OVH and personal data protection
Our expert answers your questions
The GDPR legislation, which comes into effect on 25th May 2018, has placed considerable demands on organisations with regard to the way they manage their data. As a result, many have struggled to establish exactly what needs to be done to ensure they achieve GDPR compliance.
For this reason, OVH’s Data Protection Officer, Florent Gastaud, has supported numerous businesses throughout the UK and Europe as they prepare for the GDPR’s arrival.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European Regulation, adopted on 27th April 2016 by the European Parliament and the Council of the European Union. Its provisions are directly applicable to all member states within the European Union. Although it was approved by the European Parliament in 2016, it will not come into effect until 25th May 2018. A two-year deadline was provided to public and private organisations, so that they could ensure that they are compliant with the provisions of this regulation.
The GDPR seeks to protect natural persons with regard to how their personal data is processed. It includes rights and obligations that apply to all organisations handling this type of data.
The GDPR applies to all public entities and companies of all sizes that process personal data.
What does GDPR mean?
GDPR is an acronym for General Data Protection Regulation.
The notion of the GDPR directly references Article 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC.
What is a breach of data protection?
When personal data breach is mentioned, people tend to think immediately of personal data leaks, where unauthorised third parties can gain access to the data (such as hacking incidents by malicious parties). Whilst this does indeed count as a personal data breach, the notion of it actually applies to a much wider scope. The G29 (a European advisory body made up of various European personal data protection authorities) defines the notion of data protection breach as falling under the following three categories:
- Accidental or unauthorised loss of access to, or destruction of, personal data, otherwise named an “Availability breach”.
- Unauthorised or accidental alteration of personal data, otherwise named an “Integrity breach”.
- Unauthorised or accidental disclosure of personal data, otherwise named a “Confidentiality breach”.
A data breach does not, therefore, only apply to data leaks. It also applies to the definitive loss of data.
The GDPR imposes new obligations for both data controllers and data processors in terms of personal data breach notifications.
What are the laws on data protection?
There are several texts that determine regulations regarding personal data protection, providing general and more precise guidelines:
- Internationally: Convention 108, for the Protection of Individuals with regard to Automatic Processing of Personal Data, is a binding treaty open for signature to all countries.
- In Europe: Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data GDPR), as well as Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
- Nationally: Many countries have adopted national regulations on the protection of personal data. For example, this is the case for all EU member countries.
What is personal data under the GDPR?
The notion of personal data is defined in article 4 of the GDPR as being “[...] any information relating to an identified or identifiable natural person [...] an identifiable natural person is one who can be identified, directly or indirectly [...]”.
In other words, personal data is a piece or collection of data that in any way allows an individual to be identified.
A piece of data indirectly allows an individual to be identified if simply reading it alone does not give away the individual’s identity, but additional research allows the individual to be identified. This is typically the case with an email address, for example.
What is sensitive personal data?
The notion of “sensitive data” refers to the “processing of special categories of personal data” in the General Data Protection Regulation. Special rules apply to sensitive data, since as a matter of principle, processing data of this nature is prohibited.
Sensitive data refers to information regarding:
- A natural person’s health or sex life.
- A natural person’s racial or ethnic origin.
- A natural person’s political opinions, religious or philosophical beliefs, or trade union membership.
Exceptions allow for the processing of such data.
Can I fulfil my obligations under the GDPR by using OVH services?
Yes, to a certain extent. One of the obligations of a data controller is to select data processors providing sufficient guarantees that personal data is processed in accordance with the regulation.
In other words, the guarantees offered by OVH as a data processor mean that you can comply with a part of your own obligations. Among these guarantees, you will be able to find the security measures put in place by us, the commitments made in terms of the locations in which your data is processed, and more.
The obligations of a data controller are, however, not limited to selecting a GDPR-compliant service provider. They go well beyond OVH’s scope of intervention as an IT processor. As a data controller, you cannot ensure that you are fully GDPR-compliant simply by selecting your processor carefully. You must also comply with the obligations that apply to you: respecting the rights of individuals, and carrying out analyses on the impact on a person’s private life, for example.
What are OVH’s commitments as a cloud services provider?
As a cloud services provider, OVH takes on the role of a data processor. This means that OVH makes the following commitments in particular:
- Not reusing the data hosted on our services: OVH processes its customers’ personal data solely for the purpose of fulfilling its services, and always follows the customer’s instructions when doing so.
- Offering data reversibility: At OVH, all of our cloud solutions are based on open standards, including a number of open-source technologies. This way, you can recover and migrate your data easily, as your data is always reversible and interoperable.
- You will always know exactly where your data is stored and processed.
- We guarantee complete transparency with regard to the recourse we have to subsidiaries as processors.
- We will notify you if you are the subject of a data breach.
- We produce comprehensive documentation for all our services: OVH will provide you with all the appropriate documentation, including a description of the security measures put in place for your services, an attestation of the location your data is stored in, and more.
- We contractually guarantee our commitments: OVH commitments are not empty promises. They are contractually integrated into our Data Processing Agreement (DPA). This document is provided as an attachment to our contracts. It is available on request to all of our customers.
What are OVH’s commitments in terms of data location?
When you select a service that enables you to store your content and personal data, datacentre locations and geographical regions are always listed on our website. If several possible locations or geographical regions are available, you can choose a location when you place your order.
However, “data storage” is not synonymous with “data processing”. The GDPR sets rules for “processing”, not just for “storage”. In light of this, it’s good to take special care when you use these two terms.
When you select a storage region located in the EU, OVH guarantees that it will not process your data outside of the European Union, and any countries recognised by the European Commission as having a sufficient level of personal data protection regulations in place (with regard to the private lives, fundamental rights and freedoms of persons, and also with regard to exercising corresponding rights [adequacy decision]). We also guarantee that we will never process your data in the US.
Can OVH reuse my data?
OVH processes its customers’ personal data solely for the purpose of fulfilling its services, and always follows the customer’s instructions when doing so.
The data hosted within our services by customers remains the property of the customer.
Any resale of the aforementioned data, as well as any use of the data for commercial purposes (e.g. profiling activity, or direct marketing), is strictly prohibited.
How does OVH guarantee that it will respect its commitments?
To ensure that OVH’s commitments allow you to comply with part of your obligations, you will need to stipulate them within a contract, or any other legal act that binds OVH to you.
OVH provides you with this opposability in two ways:
- The General Terms and Conditions of Service apply to all OVH services, and include clauses on personal data protection.
- Furthermore, upon request, OVH can sign a specific additional clause for your contract, entitled a Data Processing Agreement (DPA). Data Processing Agreements are solely dedicated to setting out the guarantees offered by OVH in terms of personal data processing.