Privacy Policy
OVHcloud Personal Data Usage Policy
If you are a customer, a prospect, a partner, a supplier or if you are a manager, an employee, or an agent of the latter ("Agent(s)") and/or you use a service of OVHcloud, OVH Limited and other OVH Group affiliates (hereinafter "OVHcloud") collect and process personal data relating to you.
This is the case when you visit an OVHcloud website, when you communicate or interact with OVHcloud (by phone, email, via your OVHcloud account, online forms or other communication tools such as Chatbot, live chat, etc.), when you participate to OVHcloud events, or when you use OVHcloud services.
The purpose of this Policy is to describe such processing activities performed on your personal data, as well as the conditions under which we process your personal data.
This policy covers personal data processing performed by OVHcloud as a controller, i.e. those processes for which OVHcloud determines the means and purposes. The processing conditions performed by OVHcloud as a data processor notably under its customers’ instruction are set out in the Appendix “Data Processing Agreement”.
The terms that are defined into the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (hereinafter “UK GDPR”), such as “Personal Data”, “Controller”, “Processor”, etc., have the same meaning when they are used in this Policy.
Part I – Description of the personal data processing
Part II – Conditions of personal data processing
Part 1 - Description of personal data processing
OVHcloud processes your personal data for specific purposes:
1. Contract management
Legal basis: The processing operations described below are necessary for the execution of the contracts concluded by OVHcloud (including the execution of necessary pre-contractual measures), as well as for the management of various requests (such as job application or a request to participate in an event) (Article 6.1b) UK GDPR).
1.1 Contract management for customers, service providers, suppliers and partners
As part of the performance of contracts concluded with customers, services providers, suppliers and partners, OVHcloud processes personal data relating to them or to their agents, and which processing is necessary for managing the contracts thus established.
Service providers, suppliers and partners
The personal data collected by OVHcloud concerning its service providers, suppliers and partners consists essentially of identification data (first name, last name, email address and telephone number) of their agents with whom OVHcloud interacts, as well as the communications and interactions (emails and other electronic messages, activity reports, reports) between them and OVHcloud.
Customers
Customer data collected by OVHcloud includes:
- Customer’s identification data (first name, last name, mailing address, email address, telephone number, proof of identity, proof of address, OVHcloud account number or NIC handle)
- Communications between the customer and OVHcloud (exchanges such as emails and support tickets relating to the conclusion and execution of the contract, history of requests and responses)
- Services consumption data (order and usage history or attempted usage of services)
- Method of payment (method of payment used such as credit card number or bank account number, and holder of the method of payment).
When the customer is a legal entity, OVHcloud collects the aforesaid personal data relating to the customer’s agents interacting with OVHcloud.
The aforesaid data are processed for the purpose of management of commercial activities (information and support, commercial proposals, management of orders, management of complaints, invoicing), management of payments, and management of customer accounts.
Details of the personal data processing carried out in connection with the execution of contracts with customers, suppliers, service providers and partners
Purposes of processing* | Categories of personal data | Retention period | Recipient Categories |
Management of commercial activities | Communications Identification Data Services consumption data | 1 year since the interaction concerned + 4 years in archive Contract duration (duration of the customer account)
| OVHcloud (sales, support, finance et invoicing departments). |
Payment management, ease of purchasing | Means of payment (including the holder) | Single payment; Until full payment is done (+ the disputing payment period) Service subscription with automatic renewal or pay-as-you-go; until the service is terminated, the payment method expires or is revoked (+ disputing payment period) The method of payment may be retained beyond the above-mentioned periods with the consent of the holder to facilitate purchases until the consent is withdrawn or the payment method is revoked or expires (+ the disputing payment period) | OVHcloud (Support, Finance and Invoicing department) : Partial data only (truncated number). Payment services providers |
Customer accounts management | Identification data Proof of identity and proof of address** | Duration of the customer account Duration necessary to performed pre-contractual identity check | OVHcloud (Sales and support departments) OVHcloud Partners*** |
(*) The above-mentioned data may be processed for other purposes than contract management and retained for other shorter or longer periods, in particular for commercial prospecting purposes (more details in Part 1. 3 "Marketing and sales prospecting activities"), in order to comply with the regulations in force, in particular those applicable to location, traffic data retention, accounting and taxation (more details in Part 1. 4 "Compliance with legal obligations"), as well as for reasons of legitimate interest, in particular in case of litigation or to detect and prevent fraudulent acts (more details in Part 1. 5 "Pursuit of legitimate interests").
(**) The proof of identity and proof of address collection is not systematic. It is collected when it is required for the contracting of certain services such as certain domain names or electronic communication services. Proof of identity may also be requested when required by law (more details in Part 1 4. "Compliance with legal obligations") or when there is doubt about the identity of the applicant in order to prevent the risk of fraud (more details in Part 1 5. "Pursuit of legitimate interests").
(***) Some services are provided by OVHcloud in collaboration with partners such as registries of domain names marketed by OVHcloud, software license providers or technology partners, to whom some identification data may be communicated. In this case, more details concerning such data processing are specified in the specific conditions applicable to the services concerned.
1.2 Recruitment activities
Within the framework of its recruitment activities, OVHcloud processes candidates’ personal data that are necessary to manage their application(s). Such data are the candidate’s identity and contact details, his/her Curriculum Vitae, the letters, e-mails and documents sent by him/her, the dates and reports of interviews, the salary positioning, the follow-up given to the application, and the type and duration of the proposed contract.
The terms and conditions described in this Policy apply only to the processing of data from applicants, not to OVHcloud employees. The conditions into which OVHcloud employees’ personal data is processed, are described in another data use policy communicated during the hiring process.
Details of the personal data processing carried out in connection with recruitment activities
Purposes of processing* | Categories of personal data | Retention period | Recipient Categories |
Recruitment | Application data | 15 months from the last contact* | OVHcloud (Human resources and recruiting departments) |
1.3 Events management
In case of events organisation, whether physical or online, OVHcloud processes personal data related to the registrants and participants to the event, in particular their identification data (first name, last name, contact information, email address, phone number, company and function within the company) as well as data related to their participation (conferences and workshops in which they are registered and participate). This data is collected to organise the event and to manage the participations (registration, information, itinerary).
Details of the personal data processing carried out in connection with events
Purposes of processing* | Categories of personal data | Retention period | Recipient Categories |
Organization and management of OVHcloud events | Identification and participation data | Duration of the event + 90 days* | OVHcloud (team in charge of the events organization) Partners of the event |
(*) Subject to the exercise of the data subject's right to object, the data collected may also be processed for 180 days following the event in order to communicate information relating to the event (feedback) or on the organization of future similar events, or for marketing and commercial prospecting purposes under the conditions set out below (more details below in Part 1. 3 "Marketing and business development activities").
2. OVHcloud services delivery
Legal basis: The processing activities described below are necessary to deliver and maintain the OVHcloud services (Article 6.1b) UK GDPR).
In order to deliver and maintain its services, as well as in the context of providing support and assistance to use using those services, OVHcloud collects and processes the following data relating to the customers, the users and the services that they used:
- Customer identification data (essentially first name, last name, contact details, customer ID, user ID or NIC handle)
- Communications between the Customer or its agents and OVHcloud (exchanges such as emails and support tickets relating to provision and utilization of the services, maintenance operations, potential incidents)
- Services identification data (list of services used, characteristics, period of use, location)
- Technical data (machines ID, configurations, connection data, status of the services, usage data and event logs).
Since OVHcloud determines the means and purposes of such personal data processing which is carried out as part of its tools and information system, OVHcloud is the data Controller.
This Section 2. does not apply to data that the customers entrust to OVHcloud as part of their utilization of OVHcloud Services, including data hosted by the customers within OVHcloud infrastructures and services; such data being processed by OVHcloud as a Processor under its customers’ instruction in the conditions provided in the Appendix “Data Processing Agreement”.
Details of the personal data processing carried out for the purpose of OVHcloud services delivery
Purposes of processing* | Categories of personal data processed | Retention period | Recipient Categories |
Support and assistance to services utilization | Customers identification | Duration of the contract (duration of the customer account) | OVHcloud (support and product teams) |
(*) The above-mentioned data may be processed for other purposes than the execution of the services and retained for other shorter or longer periods, in particular to comply with the regulations in force, notably those applicable to localization, retention of traffic data, accounting and taxation (more details hereafter Part 1. 4 "Compliance with legal obligations") as well as for reasons of legitimate interest, in particular to ensure the security of the services or in case of litigation (more details hereafter Part 1. 5 "Pursuit of legitimate interests").
(**) Some services are provided by OVHcloud in collaboration with partners such as registries of domain names marketed by OVHcloud, software license providers or technology partners, to whom some identification data may be communicated. In this case, more details concerning such data processing are specified in the specific conditions applicable to the services concerned.
3. Marketing and commercial prospection activities
Legal basis: The personal data processing activities described below are carried out based on either the legitimate interest of OVHcloud to promote its services and develop its activities, or the consent of the data subjects(in particular customers and prospects) (Articles 6.1 a) and f) UK GDPR).
As part of its commercial activities, OVHcloud processes data relating to its customers and prospects (and their agents) to communicate to them information about its the activities and the activities of its partners, propose services, and invite them to events.
The data subjects concerned may be customers (i.e. individuals who use OVHcloud services or have just opened an OVHcloud customer account), or individual who are not OVHcloud customer but may be interested in OVHcloud activities or services, due to their professional activities or because they get in touch with OVHcloud through its websites, during an event.
Processing requiring the consent of data subjects (such as commercial actions not related to the data subject’s professional activities or to services already used by him or her) is carried out if the data subject has given his or her free, specific, informed and unambiguous consent. When the collection of consent is carried out online, in particular when opening an OVHcloud customer account, registering for an event, or sending a request via a form, a specific check box called "opt in" is used. When the collection of the consent is operated off-line, a process, such as oral presentation, or via paper form, of the purpose and conditions of the data collection, and a request for the express consent of the data subject is implemented.
Concerning processing carried out based on legitimate interests (in particular commercial actions related to the professional activities or services already used by the data subject), OVHcloud takes care to respect the data subject's right of opposition and ensures that this right can be easily exercised in the context of each communication that is sent.
OVHcloud may also contact data subjects whose contact details have been communicated by partners. In this case, OVHcloud ensures that the partners undertake that the personal data has been collected according to applicable law, and that the data subjects have consented to their data being communicated for the purposes of promotion and commercial prospecting.
For business contacts, OVHcloud ensures that the services offered to them are related to their business activity, and that they can exercise their right to object at any time and in an effective way.
Subject to comply with the data subject’s rights, the processing carried out in the context of marketing and commercial prospection activities shall cover the following data:
- Identification data (first name, last name, contact details, email address)
- Internet navigation data (IP address, User ID, websites navigation history)
- Data subject area of interests (data relating to services use, order history, consumption habits, participation to event)
- Data subject’s interactions with OVHcloud (request, “call to action”).
For more information on cookies and information collected by OVHcloud concerning users of its websites, please see the OVHcloud Cookie Policy.
Details of the personal data processing carried out by OVHcloud for marketing and commercial prospecting purposes
Purposes of processing | Categories of personal data processed | Retention period | Recipient Categories |
Commercial prospection and communication of information about OVHcloud’s and Partners’ activities, services and events | Identification | Until the consent is withdrawn (for processing based on consent of the data subject) | OVHcloud (Sales and marketing departments) |
Processing of requests for information about the services sent via online forms | Identification Content of the request | Duration of the request processing + 1 year | OVHcloud (Sales and support departments) OVHcloud Partners (if concerned by the request) |
Cookies and other trackers | Internet navigation data | See « OVHcloud cookies policy » | |
Mailing lists management | Identification data | Until the consent is withdrawn (for processing based on consent of the data subject). Until the right of opposition is exercised or at the latest until the last contact initiated by the Customer + 36 months (for processing based on legitimate interest) | OVHcloud (marketing and products department) |
OVHcloud websites management | Data published on the websites (interviews, posts, photos, vidéo). | Until withdrawal of consent, exercise of right of opposition or end of use | Public (websites users) |
4. Compliance with legal obligations
Legal basis: The personal data processing activities described below are carried out to comply with legal obligations (Article 6.1.c) UK GDPR).
As part of its activities, OVHcloud is subjected to some legal obligations which require the processing of personal data.
Thus, to comply with its accounting and fiscal obligations, OVHcloud has to process data and retain evidence of the orders placed by its customers and the relevant transactions and payment.
Similarly, to ensure the security of its services, in accordance with the provisions of Article 32 of the UK GDPR, as well as to comply with its obligations as a public communications provider pursuant to Article 2 of the Privacy and Electronic Communications Regulations 2003, OVHcloud retains identification data (first name, last name, user ID, customer ID, proof of identity, proof of address) as well as technical data related to the use of the services (traffic and localisation data, connection and event logs).
OVHcloud also has the obligation to respond to requests data subjects exercising theirs rights with respect to the processing of their personal data, or to certain requests from courts and judicial or administrative authorities to provide information, or to report certain data breaches, which may involve personal data.
Details of the processing carried out by OVHcloud to comply with its legal obligations
Purposes of processing | Categories of personal data processed | Retention period | Recipient Categories |
Maintenance of general and ancillary accounts | Orders and consumption history | 10 years following the event (order, service utilisation, payment, etc.) | OVHcloud (Finance and accounting department) |
Identification of the users of websites hosted by OVHcloud and electronic communication services provided by OVHcloud | Identification data (including proof of identity and proof of address when required) Technical data relating to the use of the services | Pursuant to applicable law | OVHcloud (Product, legal and security department) |
Secure data processing activities, services and infrastructures | Technical data relating to the use of the services | Depending on the risk assessment | OVHcloud (Security and product departments) OVHcloud Partners |
Processing requests made within judicial and administrative procedures | Identification data Data relating to the services ordered and to their utilisation | 5 years in archive from the closing of request, or any longer applicable prescription period. | OVHcloud (Legal Department) Administrative and judicial authorities |
Processing requests sent to the data protection officer | Identification data Communications (request/answer) Proof of identity (when there is a doubt concerning the identity of the requestor) | 5 years in archive from the closing of request 1 year in archive from the closing of request | OVHcloud (Support and legal departments) |
Processing of personal data breaches | Data that has been subjected to the breach and data subject impacted | 5 years from the breach | OVHcloud (Legal and security departments) Administrative and judicial authorities |
5. The pursuit of legitimate interests
Legal basis: Processing necessary to safeguard vital interests, and processing necessary for the purposes of legitimate interests pursued by OVHcloud or by a third party (Article 6.1.f) UK GDPR)
OVHcloud may be required to carry out processing operations necessary to safeguard the vital interests of the data subject or another natural person, or necessary for the purposes of the legitimate interests pursued by OVHcloud.
When processing data necessary for the purposes of legitimate interests, OVHcloud shall ensure that the interests or fundamental freedoms and rights of the data subject do not take precedence over such legitimate interests, and that the processing carried out is compatible and has a link with the services provided to the data subject and the purposes for which the data was originally collected.
Processing carried out by OVHcloud for the purpose of legitimate interests includes processing carried out to ensure the security of services, combat fraud, and manage outstanding payments.
Details of the processing carried out by OVHcloud for legitimate interests
Purposes of processing | Categories of personal data processed | Retention period | Recipient Categories |
Secure OVHcloud data processing, services and infrastructures | Technical data relating to the use of the services | Depending on the risk assessment | OVHcloud (Security and product departments) |
Anonymisation for research and development, improvement, reporting or statistics | Potentially any data subject to this policy | Duration of anonymisation operation | OVHcloud |
Conducting customer satisfaction surveys, customer studies, product testing, services improvement | Identification data of customers and users of services Feedback Order history Service usage data | 1 year | OVHcloud (Support, Product and marketing departments) |
Managing of non-payment | Identification data Financial data Payment data Order History | 5 years from the non-payment incident | OVHcloud (support, legal and finance department) Collection service provider(s) |
Fraud detection and prevention | Identification data Order and payment history Banking data Location data Connection data Proof of identity and proof of address (when there is a doubt concerning the identity of the requestor) | Depending on the risk and the result of the Fraud analysis (maximum 5 years) Depending on the risk and the result of the Fraud analysis (maximum 12 months) | OVHcloud (fraud prevention teams, legal and financial departments) Payment service providers |
Creation of evidence for claims or litigation | Identification data Communications Order history Payment history Service usage data | Duration of the prescription period In case of procedure, until the achievement and the exhaustion of all the possibilities of appeals or recourses | OVHcloud (Support, legal and financial department) External counsel |
Training and evaluation of employees, improvement of quality of service) | Identification data Call report Evaluation report Call recordings (subject to the right of opposition) | 1 year following each event 6 months from the recording | OVHcloud (Support, training and quality teams) |
Part II - Conditions for carrying out processing
1. OVHcloud commitments
As part of the processing covered by this policy, OVHcloud complies, as a Controller, with the regulations in force, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as well as any domestic laws and regulations of the United Kingdom that may apply to such processing, in particular Data Protection Act 2018.
As such, OVHcloud commits to:
- Collect only personal data necessary for the above purposes;
- Implement processes to ensure the accuracy and updating of the data used in such processing, and erasure when the data is not anymore necessary;
- Not processing personal data in its possession for purposes other than those mentioned in this Policy, except to obtain the consent of the persons concerned, or to inform them in case of processing based on another legal basis than consent;
- Document the processing within a register and carry out any required data processing impact assessment;
- Set up a process to manage incidents and data breaches, and in the event of a breach, notify the competent authorities in accordance with Article 33 of the UK GDPR, and inform the data subjects, in accordance with Article 34 of the UK GDPR, when the breach is likely to present a high risk to their rights and freedoms; and
- Implement technical and organisational measures to protect personal data against security risks, as defined in OVHcloud’s Information System Security Policy.
2. Technical and organisational security measures
Personal data protection is integrated into OVHcloud’s information security program for which OVHcloud intends to achieve the following objectives:
- Deployment of an industrial, large-scale approach to security
- Positioning OVHcloud as a trusted player in the ecosystem
- Operate a secure cloud for everyone
- Implementation of Information Security Management Systems (ISMS) and Personal Information Management System (PIMS)
- Risk-based approach to safety
- Evidencing security through certification, internal control and external audit
- Unified response to security incidents and personal data breaches
- Integrating security and privacy issues into products development
- Safety assessment and continuous improvement.
These elements are detailed in OVHcloud’s Information System Security Policy.
3. Anonymisation
OVHcloud reserves the right to anonymise the data covered by this Policy, i.e. to modify it so that it no longer allows the data subject to be identified, even indirectly, and to reuse it in this anonymised form only.
OVHcloud strives to apply the following anonymisation principles:
- The impossibility of isolating an individual within a larger group on the basis of the data;
- The impossibility of linking two records concerning the same person; and
- The impossibility to infer, with high probability, unknown information about a person.
Since the anonymised data is no longer personal data, OVHcloud reserves the right to store and use it for purposes other than those set out in this Policy, in particular, but not limited to statistics, new or improved services, marketing analysis and business strategies.
4. Subcontracting
OVHcloud Affiliates, with the exception of US-based entities, may participate in the data processing covered by this Policy, carried out by OVHcloud as a data Controller.
OVHcloud also relies on third-party providers such as security service providers, network providers, providers of internal applications and tools, payment service providers, marketing analysts, web analysts, email solution providers, satisfaction surveys, consultancy companies, auditors, etc. acting as data “processors” under OVHcloud instructions.
OVHcloud ensures that its Processors undertake to comply with the regulations in force, and to implement appropriate technical and organisational measures to ensure the protection of the Personal Data that they are required to process under OVHcloud instructions. In particular, OVHcloud ensures that the Processors only have access to the data necessary to carry out their tasks.
Furthermore, when using third-party software solutions to process data related to the use and delivery of its services (including ticketing and support management tools, tools used for provisioning and maintenance, and even a business relationship management solution), OVHcloud prefers on-premises solutions hosted on its own infrastructures.
In all cases, a contract is established between OVHcloud and the subcontractor, and appropriate technical and organisational measures are put in place in accordance with Articles 28 and 32 of the UK GDPR.
This Section 4. does not cover the conditions under which OVHcloud is authorised to use sub-processors in the context of Personal Data processing carried out under its customers’ instructions. These conditions are set out in the Appendix “Data Processing Agreement”.
5. Data transfers outside the European Union
OVHcloud aims to limit the transfer of Personal Data outside the European Union.
Data hosting
For customers of OVHcloud's European entities, hosting of their data within the European Union is always preferred, including when using Processors. However, where such European customers choose services hosted in OVHcloud data centers located outside the European Union, such as in Canada, Australia or Singapore, the Personal Data necessary for the performance of the services may be hosted outside the European Union.
Processing in remote
Due to OVHcloud's international organisation, the data processing activities described in this Policy may be carried out from locations outside the European Union by OVHcloud's Affiliates and third-party service providers as provided in Section 2. D.
This section relates only to data processed by OVHcloud as Controller according to this policy, excluding Personal Data entrusted by customers to OVHcloud which are processed by OVHcloud as a data Processor under customers’ instructions. The conditions to transfer Personal Data processed by OVHcloud under its customers’ instructions are set out in the Annex “Data Processing Agreement”.
When personal data subject to this Policy is transferred (including in the case of remote access) to non-European third countries which are not subject to an adequacy decision of the Secretary of State under section 17A of the Data Protection Act 2018 (“Adequacy Decision”), OVHcloud ensure that appropriate safeguards are implemented, regardless of whether the data importer is an OVHcloud entity or not.
If the importer is an OVHcloud entity, the said appropriate guarantees shall consist of the standard contractual clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Data Protection Act and for the time being in force, or the standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Data Protection Act and for the time being in force (the “Standard Contractual Clauses”).
In this respect, OVHcloud, reserves the right to substitute the said standard contractual clauses with any other appropriate safeguards provided for in Chapter V of the UK GDPR.
In any case, OVHcloud implements technical and organisational measures (such as traceability, access limitation) to protect the transferred data in particular against any unauthorised access or disclosure, and ensures to comply with the UK GDPR, in the event of requests from third-countries authorities to obtain communication of personal data.
7. Rights of data subjects
In accordance with the UK GDPR, you have the right to access the aforementioned Personal Data relating to you, as well as the right to rectify it, request its deletion and portability, and the right to limit or oppose to certain processing. Where processing is based on consent, you also have the right to withdraw consent at any time.
These rights can be exercised by using the form provided for this purpose on the OVHcloud Website, or by mail to: OVH SAS, Data Protection Officer, 2 rue Kellermann, 59100 Roubaix, France.
In accordance with Article 12 of the UK GDPR, each request must be accompanied by the information required to prove your identity. Each request will be answered without undue delay and in any event in accordance with the said article 12. Where there is reasonable doubt as to the identity of the natural person submitting the request, additional information necessary to confirm the identity of the data subject, including an identity document, may be requested.
If you feel, after contacting us, that your rights have not been respected, you can also address a complaint to the competent data protection authority.