consent is carried out online, in particular when opening an OVHcloud customer account, registering for an event, or sending a request via a form, a specific check box called "opt in" is used. When the collection of the consent is operated off-line, a process, such as oral presentation, or via paper form, of the purpose and conditions of the data collection, and a request for the express consent of the data subject is implemented.

Concerning processing carried out based on legitimate interests (in particular commercial actions related to the professional activities or services already used by the data subject), OVHcloud takes care to respect the data subject's right of opposition and ensures that this right can be easily exercised in the context of each communication that is sent.

OVHcloud may also contact data subjects whose contact details have been communicated by partners. In this case, OVHcloud ensures that the partners undertake that the personal data has been collected according to applicable law, and that the data subjects have consented to their data being communicated for the purposes of promotion and commercial prospecting.

For business contacts, OVHcloud ensures that the services offered to them are related to their business activity, and that they can exercise their right to object at any time and in an effective way.

Subject to comply with the data subject’s rights, the processing carried out in the context of marketing and commercial prospection activities shall cover the following data:

1. Identification data (first name, last name, contact details, email address)
2. Internet navigation data (IP address, User ID, websites navigation history)
3. Data subject area of interests (data relating to services use, order history, consumption habits, participation to event)
4. Data subject’s interactions with OVHcloud (request, “call to action”).

For more information on cookies and information collected by OVHcloud concerning users of its websites, please see the OVHcloud Cookie Policy.

Legal basis: The personal data processing activities described below are carried out to comply with legal obligations (Article 6.1.c) UK GDPR).

As part of its activities, OVHcloud is subjected to some legal obligations which require the processing of personal data.

Thus, to comply with its accounting and fiscal obligations, OVHcloud has to process data and retain evidence of the orders placed by its customers and the relevant transactions and payment.

Similarly, to ensure the security of its services, in accordance with the provisions of Article 32 of the UK GDPR, as well as to comply with its obligations as a public communications provider pursuant to Article 2 of the Privacy and Electronic Communications Regulations 2003, OVHcloud retains identification data (first name, last name, user ID, customer ID, proof of identity, proof of address) as well as technical data related to the use of the services (traffic and localisation data, connection and event logs).

OVHcloud also has the obligation to respond to requests data subjects exercising theirs rights with respect to the processing of their personal data, or to certain requests from courts and judicial or administrative authorities to provide information, or to report certain data breaches, which may involve personal data.

Legal basis: Processing necessary to safeguard vital interests, and processing necessary for the purposes of legitimate interests pursued by OVHcloud or by a third party (Article 6.1.f) UK GDPR)

OVHcloud may be required to carry out processing operations necessary to safeguard the vital interests of the data subject or another natural person, or necessary for the purposes of the legitimate interests pursued by OVHcloud.

When processing data necessary for the purposes of legitimate interests, OVHcloud shall ensure that the interests or fundamental freedoms and rights of the data subject do not take precedence over such legitimate interests, and that the processing carried out is compatible and has a link with the services provided to the data subject and the purposes for which the data was originally collected.

Processing carried out by OVHcloud for the purpose of legitimate interests includes processing carried out to ensure the security of services, combat fraud, and manage outstanding payments.

As part of the processing covered by this policy, OVHcloud complies, as a Controller, with the regulations in force, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as well as any domestic laws and regulations of the United Kingdomthat may apply to such processing, in particular Data Protection Act 2018.

As such, OVHcloud commits to:

• Collect only personal data necessary for the above purposes;
• Implement processes to ensure the accuracy and updating of the data used in such processing, and erasure when the data is not anymore necessary;
• Not processing personal data in its possession for purposes other than those mentioned in this Policy, except to obtain the consent of the persons concerned, or to inform them in case of processing based on another legal basis than consent;
• Document the processing within a register and carry out any required data processing impact assessment;
• Set up a process to manage incidents and data breaches, and in the event of a breach, notify the competent authorities in accordance with Article 33 of the UK GDPR, and inform the data subjects, in accordance with Article 34 of the UK GDPR, when the breach is likely to present a high risk to their rights and freedoms; and
• Implement technical and organisational measures to protect personal data against security risks, as defined in OVHcloud’s Information System Security Policy.

Personal data protection is integrated into OVHcloud’s information security program for which OVHcloud intends to achieve the following objectives:

• Deployment of an industrial, large-scale approach to security
• Positioning OVHcloud as a trusted player in the ecosystem
• Operate a secure cloud for everyone
• Implementation of Information Security Management Systems (ISMS) and Personal Information Management System (PIMS)
• Risk-based approach to safety
• Evidencing security through certification, internal control and external audit
• Unified response to security incidents and personal data breaches
• Integrating security and privacy issues into products development
• Safety assessment and continuous improvement.

These elements are detailed in OVHcloud’s Information System Security Policy.

OVHcloud reserves the right to anonymise the data covered by this Policy, i.e. to modify it so that it no longer allows the data subject to be identified, even indirectly, and to reuse it in this anonymised form only.

OVHcloud strives to apply the following anonymisation principles:

1. The impossibility of isolating an individual within a larger group on the basis of the data;
2. The impossibility of linking two records concerning the same person; and
3. The impossibility to infer, with high probability, unknown information about a person.

Since the anonymised data is no longer personal data, OVHcloud reserves the right to store and use it for purposes other than those set out in this Policy, in particular, but not limited to statistics, new or improved services, marketing analysis and business strategies.

OVHcloud Affiliates, with the exception of US-based entities, may participate in the data processing covered by this Policy, carried out by OVHcloud as a data Controller.

OVHcloud also relies on third-party providers such as security service providers, network providers, providers of internal applications and tools, payment service providers, marketing analysts, web analysts, email solution providers, satisfaction surveys, consultancy companies, auditors, etc. acting as data “processors” under OVHcloud instructions.

OVHcloud ensures that its Processors undertake to comply with the regulations in force, and to implement appropriate technical and organisational measures to ensure the protection of the Personal Data that they are required to process under OVHcloud instructions. In particular, OVHcloud ensures that the Processors only have access to the data necessary to carry out their tasks.

Furthermore, when using third-party software solutions to process data related to the use and delivery of its services (including ticketing and support management tools, tools used for provisioning and maintenance, and even a business relationship management solution), OVHcloud prefers on-premisessolutions hosted on its own infrastructures.

In all cases, a contract is established between OVHcloud and the subcontractor, and appropriate technical and organisational measures are put in place in accordance with Articles 28 and 32 of the UK GDPR.

This Section 4. does not cover the conditions under which OVHcloud is authorised to use sub-processors in the context of Personal Data processing carried out under its customers’ instructions. These conditions are set out in the Appendix “Data Processing Agreement”.

OVHcloud aims to limit the transfer of Personal Data outside the European Union.

Data hosting

For customers of OVHcloud's European entities, hosting of their data within the European Union is always preferred, including when using Processors. However, where such European customers choose services hosted in OVHcloud data centers located outside the European Union, such as in Canada, Australia or Singapore, the Personal Data necessary for the performance of the services may be hosted outside the European Union.

Processing in remote

Due to OVHcloud's international organisation, the data processing activities described in this Policy may be carried out from locations outside the European Union by OVHcloud's Affiliates and third-party service providers as provided in Section 2. D.

This section relates only to data processed by OVHcloud as Controller according to this policy, excluding Personal Data entrusted by customers to OVHcloud which are processed by OVHcloud as a data Processor under customers’ instructions. The conditions to transfer Personal Data processed by OVHcloud under its customers’ instructions are set out in the Annex “Data Processing Agreement”.

When personal data subject to this Policy is transferred (including in the case of remote access) to non-European third countries which are not subject to an adequacy decision of the Secretary of State under section 17A of the Data Protection Act 2018 (“Adequacy Decision”), OVHcloud ensure that appropriate safeguards are implemented, regardless of whether the data importer is an OVHcloud entity or not.

If the importer is an OVHcloud entity, the said appropriate guarantees shall consist of the standard contractual clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Data Protection Act and for the time being in force, or the standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Data Protection Act and for the time being in force (the “Standard Contractual Clauses”).

In this respect, OVHcloud, reserves the right to substitute the said standard contractual clauses with any other appropriate safeguards provided for in Chapter V of the UK GDPR.

In any case, OVHcloud implements technical and organisational measures (such as traceability, access limitation) to protect the transferred data in particular against any unauthorised access or disclosure, and ensures to comply with the UK GDPR, in the event of requests from third-countries authorities to obtain communication of personal data.

OVHcloud may receive requests from judicial, administrative or other authorities which purpose is to obtain communication of personal data in its possession relating to its customers.

In this case, OVHcloud makes reasonable efforts to:

• Check the competence of the requesting authority;
• Only respond to requests that are not obviously invalid;
• If authorised, beforehand inform the data subject to enable him/her to assert his/her rights; and
• Limit communication to what is required by the authority.

In case of requests received from a non-UK authority to obtain communication of data relating to a UK customer, OVHcloud objects to the request, subject to the following cases:

(a) the request is made in accordance with an international agreement, such as a mutual legal assistance treaty, in force between the requesting country and the UK; or

(b) the customer has registered an OVHcloud customer account to an OVHcloud entity which is under the same jurisdiction than the requesting authority; or

(c) in accordance with Article 49 of the UK GDPR, in particular where the application pursues a public interest recognised by Union law or by the law of a Member State of the European Union or is necessary to safeguard vital interests.