GDPR stands for “General Data Protection Regulation.” It is a data protection law adopted by the European Union (EU), which imposes new rules on all organizations that offer goods or services to individuals in the EU when processing “personal data” of EU residents. It is designed to strengthen the individual’s (also known as a “data subject”) fundamental right to privacy and the protection of personal data. It introduces robust requirements for companies doing business in Europe that will enhance and harmonize standards for data protection, security, and compliance. The GDPR was adopted on April 27, 2016 and becomes effective May 25, 2018.
We know that preparing for the GDPR is a priority for many of our customers. It is also a priority for OVH US (“OVH”).
The GDPR regulates the “processing” of personal data, which includes the collection, use, disclosure, storage, manipulation, and erasure of personal data.
The GDPR’s definition of “personal data” is very broad. It captures any information relating to an identified or identifiable data subject, including: names, email addresses, photos, bank details, location data, IP addresses, and cookie identifiers.
The GDPR divides organizations processing personal data into “data controllers” and “data processors.” A data controller determines the purposes and means of the data processing and tells the processor what to do with the data. A data processor processes personal data on behalf of the controller pursuant to the controller’s instructions. Data controllers must comply with the GDPR’s principles, including transparency and lawfulness of the processing. Data processors must act pursuant to the controller’s instructions, secure the data, and help data controllers comply with the GDPR.
OVH is a data processor when it acts as a service provider to our customers who use our data hosting and storage services. Our customers are data controllers for the data they maintain in our data centers since they decide what data we process and restrict our use of it. Our Data Processing Addendum (“DPA”) to our customer agreements sets forth our responsibilities and obligations as a data processor as well as responsibilities and obligations of our customers.
Yes, we have posted our DPA on the OVH website. Our DPA sets forth our responsibilities and obligations as a data processor, including to:
- Only process personal data under our customers’ instructions and to fulfill the contract
- Implement appropriate security measures
- Ensure our employees are bound by confidentiality obligations
- Notify customers of data breaches
- Help customers comply with data protection requirements and data subjects’ rights
OVH is committed to the core principles of the GDPR. We are committed to using personal data responsibly and protecting it with advanced technologies and robust internal policies and practices. We are aligning our privacy program, including our business practices, processes, and policies, to help us meet our obligations. We have engaged world-class leaders in the field of data privacy and protection to lead this effort alongside our own team.
As a global provider of data-driven services, we are integrating global privacy requirements, including EU data protection requirements, into our business practices.
- As a data processor, we are responsible for complying with our contractual obligations and instructions in our customer DPAs, including assisting our customers to comply with their GDPR obligations, securing data, keeping records of how we process personal data on behalf of our customers, preparing to notify our customers in the event of a data breach, and cooperating with EU data protection authorities on request
- Our internal GDPR team has been working closely with leading data privacy and security experts to lead our compliance efforts
As a hosting service, we process, on behalf of our customers, personal data contained in any files, applications or content uploaded to our systems by OVH customers or their end users. Our customers determine what personal data is hosted by OVH.
Yes. As part of our service offering and to meet our contractual obligations, we transfer personal data from the EU and Switzerland to the United States under our EU and Swiss Privacy Shield certifications. Our customers select the country where personal data is stored.