OVHcloud GDPR Compliance Readiness
An overview of frequently asked General Data Protection Regulation questions and OVHcloud compliance.
What is the GDPR?
GDPR stands for “General Data Protection Regulation.” It is a data protection law adopted by the European Union (EU), which imposes new rules on all organizations that offer goods or services to individuals in the EU when processing “personal data” of EU residents. It is designed to strengthen the individual’s (also known as a “data subject”) fundamental right to privacy and the protection of personal data. It introduces robust requirements for companies doing business in Europe that will enhance and harmonize standards for data protection, security, and compliance. The GDPR was adopted on April 27, 2016, and becomes effective on May 25, 2018.
We know that preparing for the GDPR is a priority for many of our customers. It is also a priority for OVH US (“OVH”).
What does the GDPR regulate?
The GDPR regulates the “processing” of personal data, which includes the collection, use, disclosure, storage, manipulation, and erasure of personal data.
The GDPR’s definition of “personal data” is very broad. It captures any information relating to an identified or identifiable data subject, including names, email addresses, photos, bank details, location data, IP addresses, and cookie identifiers.
What is a Data Controller? What is a Data Processor?
The GDPR divides organizations processing personal data into “data controllers” and “data processors.” A data controller determines the purposes and means of the data processing and tells the processor what to do with the data. A data processor processes personal data on behalf of the controller pursuant to the controller’s instructions. Data controllers must comply with the GDPR’s principles, including transparency and the lawfulness of the processing. Data processors must act pursuant to the controller’s instructions, secure the data, and help data controllers comply with the GDPR.
OVHcloud is a data processor when it acts as a service provider to our customers who use our data hosting and storage services. Our customers are data controllers for the data they maintain in our data centers since they decide what data we process and restrict our use of it. Our Data Processing Addendum (“DPA”) to our customer agreements sets forth our responsibilities and obligations as a data processor as well as the responsibilities and obligations of our customers.
Does OVHcloud have a DPA?
Yes, we have posted our DPA on the OVHcloud website. Our DPA sets forth our responsibilities and obligations as a data processor, including the obligations to:
- Only process personal data under our customers’ instructions and to fulfill the contract
- Implement appropriate security measures
- Ensure our employees are bound by confidentiality obligations
- Notify customers of data breaches
- Help customers comply with data protection requirements and data subjects’ rights
Will OVHcloud be compliant with the GDPR by May 25?
OVHcloud is committed to the core principles of the GDPR. We are committed to using personal data responsibly and protecting it with advanced technologies and robust internal policies and practices. We are aligning our privacy program, including our business practices, processes, and policies, to help us meet our obligations. We have engaged world-class leaders in the field of data privacy and protection to lead this effort alongside our own team.
What are some of the core obligations that OVHcloud has as a data processor and what is OVHcloud doing to comply?
As a global provider of data-driven services, we are integrating global privacy requirements, including EU data protection requirements, into our business practices.
- As a data processor, we are responsible for complying with our contractual obligations and instructions in our customer DPAs, including assisting our customers to comply with their GDPR obligations, securing data, keeping records of how we process personal data on behalf of our customers, preparing to notify our customers in the event of a data breach, and cooperating with EU data protection authorities on request
- Our internal GDPR team has been working closely with leading data privacy and security experts to lead our compliance efforts
What personal data does OVHcloud process?
As a hosting service, we process, on behalf of our customers, personal data contained in any files, applications, or content uploaded to our systems by OVHcloud customers or their end users. Our customers determine what personal data is hosted by OVHcloud.
Is OVHcloud allowed to transfer personal data from the EU to other countries as part of offering the service?
Yes. As part of our service offering and to meet our contractual obligations, we transfer personal data from the EU and Switzerland to the United States under our EU and Swiss Privacy Shield certifications. Our customers select the country where personal data is stored.