OVH has reinforced its contractual commitments with regard to personal data protection

On 25 May 2018, the General Data Protection Regulation (GDPR) came into force. OVH took this opportunity to update its terms and conditions of service, and to include an appendix on personal data protection.

In July 2017, OVH S.A.S. had already updated its General Terms and Conditions of Service in France, in anticipation of the GDPR deadline. But as the deadline approached, we wanted to go even further and offer a separate appendix devoted to these issues.

This 7-page appendix, commonly referred to as the “Data Processing Agreement” (DPA), sets out OVH’s commitments as a data processor, as well as what the commitments of our customers must be as data controllers (or as processors if they are acting on instruction from a data processor).

We are aware that legal documents do not always make for a thrilling read, so we designed this document to be as clear, well-structured and easy to understand as possible. To avoid all traces of ambiguity, we kept links to other documents (contracts, websites, etc.) to a minimum. We also took care to express our contractual commitments as concisely as possible, to prevent our message from being lost in an endless list of lengthy legal clauses.

In short, we wanted to make our terms and conditions legible and transparent, just like the commitments we make to protect and process your personal data.

A regulatory obligation

As well as promoting transparency in OVH’s practices, this appendix is also designed to meet our regulatory obligations. If you process personal data, you are required to formalise this processing contractually with your data processor. This DPA thus allows you to meet some of your own obligations under the GDPR.

Article 28 of the GDPR states that “processing by a processor shall be governed by a contract [...]”. The same article sets out what kinds of information such a contract must contain. You can find this information in our appendix.

Firm commitments

This appendix represents a firm commitment that binds OVH to each and every one of its customers with regard to personal data processing. These commitments showcase the choices made by OVH in order to protect its customers’ data. The following are some of the most important commitments:

  1. Not using data for any purposes other than providing the service.
  2. Notifying our customers if their personal data is breached.
  3. For compatible services, keeping data inside the EU, and/or only in countries recognised by the European Union as offering a sufficient degree of protection.
  4. Systematically requesting our customers’ consent whenever we use data processors outside the OVH Group who can access their personal data in order to fulfil the terms of a contract.
  5. Being able to apply reversibility to data hosted with OVH.
  6. Providing the most comprehensive and exhaustive documentation possible, so that every OVH customer can meet their own regulatory obligations.

Commitments like these enable you to organise your own compliance with regulations. As an example, because you know the country or countries in which the data you host with OVH is processed, you can adequately inform the people whose personal data you gather and process.

Familiarising yourself with the technical and organisational measures implemented by OVH will also help you choose a service that is tailored to your needs and, where applicable, your customers’ needs, taking into account, in particular, the type of data and the nature of the processing you need to carry out.

This way, you can build trust with your end-users and/or your own customers by being transparent about the measures implemented by your service provider.

Terms and conditions that apply to all European customers

The appendix on personal data processing became applicable on 25 May 2018, the date on which the GDPR came into effect. You can find it in your Control Panel, and if you have not done so already, we recommend familiarising yourself with it, and confirming your acknowledgement and acceptance. The appendix on personal data protection therefore applies to all orders and renewals for OVH services.

The DPA illustrates OVH’s choice to apply the same high-level commitments in terms of personal data protection to all its customers, whether they are private individuals, SMEs or major accounts.