Privacy Policy


OVHcloud Personal Data Usage Policy

 

 

If you are a customer, a prospect, a partner, a supplier or if you are a manager, an employee, or an agent of the latter ("Agent(s)") and/or you use a service of OVHcloud, OVH Limited and other OVH Group affiliates (hereinafter "OVHcloud") collect and process personal data relating to you.

This is the case when you visit an OVHcloud website, when you communicate or interact with OVHcloud (by phone, email, via your OVHcloud account, online forms or other communication tools such as Chatbot, live chat, etc.), when you participate to OVHcloud events, or when you use OVHcloud services.

The purpose of this Policy is to describe such processing activities performed on your personal data, as well as the conditions under which we process your personal data.

This policy covers personal data processing performed by OVHcloud as a controller, i.e. those processes for which OVHcloud determines the means and purposes. The processing conditions performed by OVHcloud as a data processor notably under its customers’ instruction are set out in the Appendix “Data Processing Agreement”.

The terms that are defined into the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019  (hereinafter “UK GDPR”), such as “Personal Data”, “Controller”, “Processor”, etc., have the same meaning when they are used in this Policy.

Part I – Description of the personal data processing
Part II – Conditions of personal data processing

Part 1 - Description of personal data processing

1. Contract management

Legal basis: The processing operations described below are necessary for the execution of the contracts concluded by OVHcloud (including the execution of necessary pre-contractual measures), as well as for the management of various requests (such as job application or a request to participate in an event) (Article 6.1b) UK GDPR).

1.1 Contract management for customers, service providers, suppliers and partners

As part of the performance of contracts concluded with customers, services providers, suppliers and partners, OVHcloud processes personal data relating to them or to their agents, and which processing is necessary for managing the contracts thus established.

Service providers, suppliers and partners

The personal data collected by OVHcloud concerning its service providers, suppliers and partners consists essentially of identification data (first name, last name, email address and telephone number) of their agents with whom OVHcloud interacts, as well as the communications and interactions (emails and other electronic messages, activity reports, reports) between them and OVHcloud.

Customers

Customer data collected by OVHcloud includes:

  1. Customer’s identification data (first name, last name, mailing address, email address, telephone number, proof of identity, proof of address, OVHcloud account number or NIC handle)
  2. Communications between the customer and OVHcloud (exchanges such as emails and support tickets relating to the conclusion and execution of the contract, history of requests and responses)
  3. Services consumption data (order and usage history or attempted usage of services)
  4. Method of payment (method of payment used such as credit card number or bank account number, and holder of the method of payment).

When the customer is a legal entity, OVHcloud collects the aforesaid personal data relating to the customer’s agents interacting with OVHcloud.

The aforesaid data are processed for the purpose of management of commercial activities (information and support, commercial proposals, management of orders, management of complaints, invoicing), management of payments, and management of customer accounts.

Details of the personal data processing carried out in connection with the execution of contracts with customers, suppliers, service providers and partners

 
Purposes of processing*Categories of personal dataRetention periodRecipient Categories
Management of commercial activities

Communications

Identification Data

Services consumption data

1 year since the interaction concerned + 4 years in archive

Contract duration (duration of the customer account)

 

OVHcloud (sales, support, finance et invoicing departments).

SEPA direct debit mandate electronic signature service provider

Payment management, ease of purchasingMeans of payment (including the holder)

Single payment; Until full payment is done (+ the disputing payment period)

Service subscription with automatic renewal or pay-as-you-go; until the service is terminated, the payment method expires or is revoked (+ disputing payment period)

The method of payment may be retained beyond the above-mentioned periods with the consent of the holder to facilitate purchases until the consent is withdrawn or the payment method is revoked or expires (+ the disputing payment period)

OVHcloud (Support, Finance and Invoicing department) : Partial data only (truncated number).

Payment services providers

Electronic contract signature service provider

Customer accounts managementIdentification data

Proof of identity and proof of address**

Duration of the customer account

Duration necessary to performed pre-contractual identity check

OVHcloud (Sales and support departments)

OVHcloud Partners***

(*) The above-mentioned data may be processed for other purposes than contract management and retained for other shorter or longer periods, in particular for commercial prospecting purposes (more details in Part 1. 3 "Marketing and sales prospecting activities"), in order to comply with the regulations in force, in particular those applicable to location, traffic data retention, accounting and taxation (more details in Part 1. 4 "Compliance with legal obligations"), as well as for reasons of legitimate interest, in particular in case of litigation or to detect and prevent fraudulent acts (more details in Part 1. 5 "Pursuit of legitimate interests"). 
(**) The proof of identity and proof of address collection is not systematic. It is collected when it is required for the contracting of certain services such as certain domain names or electronic communication services. Proof of identity may also be requested when required by law (more details in Part 1 4. "Compliance with legal obligations") or when there is doubt about the identity of the applicant in order to prevent the risk of fraud (more details in Part 1 5. "Pursuit of legitimate interests"). 
(***) Some services are provided by OVHcloud in collaboration with partners such as registries of domain names marketed by OVHcloud, software license providers or technology partners, to whom some identification data may be communicated. In this case, more details concerning such data processing are specified in the specific conditions applicable to the services concerned.

1.2 Recruitment activities

Within the framework of its recruitment activities, OVHcloud processes candidates’ personal data that are necessary to manage their application(s). Such data are the candidate’s identity and contact details, his/her Curriculum Vitae, the letters, e-mails and documents sent by him/her, the dates and reports of interviews, the salary positioning, the follow-up given to the application, and the type and duration of the proposed contract.

The terms and conditions described in this Policy apply only to the processing of data from applicants, not to OVHcloud employees. The conditions into which OVHcloud employees’ personal data is processed, are described in another data use policy communicated during the hiring process.

Details of the personal data processing carried out in connection with recruitment activities

Purposes of processing*Categories of personal dataRetention periodRecipient Categories

Recruitment

Application data

15 months from the last contact*

OVHcloud (Human resources and recruiting departments)

(*) The above-mentioned data may be retained and processed for a longer period with the consent of the applicant.

1.3 Events management

In case of events organisation, whether physical or online, OVHcloud processes personal data related to the registrants and participants to the event, in particular their identification data (first name, last name, contact information, email address, phone number, company and function within the company) as well as data related to their participation (conferences and workshops in which they are registered and participate). This data is collected to organise the event and to manage the participations (registration, information, itinerary).

Details of the personal data processing carried out in connection with events

Purposes of processing*Categories of personal dataRetention periodRecipient Categories

Organization and management of OVHcloud events

Identification and participation data

Duration of the event + 90 days*

OVHcloud (team in charge of the events organization)

Partners of the event

(*) Subject to the exercise of the data subject's right to object, the data collected may also be processed for 180 days following the event in order to communicate information relating to the event (feedback) or on the organization of future similar events, or for marketing and commercial prospecting purposes under the conditions set out below (more details below in Part 1. 3 "Marketing and business development activities").

2. OVHcloud services delivery

Legal basis: The processing activities described below are necessary to deliver and maintain the OVHcloud services (Article 6.1b) UK GDPR).

In order to deliver and maintain its services, as well as in the context of providing support and assistance to use using those services, OVHcloud collects and processes the following data relating to the customers, the users and the services that they used:

  1. Customer identification data (essentially first name, last name, contact details, customer ID, user ID or NIC handle)
  2. Communications between the Customer or its agents and OVHcloud (exchanges such as emails and support tickets relating to provision and utilization of the services, maintenance operations, potential incidents)
  3. Services identification data (list of services used, characteristics, period of use, location)
  4. Technical data (machines ID, configurations, connection data, status of the services, usage data and event logs).

Since OVHcloud determines the means and purposes of such personal data processing which is carried out as part of its tools and information system, OVHcloud is the data Controller.

This Section 2. does not apply to data that the customers entrust to OVHcloud as part of their utilization of OVHcloud Services, including data hosted by the customers within OVHcloud infrastructures and services; such data being processed by OVHcloud as a Processor under its customers’ instruction in the conditions provided in the Appendix “Data Processing Agreement”.

Details of the personal data processing carried out for the purpose of OVHcloud services delivery

Purposes of processing*Categories of personal data processedRetention periodRecipient Categories

Support and assistance to services utilization
 
Maintenance of the services

Incident management

Customers identification

Services Identification

Communications    

Technical data

Duration of the contract (duration of the customer account)

1 year from the communication + 4 years in archive

Duration of service use

OVHcloud (support and product teams)

OVHcloud Partners**

(*) The above-mentioned data may be processed for other purposes than the execution of the services and retained for other shorter or longer periods, in particular to comply with the regulations in force, notably those applicable to localization, retention of traffic data, accounting and taxation (more details hereafter Part 1. 4 "Compliance with legal obligations") as well as for reasons of legitimate interest, in particular to ensure the security of the services or in case of litigation (more details hereafter Part 1. 5 "Pursuit of legitimate interests").
(**) Some services are provided by OVHcloud in collaboration with partners such as registries of domain names marketed by OVHcloud, software license providers or technology partners, to whom some identification data may be communicated. In this case, more details concerning such data processing are specified in the specific conditions applicable to the services concerned.

3. Marketing and commercial prospection activities

Legal basis: The personal data processing activities described below are carried out based on either the legitimate interest of OVHcloud to promote its services and develop its activities, or the consent of the data subjects(in particular customers and prospects) (Articles 6.1 a) and f) UK GDPR).

As part of its commercial activities, OVHcloud processes data relating to its customers and prospects (and their agents) to communicate to them information about its the activities and the activities of its partners, propose services, and invite them to events.

The data subjects concerned may be customers (i.e. individuals who use OVHcloud services or have just opened an OVHcloud customer account), or individual who are not OVHcloud customer but may be interested in OVHcloud activities or services, due to their professional activities or because they get in touch with OVHcloud through its websites, during an event.

Processing requiring the consent of data subjects (such as commercial actions not related to the data subject’s professional activities or to services already used by him or her) is carried out if the data subject has given his or her free, specific, informed and unambiguous consent. When the collection of consent is carried out online, in particular when opening an OVHcloud customer account, registering for an event, or sending a request via a form, a specific check box called "opt in" is used. When the collection of the consent is operated off-line, a process, such as oral presentation, or via paper form, of the purpose and conditions of the data collection, and a request for the express consent of the data subject is implemented.

Concerning processing carried out based on legitimate interests (in particular commercial actions related to the professional activities or services already used by the data subject), OVHcloud takes care to respect the data subject's right of opposition and ensures that this right can be easily exercised in the context of each communication that is sent.

OVHcloud may also contact data subjects whose contact details have been communicated by partners. In this case, OVHcloud ensures that the partners undertake that the personal data has been collected according to applicable law, and that the data subjects have consented to their data being communicated for the purposes of promotion and commercial prospecting.

For business contacts, OVHcloud ensures that the services offered to them are related to their business activity, and that they can exercise their right to object at any time and in an effective way.

Subject to comply with the data subject’s rights, the processing carried out in the context of marketing and commercial prospection activities shall cover the following data:

  1. Identification data (first name, last name, contact details, email address)
  2. Internet navigation data (IP address, User ID, websites navigation history)
  3. Data subject area of interests (data relating to services use, order history, consumption habits, participation to event)
  4. Data subject’s interactions with OVHcloud (request, “call to action”).

For more information on cookies and information collected by OVHcloud concerning users of its websites, please see the OVHcloud Cookie Policy.

Details of the personal data processing carried out by OVHcloud for marketing and commercial prospecting purposes

Purposes of processingCategories of personal data processedRetention periodRecipient Categories

Commercial prospection and communication of information about OVHcloud’s and Partners’ activities, services and events

Identification

Area of interest

Interactions

Until the consent is withdrawn (for processing based on consent of the data subject)

OVHcloud (Sales and marketing departments)

OVHcloud Partners (dedicated consent in collection forms)

Processing of requests for information about the services sent via online formsIdentification

Content of the request

Duration of the request processing + 1 year

OVHcloud (Sales and support departments)

OVHcloud Partners (if concerned by the request)

Cookies and other trackers

Internet navigation data

See « OVHcloud cookies policy »

 
Mailing lists management

Identification data

Until the consent is withdrawn (for processing based on consent of the data subject).

Until the right of opposition is exercised or at the latest until the last contact initiated by the Customer + 36 months (for processing based on legitimate interest)

OVHcloud (marketing and products department)

OVHcloud websites management

Data published on the websites (interviews, posts, photos, vidéo).

Until withdrawal of consent, exercise of right of opposition or end of use

Public (websites users)

Details of the processing carried out by OVHcloud to comply with its legal obligations

Purposes of processingCategories of personal data processedRetention periodRecipient Categories

Maintenance of general and ancillary accounts

Orders and consumption history

Accounting documents (invoices, credit notes,, etc.).

Payment and transaction history

10 years following the event (order, service utilisation, payment, etc.)

OVHcloud (Finance and accounting department)

Payment services providers

Tax administration

Identification of the users of websites hosted by OVHcloud and electronic communication services provided by OVHcloud

Identification data (including proof of identity and proof of address when required)

Technical data relating to the use of the services

Pursuant to applicable law

OVHcloud (Product, legal and security department)

Secure data processing activities, services and infrastructures

Technical data relating to the use of the services

Depending on the risk assessment

OVHcloud (Security and product departments)

OVHcloud Partners

Processing requests made within judicial and administrative procedures

Identification data

Data relating to the services ordered and to their utilisation

5 years in archive from the closing of request, or any longer applicable prescription period.

OVHcloud (Legal Department)

Administrative and judicial authorities

Processing requests sent to the data protection officer

Identification data

Communications (request/answer)

Proof of identity (when there is a doubt concerning the identity of the requestor)

5 years in archive from the closing of request

1 year in archive from the closing of request

OVHcloud (Support and legal departments)

Processing of personal data breaches

Data that has been subjected to the breach and data subject impacted

5 years from the breach

OVHcloud (Legal and security departments)

Administrative and judicial authorities

5. The pursuit of legitimate interests

Legal basis: Processing necessary to safeguard vital interests, and processing necessary for the purposes of legitimate interests pursued by OVHcloud or by a third party (Article 6.1.f) UK GDPR)

OVHcloud may be required to carry out processing operations necessary to safeguard the vital interests of the data subject or another natural person, or necessary for the purposes of the legitimate interests pursued by OVHcloud.

When processing data necessary for the purposes of legitimate interests, OVHcloud shall ensure that the interests or fundamental freedoms and rights of the data subject do not take precedence over such legitimate interests, and that the processing carried out is compatible and has a link with the services provided to the data subject and the purposes for which the data was originally collected.

Processing carried out by OVHcloud for the purpose of legitimate interests includes processing carried out to ensure the security of services, combat fraud, and manage outstanding payments.

Details of the processing carried out by OVHcloud for legitimate interests

Purposes of processingCategories of personal data processedRetention periodRecipient Categories

Secure OVHcloud data processing, services and infrastructures

Technical data relating to the use of the services

Depending on the risk assessment

OVHcloud (Security and product departments)

Authorities

OVHcloud Partners

Anonymisation for research and development, improvement, reporting or statisticsPotentially any data subject to this policyDuration of anonymisation operationOVHcloud
Conducting customer satisfaction surveys, customer studies, product testing, services improvement

Identification data of customers and users of services

Feedback

Order history

Service usage data

Data related to the use of the customer support

1 yearOVHcloud (Support, Product and marketing departments)
Managing of non-payment

Identification data

Financial data

Payment data

Order History

5 years from the non-payment incident

OVHcloud (support, legal and finance department)

Collection service provider(s)

Fraud detection and prevention

Identification data

Order and payment history

Banking data

Location data

Connection data

Scoring

Proof of identity and proof of address (when there is a doubt concerning the identity of the requestor)

Depending on the risk and the result of the Fraud analysis (maximum 5 years)

Depending on the risk and the result of the Fraud analysis (maximum 12 months)

OVHcloud (fraud prevention teams, legal and financial departments)

Payment service providers

Creation of evidence for claims or litigation

Identification data

Communications

Order history

Payment history

Service usage data

Duration of the prescription period

In case of procedure, until the achievement and the exhaustion of all the possibilities of appeals or recourses

OVHcloud (Support, legal and financial department)

External counsel

Training and evaluation of employees, improvement of quality of service)

Identification data

Call report

Evaluation report

Call recordings (subject to the right of opposition)

1 year following each event

6 months from the recording

OVHcloud

(Support, training and quality teams)

1. OVHcloud commitments

As part of the processing covered by this policy, OVHcloud complies, as a Controller, with the regulations in force, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as well as any domestic laws and regulations of the United Kingdom that may apply to such processing, in particular Data Protection Act 2018.

As such, OVHcloud commits to:

  • Collect only personal data necessary for the above purposes;
  • Implement processes to ensure the accuracy and updating of the data used in such processing, and erasure when the data is not anymore necessary;
  • Not processing personal data in its possession for purposes other than those mentioned in this Policy, except to obtain the consent of the persons concerned, or to inform them in case of processing based on another legal basis than consent;
  • Document the processing within a register and carry out any required data processing impact assessment;
  • Set up a process to manage incidents and data breaches, and in the event of a breach, notify the competent authorities in accordance with Article 33 of the UK GDPR, and inform the data subjects, in accordance with Article 34 of the UK GDPR, when the breach is likely to present a high risk to their rights and freedoms; and
  • Implement technical and organisational measures to protect personal data against security risks, as defined in OVHcloud’s Information System Security Policy.

2. Technical and organisational security measures

Personal data protection is integrated into OVHcloud’s information security program for which OVHcloud intends to achieve the following objectives:

  • Deployment of an industrial, large-scale approach to security
  • Positioning OVHcloud as a trusted player in the ecosystem
  • Operate a secure cloud for everyone
  • Implementation of Information Security Management Systems (ISMS) and Personal Information Management System (PIMS)
  • Risk-based approach to safety
  • Evidencing security through certification, internal control and external audit
  • Unified response to security incidents and personal data breaches
  • Integrating security and privacy issues into products development
  • Safety assessment and continuous improvement.

These elements are detailed in OVHcloud’s Information System Security Policy.

3. Anonymisation

OVHcloud reserves the right to anonymise the data covered by this Policy, i.e. to modify it so that it no longer allows the data subject to be identified, even indirectly, and to reuse it in this anonymised form only.

OVHcloud strives to apply the following anonymisation principles:

  1. The impossibility of isolating an individual within a larger group on the basis of the data;
  2. The impossibility of linking two records concerning the same person; and
  3. The impossibility to infer, with high probability, unknown information about a person.

Since the anonymised data is no longer personal data, OVHcloud reserves the right to store and use it for purposes other than those set out in this Policy, in particular, but not limited to statistics, new or improved services, marketing analysis and business strategies.

4. Subcontracting

OVHcloud Affiliates, with the exception of US-based entities, may participate in the data processing covered by this Policy, carried out by OVHcloud as a data Controller.

OVHcloud also relies on third-party providers such as security service providers, network providers, providers of internal applications and tools, payment service providers, marketing analysts, web analysts, email solution providers, satisfaction surveys, consultancy companies, auditors, etc. acting as data “processors” under OVHcloud instructions.

OVHcloud ensures that its Processors undertake to comply with the regulations in force, and to implement appropriate technical and organisational measures to ensure the protection of the Personal Data that they are required to process under OVHcloud instructions. In particular, OVHcloud ensures that the Processors only have access to the data necessary to carry out their tasks.

Furthermore, when using third-party software solutions to process data related to the use and delivery of its services (including ticketing and support management tools, tools used for provisioning and maintenance, and even a business relationship management solution), OVHcloud prefers on-premises solutions hosted on its own infrastructures.

In all cases, a contract is established between OVHcloud and the subcontractor, and appropriate technical and organisational measures are put in place in accordance with Articles 28 and 32 of the UK GDPR.

This Section 4. does not cover the conditions under which OVHcloud is authorised to use sub-processors in the context of Personal Data processing carried out under its customers’ instructions. These conditions are set out in the Appendix “Data Processing Agreement”.

5. Data transfers outside the European Union

OVHcloud aims to limit the transfer of Personal Data outside the European Union.

Data hosting

For customers of OVHcloud's European entities, hosting of their data within the European Union is always preferred, including when using Processors. However, where such European customers choose services hosted in OVHcloud data centers located outside the European Union, such as in Canada, Australia or Singapore, the Personal Data necessary for the performance of the services may be hosted outside the European Union.

Processing in remote

Due to OVHcloud's international organisation, the data processing activities described in this Policy may be carried out from locations outside the European Union by OVHcloud's Affiliates and third-party service providers as provided in Section 2. D.

This section relates only to data processed by OVHcloud as Controller according to this policy, excluding Personal Data entrusted by customers to OVHcloud which are processed by OVHcloud as a data Processor under customers’ instructions. The conditions to transfer Personal Data processed by OVHcloud under its customers’ instructions are set out in the Annex “Data Processing Agreement”.

When personal data subject to this Policy is transferred (including in the case of remote access) to non-European third countries which are not subject to an adequacy decision of the Secretary of State under section 17A of the Data Protection Act 2018 (“Adequacy Decision”), OVHcloud ensure that appropriate safeguards are implemented, regardless of whether the data importer is an OVHcloud entity or not.

If the importer is an OVHcloud entity, the said appropriate guarantees shall consist of the standard contractual clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Data Protection Act and for the time being in force, or the standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Data Protection Act and for the time being in force (the “Standard Contractual Clauses”).

In this respect, OVHcloud, reserves the right to substitute the said standard contractual clauses with any other appropriate safeguards provided for in Chapter V of the UK GDPR.

In any case, OVHcloud implements technical and organisational measures (such as traceability, access limitation) to protect the transferred data in particular against any unauthorised access or disclosure, and ensures to comply with the UK GDPR, in the event of requests from third-countries authorities to obtain communication of personal data.

6. Processing of requests from authorities

OVHcloud may receive requests from judicial, administrative or other authorities which purpose is to obtain communication of personal data in its possession relating to its customers.

In this case, OVHcloud makes reasonable efforts to:

  1.  Check the competence of the requesting authority;
  2.  Only respond to requests that are not obviously invalid;
  3.  If authorised, beforehand inform the data subject to enable him/her to assert his/her rights; and
  4.  Limit communication to what is required by the authority.

In case of requests received from a non-UK authority to obtain communication of data relating to a UK customer, OVHcloud objects to the request, subject to the following cases:

(a) the request is made in accordance with an international agreement, such as a mutual legal assistance treaty, in force between the requesting country and the UK; or

(b) the customer has registered an OVHcloud customer account to an OVHcloud entity which is under the same jurisdiction than the requesting authority; or

(c) in accordance with Article 49 of the UK GDPR, in particular where the application pursues a public interest recognised by Union law or by the law of a Member State of the European Union or is necessary to safeguard vital interests.

7. Rights of data subjects

In accordance with the UK GDPR, you have the right to access the aforementioned Personal Data relating to you, as well as the right to rectify it, request its deletion and portability, and the right to limit or oppose to certain processing. Where processing is based on consent, you also have the right to withdraw consent at any time.

These rights can be exercised by using the form provided for this purpose on the OVHcloud Website, or by mail to: OVH SAS, Data Protection Officer, 2 rue Kellermann, 59100 Roubaix, France.

In accordance with Article 12 of the UK GDPR, each request must be accompanied by the information required to prove your identity. Each request will be answered without undue delay and in any event in accordance with the said article 12. Where there is reasonable doubt as to the identity of the natural person submitting the request, additional information necessary to confirm the identity of the data subject, including an identity document, may be requested.

If you feel, after contacting us, that your rights have not been respected, you can also address a complaint to the competent data protection authority.