OVHcloud Data Privacy Policy

Privacy Policy

Updated 13th April 2023

If you are a customer, a prospect, a partner, a supplier or if you are a manager, an employee or an agent of the latter ("Agent(s)") and/or you use a service of OVHcloud India (hereinafter "OVHcloud") OVHcloud collects and processes Personal Data relating to you.

This is the case when you visit an OVHcloud website, when you communicate or interact with OVHcloud (by phone, email, via your OVHcloud account, online forms or other communication tools such as Chatbot, live chat, etc.), when you participate to OVHcloud events, or when you use OVHcloud services.

The purpose of this OVHcloud Privacy Policy (the “Policy”) is to describe such processing activities performed on your Personal Data, as well as the conditions under which we process your Personal Data. 

This Policy covers Personal Data processing performed by OVHcloud as a “Controller”. “Controller” is defined as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The processing conditions performed by OVHcloud as a Data processor notably under its customers’ instruction are set out in the Appendix “Data Processing Agreement”. 

The terms “Data” and “Information” shall have the meaning ascribed to them under the Information Technology Act, 2000. The term “Personal Data” shall have the meaning ascribed to the term “Personal Information” under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“Privacy Rules”). “Sensitive Personal Data or Information” shall borrow its meaning from Rule 3 of the Privacy Rules. The term “Personal Data” for the purposes of this Agreement shall include “Sensitive Personal Data or Information”. You understand that by providing your Personal Data to OVHcloud, you are exercising an option, as opposed to your obligation, to provide your Personal Data.

Part I - Description of Personal Data Processing

Part II - Conditions of Personal Data Processing

Part I - Description of Personal Data Processing

OVHcloud processes your Personal Data for specific purposes:

A. Contract management

B. Performance of services

C. Marketing and commercial prospecting activities

D. Compliance with legal obligations

E. Pursuit of legitimate interests.

A. Contract management

Legal basis: The processing operations described below are necessary for the execution of the contracts concluded by OVHcloud (including the execution of necessary pre-contractual measures), as well as for the management of various requests (such as job application or a request to participate in an event).

1.1 Contract management for customers, service providers, suppliers and partners

As part of the performance of contracts concluded with customers, services providers, suppliers and partners, OVHcloud processes Personal Data relating to them or to their agents, and which processing is necessary for managing the contracts thus established.
 
Service providers, suppliers and partners
The Personal Data collected by OVHcloud concerning its service providers, suppliers and partners consists essentially of identification data (first name, last name, email address and telephone number) of their agents with whom OVHcloud interacts, as well as the communications and interactions (emails and other electronic messages, activity reports, reports) between them and OVHcloud.
 
Customers
Customer data collected by OVHcloud includes:  
(i)    Customer’s identification data (first name, last name, mailing address, email address, telephone number, proof of identity, proof of address, OVHcloud account number or NIC handle)  
(ii)    Communications between the customer and OVHcloud (exchanges such as emails and support tickets relating to the conclusion and execution of the contract, history of requests and responses)  
(iii)    Services consumption data (order and usage history or attempted usage of services)
(iv)    Method of payment (method of payment used such as credit card number or bank account number, and holder of the method of payment).
 
When the customer is a legal entity, OVHcloud collects the aforesaid Personal Data relating to the customer’s agents interacting with OVHcloud.
 
The aforesaid data is processed for the purpose of management of commercial activities (information and support, commercial proposals, management of orders, management of complaints, invoicing), management of payments, and management of customer accounts.

 

1.2 Recruitment activities

Within the framework of its recruitment activities, OVHcloud processes candidates Personal Data that are necessary to manage their application(s). Such Data comprises of the candidate’s identity and contact details, his/her curriculum vitae, the letters, e-mails and documents sent by him/her, the dates and reports of interviews, the salary positioning, the follow-up given to the application, and the type and duration of the proposed contract.
 
The terms and conditions described in this Policy apply only to the processing of data from applicants for employment, not to OVHcloud employees. The conditions into which OVHcloud employees’ Personal Data is processed, are described in another data use policy communicated during the hiring process.

1.3 Events management

In case of events organisation, whether physical or online, OVHcloud processes Personal Data related to the registrants and participants to the event, in particular their identification data (first name, last name, contact information, email address, phone number, company and function within the company) as well as data related to their participation (conferences and workshops in which they are registered and participate). This data is collected to organise the event and to manage the participations (registration, information, itinerary).

B. OVHcloud services delivery

Legal basis: The processing activities described below are necessary to deliver and maintain the OVHcloud services.
 
In order to deliver and maintain its services, as well as in the context of providing support and assistance to use using those services, OVHcloud collects and processes the following data relating to the customers, the users and the services that they used:  
 
(i)    Customer identification data (essentially first name, last name, contact details, customer ID, user ID or NIC handle)
(ii)    Communications between the Customer or its agents and OVHcloud (exchanges such as emails and support tickets relating to provision and utilization of the services, maintenance operations, potential incidents)
(iii)    Services identification data (list of services used, characteristics, period of use, location)
(iv)    Technical data (machines ID, configurations, connection data, status of the services, usage data and event logs).  
 
Since OVHcloud determines the means and purposes of such Personal Data processing which is carried out as part of its tools and information system, OVHcloud is the Data Controller.
 
This Section B. does not apply to data that the customers entrust to OVHcloud as part of their utilization of OVHcloud Services, including data hosted by the customers within OVHcloud infrastructures and services; such data being processed by OVHcloud as a Processor under its customers’ instruction in the conditions provided in the Appendix “Data Processing Agreement”.
 
Some OVHcloud services are provided in collaboration with partners (such as registries of domain names marketed by OVHcloud, software license providers or technology partners), to whom some data may be communicated. In this case, the conditions into which the partners process Personal Data are specified in the specific conditions applicable to the services concerned.

 

C. Marketing and commercial prospection activities

Legal basis: The Personal Data processing activities described below are carried out based on either the legitimate interest of OVHcloud to promote its services and develop its activities, or the consent of the data subjects (in particular customers and prospects).  
 
As part of its commercial activities, OVHcloud processes data relating to its customers and prospects (and their agents) to communicate to them information about its the activities and the activities of its partners, propose services, and invite them to events.
 
The data subjects concerned may be customers (i.e. individuals who use OVHcloud services or have just opened an OVHcloud customer account), or individual who are not OVHcloud customer but may be interested in OVHcloud activities or services, due to their professional activities or because they get in touch with OVHcloud through its websites, during an event.
 
Processing requiring the consent of data subjects (such as commercial actions not related to the data subject’s professional activities or to services already used by him or her) is carried out if the data subject has given his or her free, specific, informed and unambiguous consent. When the collection of consent is carried out online, in particular when opening an OVHcloud customer account, registering for an event, or sending a request via a form, a specific check box called "opt in" is used. When the collection of the consent is operated off-line, a process, such as oral presentation, or via paper form, of the purpose and conditions of the data collection, and a request for the express consent of the data subject is implemented.
 
Concerning processing carried out based on legitimate interests (in particular commercial actions related to the professional activities or services already used by the data subject), OVHcloud takes care to respect the data subject's right of opposition and ensures that this right can be easily exercised in the context of each communication that is sent.
 
OVHcloud may also contact data subjects whose contact details have been communicated by partners. In this case, OVHcloud ensures that the partners undertake that the Personal Data has been collected according to applicable law, and that the data subjects have consented to their data being communicated for the purposes of promotion and commercial prospecting.
 
For business contacts, OVHcloud ensures that the services offered to them are related to their business activity, and that they can exercise their right to object at any time and in an effective way.
 
Subject to comply with the data subject’s rights, the processing carried out in the context of marketing and commercial prospection activities shall cover the following data:  
(i)    Identification data (first name, last name, contact details, email address)
(ii)    Internet navigation data (IP address, User ID, websites navigation history)
(iii)    Data subject area of interests (data relating to services use, order history, consumption habits, participation to event)
(iv)    Data subject’s interactions with OVHcloud (request, “call to action”).
 
For more information on cookies and information collected by OVHcloud concerning users of its websites, please see the OVH Cookie Policy.

D. Compliance with legal obligations

Legal basis: The Personal Data processing activities described below are carried out to comply with legal obligations.
 
As part of its activities, OVHcloud is subjected to some legal obligations which require the processing of personal data.  
 
Thus, to comply with its accounting and fiscal obligations, OVHcloud has to process data and retain evidence of the orders placed by its customers and the relevant transactions and payment.
 
Similarly, to ensure the security of its services, OVHcloud retains identification data (first name, last name, user ID, customer ID, proof of identity, proof of address) as well as technical data related to the use of the services (traffic and localisation data, connection and event logs).
 
OVHcloud also has the obligation to respond to requests data subjects exercising theirs rights with respect to the processing of their personal data, or to certain requests from courts and judicial or administrative authorities to provide information, or to report certain data breaches, which may involve personal data. 

E. The pursuit of legitimate interests

Legal basis: Processing necessary to safeguard vital interests, and processing necessary for the purposes of legitimate interests pursued by OVHcloud or by a third party
OVHcloud may be required to carry out processing operations necessary to safeguard the vital interests of the data subject or another natural person, or necessary for the purposes of the legitimate interests pursued by OVHcloud.

When processing data necessary for the purposes of legitimate interests, OVHcloud shall ensure that the interests or fundamental freedoms and rights of the data subject do not take precedence over such legitimate interests, and that the processing carried out is compatible and has a link with the services provided to the data subject and the purposes for which the data was originally collected.

Processing carried out by OVHcloud for the purpose of legitimate interests includes processing carried out to ensure the security of services, combat fraud, manage outstanding payments, claims and litigations, and conduct customer satisfaction surveys, customer studies, product testing and services improvement.

Part II - Conditions for carrying out processing

A. OVHcloud commitments

As part of the processing covered by this Policy, OVHcloud shall ensure compliance with the laws in force, notably the Information Technology Act, 2000.

OVHcloud has also framed rules and security practices hereunder. You agree that these rules and the whole content of OVHCLOUD DATA PRIVACY POLICY and any security measures that OVHcloud may take to secure your Sensitive Personal Data or Information (as defined under the Information Technology Act, 2000 and the rules made thereunder), constitute Reasonable Security Practices and Procedures (“RSPP”) under Section 43A of the Information Technology Act, 2000, which will apply to the processings listed above. Accordingly, the rules of the Indian Government referred to in section 43A(ii) of the Information Technology Act, 2000, shall not apply.

As such, OVHcloud commits to:
 
-    Collect only Personal Data necessary for the above purposes;  
-    Implement processes to ensure the accuracy and updating of the data used in such processing, and erasure when the data is not anymore necessary;  
-    Not processing Personal Data in its possession for purposes other than those mentioned in this Policy, except to obtain the consent of the persons concerned, or to inform them in case of processing based on other legal basis than consent;
-    Document the processing within a register and carry out any required data processing impact assessment;  
-    Set up a process to manage incidents and data breaches,  
-    Implement technical and organisational measures to protect Personal Data against security risks, as defined in OVHcloud’s Information System Security Policy.

 

B. Technical and organisational security measures

Personal Data protection is integrated into OVHcloud’s information security program for which OVHcloud intends to achieve the following objectives:
 

  • Deployment of an industrial, large-scale approach to security
  • Positioning OVHcloud as a trusted player in the ecosystem
  • Operate a secure cloud for everyone
  • Implementation of Information Security Management Systems (ISMS) and Personal Information Management System (PIMS)
  • Risk-based approach to safety
  • Evidencing security through certification, internal control and external audit
  • Unified response to security incidents and Personal Data breaches - Integrating security and privacy issues into products development - Safety assessment and continuous improvement.

These elements are detailed in OVHcloud’s Information System Security Policy.

 

C. Anonymisation

OVHcloud reserves the right to anonymise the data covered by this Policy, i.e. to modify it so that it no longer allows the data subject to be identified, even indirectly, and to reuse it in this anonymised form only.
 
OVHcloud strives to apply the following anonymisation principles:

  • The impossibility of isolating an individual within a larger group on the basis of the data;
  • The impossibility of linking two records concerning the same person; and
  • The impossibility to infer, with high probability, unknown information about a person.

Since the anonymised data is no longer Personal Data, OVHcloud reserves the right to store and use it for purposes other than those set out in this Policy, in particular, but not limited to statistics, new or improved services, marketing analysis and business strategies.

D. Subcontracting

OVHcloud Affiliates may participate in the data processing covered by this Policy, carried out by OVHcloud  
 
OVHcloud also relies on third-party providers such as security service providers, network providers, providers of internal applications and tools, payment service providers, marketing analysts, web analysts, email solution providers, satisfaction surveys, consultancy companies, auditors, etc. acting as data “processors” under OVHcloud instructions.  
 
OVHcloud ensures that its processors undertake to comply with the regulations in force, and to implement appropriate technical and organisational measures to ensure the protection of the Personal Data that they are required to process under OVHcloud instructions. In particular, OVHcloud ensures that the processors only have access to the data necessary to carry out their tasks.
 
When using third-party software solutions to process data related to the use and delivery of its services (including ticketing and support management tools, tools used for provisioning and maintenance, and even a business relationship management solution), OVHcloud prefers on-premises solutions hosted on its own infrastructures.  
 
In all cases, a contract is established between OVHcloud and the subcontractor, and appropriate technical and organisational measures are put in place in accordance with applicable law.
 
You hereby agree to authorize OVHcloud to provide its Affiliates such third-party providers/processors with access to your Data including Sensitive Personal Data or Information. Such third parties receiving your Data Sensitive Personal Data or Information shall not disclose it further.  
 
This Section D. does not cover the conditions under which OVHcloud is authorised to use sub-processors in the context of Personal Data processing carried out under its customers’ instructions. These conditions are set out in the Appendix “Data Processing Agreement”.

E. Data transfers

Data hosting
The data covered by this Policy is hosted in Canada within a data centre owned and managed by the group OVHcloud.  
 
When a customer chooses to use OVHcloud services hosted in data centers located outside India (notably in Australia, Singapore and European Union), the Personal Data necessary for the performance of such services may also be hosted in the relevant location or region.  
 
Processing in remote
 Due to OVHcloud's international organisation, the data processing activities described in this Policy may be carried out from locations outside India by OVHcloud's Affiliates and third-party service providers as provided in Section 2. D above.
 
When Personal Data subject to this Policy is transferred (including in the case of remote access) outside of India, to third countries, OVHcloud implements a data transfer agreement with the data importer and ensures that appropriate technical and organizational measures are implemented in order to secure the data according to applicable laws of India.
 
You hereby acknowledge that transfer of Personal Data as envisaged above is necessary for purposes described in this Policy and you hereby agree to such transfer.

F. Processing of requests from authorities

OVHcloud may receive requests from judicial, administrative or other authorities which purpose is to obtain communication of Personal Data in its possession relating to its customers.
In this case, OVHcloud may make reasonable efforts to:

  • Check the competence of the requesting authority;
  • Only respond to requests that are not obviously invalid;
  • Limit communication to what is required by the authority.

 
In case of requests received from a non-Indian authority to obtain communication of data relating to an Indian customer, OVHcloud objects to the request, subject to the following cases:  
(a)    the request is made in accordance with an international agreement, such as a mutual legal assistance treaty, in force between the requesting country and India; or  
(b)    the customer has registered an OVHcloud customer account to an OVHcloud entity which is under the same jurisdiction than the requesting authority; or
(c)    in particular where the application pursues a public interest recognised by Indian law or is necessary to safeguard vital interests.

G. Rights of data subjects

In accordance with applicable law, you have the right to access and review the aforementioned Personal Data relating to you, as well as the right to rectify it, request its deletion, and the right to limit or oppose to certain processing. Where processing is based on consent, you also have the right to withdraw consent at any time.These rights can be exercised by using the form provided for this purpose on the OVHcloud Website, or by mail to: OVH Salapuria Symbiosis, Areke Village, Begur Hobli, Bannerghatta Road, Bengaluru, Karnataka, 560076, India. Withdrawal of consent shall necessarily be in writing.

Provided that OVHcloud shall not be responsible for the authenticity of the personal Information or Sensitive Personal Data or Information supplied by the provider of information to OVHcloud or any other person acting on behalf of OVHcloud.  

Any query and grievance that you may have in relation to processing of your information may be addressed to the following grievance officer.

Further, any grievance that you may have in relation to the violation of the provisions of Rule 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 or any other matters pertaining to the computer resources made available by OVHcloud may be reported to the above mentioned grievance officer.
 
Each request must be accompanied by the information required to prove your identity.  Where there is reasonable doubt as to the identity of the natural person submitting the request, additional information necessary to confirm the identity of the data subject, including an identity document, may be requested.
 
OVHcloud disclaims liability for any Content that may be hosted, displayed, uploaded, modified, published, transmitted, stored, updated or shared by you on OVHcloud’s resources. When using OVHcloud’s resources, you are advised to remain in compliance with the provisions of the Information Technology Act, 2000 and the rules thereunder.