Personal data protection
OVHcloud’s “Processing of personal data” annexe is evolving
OVHcloud’s “Processing of personal data” annexe (the “DPA”) is evolving in order to take into account new requirements applicable to transfers of personal data outside the European Union, in particular Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the GDPR) adopted by the European Commission on 4 June 2021.
Click here to view the new version of CCA effective September 27, 2021.
Please note that if you use or would like to use OVHcloud services located in non-European datacentres to process personal data subject to the GDPR, the above new standard contractual clauses must be implemented, along with any additional measures that may be required in relation to the relevant data categories, and third-country law or practices. For more information, please contact OVHcloud’s Data Protection Officer.
If you do not process Personal Data subject to the GDPR via OVHcloud Services located in non-European datacentres, the aforementioned change has no impact.
OVH, founded in 1999, is now one of the leading names in the cloud industry, with a presence in 19 countries around the world. We have over 1 million customers and we take customer data and security extremely seriously.
When you decide to outsource some or all of the hosting for the data that your organisation processes to OVH, you are entrusting us with a share of your information assets. We are aware of the issues that this can represent for your company, particularly when it comes to compliance with the relevant data protection regulations. This is why OVH is providing the most complete information possible on issues concerning the protection of personal data.
Regulations that govern personal data protection
There are currently various documents covering data protection in place at the national, international, and European levels. The most important ones are the following:
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealed on 25 May 2018 by Regulation (EU) 2016/679.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Charter of Fundamental Rights of the European Union (2012/C 326/02).
- Convention for the protection of individuals with regard to the automatic processing of personal data.
OVH undertakes to abide by its obligations in accordance with the aforementioned regulations, particularly the General Data Protection Regulations (GDPR). It's this commitment to compliance in particular which means that OVH's customers can also meet some of their own regulatory obligations. We strongly advise all our customers to be particularly vigilant on these aspects of compliance. Other, more specific regulations may exist, including for certain specific categories of personal data. In such cases, organisations are solely responsible for correctly identifying the regulations applicable to their business activities, and achieving compliance with them. Choosing the right provider, especially when it comes to the cloud, is essential if you want to meet your own obligations on protecting personal data.
OVH's Data Protection Officer (DPO): oversees data protection strategy and implementation to ensure compliance with GDPR.
OVH has appointed a DPO, whose role and aims are partly determined by European regulations. The DPO acts as a fully independent internal watchdog, ensuring that OVH's data processing operations are compliant with all applicable European regulations.
Grégory Gitsels - Data Protection Officer
Grégory Gitsels is totally committed to his objectives and has the resources at his disposal to operate completely independently, without any conflicts of interest. He regularly runs awareness and training sessions for the Group's employees and is there to answer their questions on privacy and data protection. He is in charge of implementing a "privacy by design" and "privacy by default" approach, especially for designing new solutions for customers, he liaises with supervisory authorities and more... He is also the first point of contact for any customers who need guarantees for the measures they have implemented in order to conform with applicable regulations, including the GDPR.